May 11, 2008 3:46 PM PDT

The password that calls you: CallVerifID

by Rafe Needleman

On Monday, JanRain, which makes the clever multi-service OpenID login box, OpenID Selector, is expected to announce a security improvement for its own MyOpenID service. The new system, CallVerifID, uses your mobile phone to perform an extra security measure before it will authenticate you on its service. It works like this: When you want to authenticate to a site using MyOpenID, first you sign on as usual, with your user ID and password. Then the service calls your phone at the number you've given it. All you have to do is pick up the phone and press # to confirm. If you don't, sign-on fails.

The addition of the phone as a new security factor means that even if someone steals your password, they won't be able to get into your OpenID-protected accounts unless they also have access to your phone. Furthermore, if you get an authentication call from MyOpenID that you're not expecting, it serves as an immediate warning that your password has been compromised.

Way better than carrying around an RSA token card: CallVerifID uses your phone as the second factor in two-factor security.

Of course, if you have turned on phone authentication and you forget your phone (or are in an area with no mobile service), and you want to get into a protected account, you're up a creek. And you will definitely want to use your mobile with this service, since you can have only one number per account--it won't call multiple numbers (like home and work).

The system doesn't identify the site that kicked off the authentication request, which is also a bit of an oversight.

The CallVerifID service is optional. If you're a MyOpenID user but don't want this level of security, you don't have to use it at all. However, I recommend it. One of the scary things about OpenID is that if someone gets access to your account through your password, they immediately get access not just to all the accounts that you access via OpenID, but a roadmap to each of them as well, via your OpenID authenticator site's dashboard. This system, while incompletely implemented, gives OpenID a big security boost, at only a small penalty in convenience.
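The sign-on flow described above (password first, then a call that must be confirmed with #, otherwise sign-on fails), sketched as an added example; this is not JanRain's code. The class name, the place_call telephony hook, the 60-second timeout and the prompt that names the requesting site are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CALL_TIMEOUT = 60  # assumed: seconds the user has to answer and press #

def make_user(password, phone):
    """Build a constructed user record: (salt, PBKDF2 hash, phone number)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest, phone)

class PhoneConfirmLogin:
    """Password first, then an out-of-band phone call that must be confirmed."""

    def __init__(self, users, place_call, clock=time.monotonic):
        self.users = users            # user id -> record from make_user()
        self.place_call = place_call  # hypothetical telephony hook: (phone, prompt)
        self.clock = clock
        self.pending = {}             # challenge id -> (user, deadline)

    def start(self, user, password, site):
        """Step 1: check the password; only then ring the registered phone."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, stored, phone = rec
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, stored):
            return None               # wrong password: no call is placed
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = (user, self.clock() + CALL_TIMEOUT)
        # Assumption: the prompt names the requesting site, which the article
        # says the service as announced does not do.
        self.place_call(phone, f"Sign-in to {site} requested. Press # to confirm.")
        return cid

    def finish(self, cid, keypress):
        """Step 2: succeed only on '#' before the deadline; anything else fails."""
        entry = self.pending.pop(cid, None)   # single use, even on failure
        if entry is None:
            return None
        user, deadline = entry
        if keypress == "#" and self.clock() <= deadline:
            return user
        return None
```

Because a call is placed only after the password check passes, every call the user did not initiate means the password is already in someone else's hands, which is the warning signal the article describes.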

Rafe Needleman writes about start-ups, new technologies, and Web 2.0 products, as editor of CNET's Webware.