[cas-dev] OpenID use case
J. David Beutel
jbeutel at hawaii.edu
Thu Sep 18 00:59:17 EDT 2008
OpenID use cases were mentioned in the minutes of last month's
conference call:
http://www.ja-sig.org/wiki/display/CAS/2008-08-15+Conference+Call
I have a use case for CAS as an OpenID client (i.e., Relying Party).
I'm developing a second-level CAS for multi-level authentication. (I
call it second-level because it first forces a username and password
authentication on our regular CAS.) It's protecting the user's bank
account number, which the user can input and read later. It uses secret
questions and answers (a.k.a. challenge/response), like many bank and
credit card web sites currently do.
Some users might want to have stronger authentication for this. Some
OpenID providers offer free multi-factor authentication. (Various
non-free hardware can also provide multi-factor authentication via
OpenID.) The use case is to allow the user to configure an optional
OpenID which my second-level CAS authenticates in addition to the basic
questions and answers. The user goes to their OpenID provider like a
third level in the authentication chain. CAS has no guarantee about the
strength of that authentication, but it can be as strong as the user
chooses to protect their own information.
Here's one OpenID provider I tried today that offers free multi-factor
authentication via a phone call, e.g., to a mobile phone:
https://www.myopenid.com/about_callverifid
Here's another OpenID provider that offers a different kind of
authentication using images in the browser. It's also free, although I
haven't tried it yet.
http://www.vidoop.com/products
It looks like we could do the phone authentication directly, using
http://www.phonefactor.com/ (as long as they continue providing it for
free, at least). However, OpenID would be better, because the user
would have a choice. For example, deaf users would have problems with
the phone call, while blind users can't do the image authentication.
Users with various authentication hardware, such as one-time-password
tokens or biometric readers, would also have the choice of using their
corresponding OpenID Provider. I wouldn't need to add support to CAS
for all these different types of authentication, just for OpenID.
Although CAS currently can be an OpenID Provider, leveraging whatever
authentication it already has, by adding support for CAS to be an OpenID
Relying Party, it would leverage all the authentication on all the other
OpenID Providers. If it's an optional addition for the user, not an
alternative to the regular authentication, then it's not a problem that
CAS doesn't trust the OpenID Provider or know the strength of its
authentication.
Cheers,
11011011
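The chain this message describes (password, then challenge questions, then an optional OpenID that only adds a step and never replaces one) can be written down as an AND-composition of factors. The following is an added example, not code from the original post or from CAS itself. It assumes hypothetical `UserRecord` and `OpenIDAssertion` types, a simplified subset of OpenID 2.0 identifier normalization, and that the Relying Party has already checked the OpenID response's signature and nonce before setting `verified`; the sample user data is constructed for the demo.

```python
"""Multi-level authentication as an AND-composition of factors, with an
optional OpenID step that can only add strength, never substitute for the
regular authentication.  Added example; not CAS code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

PBKDF2_ROUNDS = 50_000  # kept low for the demo; raise in production


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 for passwords and challenge answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def normalize_answer(answer: str) -> str:
    """Case- and whitespace-insensitive comparison of secret answers."""
    return " ".join(answer.strip().lower().split())


def normalize_openid(identifier: str) -> str:
    """Simplified identifier normalization (assumption: a subset of OpenID
    2.0 section 7.2): add http:// when no scheme is given, lowercase scheme
    and host, drop the fragment, and default an empty path to "/".  The RP
    must compare the *normalized* enrolled and asserted identifiers."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


@dataclass(frozen=True)
class UserRecord:  # hypothetical store entry for the second-level CAS
    username: str
    salt: bytes
    password_hash: bytes
    answer_hashes: Dict[str, bytes]   # question -> hash of normalized answer
    openid: Optional[str]             # normalized enrolled OpenID, or None


@dataclass(frozen=True)
class OpenIDAssertion:  # hypothetical result of the RP-side OpenID flow
    claimed_id: str   # identifier the OpenID Provider asserted
    verified: bool    # did the RP's own signature/nonce check succeed?


def enroll(username: str, password: str, answers: Dict[str, str],
           openid: Optional[str] = None) -> UserRecord:
    """Create a record; the OpenID is optional and stored normalized."""
    salt = os.urandom(16)
    return UserRecord(
        username=username,
        salt=salt,
        password_hash=hash_secret(password, salt),
        answer_hashes={q: hash_secret(normalize_answer(a), salt)
                       for q, a in answers.items()},
        openid=normalize_openid(openid) if openid else None,
    )


def authenticate(user: UserRecord, password: str, answers: Dict[str, str],
                 assertion: Optional[OpenIDAssertion] = None) -> str:
    """Return "ok" or the name of the first level that failed.  Every
    configured level must pass; a later level cannot replace an earlier one."""
    # Level 1: username/password, the regular CAS step.
    if not hmac.compare_digest(hash_secret(password, user.salt),
                               user.password_hash):
        return "level1:password"
    # Level 2: every enrolled question must be answered correctly.  All are
    # checked before deciding so the response does not reveal which failed.
    all_correct = True
    for question, expected in user.answer_hashes.items():
        given = hash_secret(normalize_answer(answers.get(question, "")), user.salt)
        all_correct &= hmac.compare_digest(given, expected)
    if not all_correct:
        return "level2:questions"
    # Level 3: only for users who opted in.  The RP does not trust the OP, so
    # the assertion must be verified AND name exactly the enrolled identifier.
    # For users without an enrolled OpenID any assertion is ignored, so a
    # stranger's OP can neither add nor replace a factor.
    if user.openid is not None:
        if assertion is None or not assertion.verified:
            return "level3:openid"
        if normalize_openid(assertion.claimed_id) != user.openid:
            return "level3:openid"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data for the demo.
    alice = enroll("alice", "correct horse", {"pet": "Rex", "city": "Hilo"},
                   openid="Alice.Example")
    good = OpenIDAssertion("http://alice.example/", verified=True)
    print(authenticate(alice, "correct horse", {"pet": "rex", "city": "Hilo"}, good))
    print(authenticate(alice, "wrong", {"pet": "Rex", "city": "Hilo"}, good))
    print(authenticate(alice, "correct horse", {"pet": "Rex", "city": "Hilo"},
                       OpenIDAssertion("http://mallory.example/", verified=True)))
```

The point of the ordering is that a verified OpenID assertion is worth nothing until levels 1 and 2 have passed, and it is accepted only for the identifier the user enrolled, so the unknown strength of a third-party Provider can only raise the bar for that user, never lower it.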