[ale] help - how do I log into learnstreet without ...

[Justin Goldberg]

On Fri, Mar 29, 2013 at 1:59 PM, David Tomaschik
<david at systemoverlord.com>wrote:

> On Fri, Mar 29, 2013 at 6:39 AM, Michael B. Trausch <mbt at naunetcorp.com>wrote:
>
>> On 03/28/2013 09:26 PM, David Tomaschik wrote:
>> > This is true, but it also provides *one provider* who you need to trust
>> > with security, not every site.  You can run that provider yourself with
>> > OpenID.  So, OpenID (or centralized authentication in general) reduces
>> > the attack surface, but increases the damage from a successful attack.
>>
>> I'm surprised at you, David!  Such a blanket statement.  That also
>> depends on what one has in place to _mitigate_ compromise.  I think that
>> anyone who puts any system in place and then does not plan for it to be
>> compromised is missing the whole point of security.  Assume it will
>> break.  Mitigate what can happen when it does.
>>
>
> Assuming you have >1 service using that OpenID provider, the damage from
> compromising the OpenID account is, by definition, more than a compromise
> of one of those accounts.  I never said that it results in a complete loss
> of control.
>

I know this is an old email, but it was sitting in my drafts for awhile.

This is where two-factor systems come into play. For example, myOpenID will
call your phone number to verify whenever you login to your account. It
even has a voice-print security feature, but I'm not sure if that really
adds any extra security or is junk science.



<SNIPPED>

>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130417/52f00e03/attachment.html>