OpenID et al Security Economics


Steven J. Murdoch and Ross Anderson, in the very worthwhile “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”, assert:

While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong…

To which I can only respond: “you wish. We don’t have any security economics! Not even the wrong ones.”

In the past, every time I brought up this issue in the OpenID community, I got nowhere. (The Information card community has slightly better ones due to the possibility of branding, but it has bigger problems to worry about right now.) But perhaps it is time to try again …