Just in time before the year’s end, the Provider Authentication Policy Extension (PAPE) was approved as an OpenID specification by votes of members of the OpenID Foundation.
PAPE will help make OpenID more secure. To quote from our Technical Terms page:
This extension (it can be used with OpenID 1.1 and 2.0) allows Relying Parties to request that certain authentication policies are used by OpenID Providers when authenticating users. So it is possible that a Relying Party only lets users log in with an OpenID if they have been authenticated by multi-factor authentication (e.g. by a password and a certificate).
In addition, Relying Parties can request which NIST (National Institute of Standards and Technology) levels the authentication adheres to. NIST is a US standards laboratory which also runs a computer security resource center. In 2006 it released an Electronic Authentication Guideline which describes four levels of authentication assurance. The levels range from rather simple authentication methods like passwords at level one to very strong methods like hardware cryptographic tokens at level four. If you would like to learn more about NIST levels you should read the 64-page PDF.
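The request and the Relying Party's check described above, as an added example that is not part of the original post or of any OpenID library. The parameter names and URIs are those of the PAPE 1.0 specification; the function names, the `pape` and `nist` aliases, and the sample assertion are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Identifiers defined by the PAPE 1.0 specification.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
NEEDED = ("ns.pape", "pape.auth_policies", "pape.auth_time",
          "pape.auth_level.ns.nist", "pape.auth_level.nist")

def pape_request(policies, max_auth_age):
    """Parameters the Relying Party adds to its authentication request."""
    return {"openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": " ".join(policies),
            "openid.pape.max_auth_age": str(max_auth_age),
            "openid.pape.auth_level.ns.nist": NIST_NS,
            "openid.pape.preferred_auth_level_types": "nist"}

def pape_satisfied(resp, required, min_nist, max_auth_age, now):
    """Check an assertion whose OpenID signature was already verified.
    Assumption: the provider answers under the aliases 'pape' and 'nist'."""
    signed = set(resp.get("openid.signed", "").split(","))
    if not all(f in signed and "openid." + f in resp for f in NEEDED):
        return False  # field absent, or not covered by the signature
    if resp["openid.ns.pape"] != PAPE_NS:
        return False
    if resp["openid.pape.auth_level.ns.nist"] != NIST_NS:
        return False
    if not set(required) <= set(resp["openid.pape.auth_policies"].split()):
        return False  # a requested policy was not applied
    try:
        level = int(resp["openid.pape.auth_level.nist"])
        when = datetime.strptime(resp["openid.pape.auth_time"],
                                 "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    age = (now - when).total_seconds()
    return level >= min_nist and 0 <= age <= max_auth_age

# Constructed sample assertion (not captured from a real provider).
SAMPLE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.pape.auth_time": "2009-01-05T10:00:00Z",
    "openid.pape.auth_level.ns.nist": NIST_NS,
    "openid.pape.auth_level.nist": "3",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle," + ",".join(NEEDED),
}
NOW = datetime(2009, 1, 5, 10, 5, 0, tzinfo=timezone.utc)
```

The request only states a preference, so the Relying Party has to enforce its policy on the response: an assertion that omits the PAPE fields, leaves them out of `openid.signed`, or reports a weaker policy or level is rejected here.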
One Trackback
[…] like to see PayPal becoming a Relying Party which makes use of the recently finalized and approved Provider Authentication Policy Extension. I think this could be a real test for the extension and it forced more providers to push their […]