Secure OpenID

From ScoutManage


There are two ways to improve the security of your ScoutManage login using OpenIDs. The first is a hardware token (such as those used by some banks, employers, and PayPal). The second is a digital certificate installed on your own computer. Using OpenIDs, each is easy to set up and is either free or very inexpensive.

Hardware Authentication

Hardware authentication is a form of two-factor authentication, and it dramatically improves the security of your access to a website. It is typically used by banks and other financial organizations (such as PayPal), and ScoutManage supports it through OpenID. Using it dramatically reduces the likelihood of your account being compromised by someone guessing or stealing your password, because the password alone is no longer enough to log in. Two-factor authentication is based on the premise that you authenticate to a site by providing "something you know" and "something you have". The "something you know" is the password for your OpenID account at the provider; the "something you have" is the hardware authentication device, which produces a one-time code that you must enter in addition to that password. There are a variety of hardware authentication devices you can use, including a keychain fob, a USB device, or a wallet card. Enabling two-factor authentication for ScoutManage is easy and the hardware is inexpensive (prices are listed in step 5 below). Here is how you can do it:

  1. Create an OpenID account at VeriSign (https://pip.verisignlabs.com).
  2. Connect this new OpenID with your ScoutManage account (this can be done by logging into ScoutManage using your new OpenID).
  3. Go to OpenID Admin. Remove all other OpenIDs from your ScoutManage account (your VeriSign OpenID is the only OpenID that should be listed). Any other OpenID left behind is an alternative way into your account that bypasses the token.
  4. On this same page, disable standard password access to your ScoutManage account. Otherwise the password remains a second, weaker way to log in.
  5. Purchase a hardware authentication device compatible with VeriSign. You have several choices available to you:
    • ($30-$48) Order a VIP Security Card or Token directly from VeriSign.
    • Do you use PayPal and have a PayPal Security Key? Then you can use this key directly with no additional purchase.
  6. Register your new device in your VeriSign PIP account.

From now on, when you log in to ScoutManage, you must use your OpenID. When you use your OpenID, you will be asked to use your security device, and you will not have access to your ScoutManage account without it. If you lose your security device, you will not have access to your VeriSign account, and hence no access to your ScoutManage account, until you contact VeriSign to arrange alternate access. The security of your ScoutManage account now rests on VeriSign's account-recovery process as well as on the token, so keep the recovery details on your VeriSign account up to date.

Certificate-based Authentication

Certificate-based authentication means that your browser presents a digital certificate during the login process as proof that you are who you say you are. The certificate and its private key are stored on your computer, and it is this key, rather than a password, that authenticates you to your OpenID provider. NOTE: You should not use certificate-based authentication on any computer that is in a public location (such as a school or library) or that you share with others. Also, be careful when you use it on a laptop that does not have an encrypted drive: the private key is just a file, and anyone who can use your computer, or copy that file from it, can log in to your ScoutManage account. Essentially, the computer itself becomes your "hardware authentication token". Enabling certificate-based authentication for ScoutManage is easy and free.

  1. Create an OpenID account at MyOpenID (https://www.myopenid.com).
  2. Connect this new OpenID with your ScoutManage account (this can be done by logging into ScoutManage using your new OpenID).
  3. Go to OpenID Admin. Remove all other OpenIDs from your ScoutManage account (your MyOpenID is the one and only OpenID that should be listed).
  4. On this same page, disable standard password access to your ScoutManage account.
  5. Log in to your MyOpenID account, and go to "Account Settings -> Authentication Settings".
  6. Read the information in "Add An SSL Client Certificate" near the bottom of the page. Follow these instructions to install a certificate in the browser on your computer. Note that you can install certificates on any number of computers that you directly control.
  7. Read and understand the warning under "Remove Account Password". If you only want to access ScoutManage and other OpenID sites from computers on which you have installed a certificate, then you can remove your MyOpenID password. Doing so closes the password as a way into your account, but it will also prevent you from accessing ScoutManage from any computer that does not have a MyOpenID certificate installed.
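The following is an added illustration of what step 6 leaves on your computer; it is not part of the original page or of MyOpenID's own instructions. MyOpenID issues the certificate through the browser, so here OpenSSL is used to generate an equivalent self-signed client certificate and key so that the files can be inspected. It then bundles them into a passphrase-protected PKCS#12 file (the format browsers import) and checks that the bundle is useless without the passphrase, which is the protection you want when the laptop's drive is not encrypted. The subject name and the passphrase are made up for the example.

```shell
#!/bin/sh
# Added example: generate a client certificate and key the way MyOpenID's
# browser-based step does in spirit, then protect the key with a passphrase.
# Not ScoutManage or MyOpenID code. Names and passphrase are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="scoutmanage-example-user"     # hypothetical certificate subject
P12_PASS="correct horse battery"  # hypothetical passphrase for the bundle

# 1. Create the private key and a self-signed certificate in one step.
#    The key file is the actual credential: whoever can read it can log in
#    as you, which is why the page warns about shared and unencrypted machines.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$CN" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" 2>/dev/null
  chmod 600 "$WORK/client.key"
}

# 2. Bundle key and certificate into a passphrase-protected PKCS#12 file.
#    A copied .p12 is worthless to a thief without the passphrase; the raw
#    client.key above is not.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -name "$CN" -passout "pass:$P12_PASS" -out "$WORK/client.p12"
}

# 3. Return 0 only if the wrong passphrase is rejected AND the right one opens
#    the bundle (openssl verifies the PKCS#12 MAC and exits non-zero otherwise).
check_p12_protection() {
  if openssl pkcs12 -in "$WORK/client.p12" -passin "pass:wrong-guess" \
       -noout 2>/dev/null; then
    return 1
  fi
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}

# Print the certificate subject so you can see what was generated.
cert_subject() {
  openssl x509 -in "$WORK/client.crt" -noout -subject
}

make_client_cert
bundle_p12
check_p12_protection
cert_subject
```

The browser's own certificate store normally plays the role of the .p12 passphrase (Firefox's master password, for example); full-disk encryption protects the key at rest in the same way. Without one of those, the key file is readable by anyone who picks up the machine, which is exactly the situation the NOTE above describes.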

Which is Better?

Hardware and certificate-based authentication are both ways to improve the access security of your account. Both provide better security than simple password-based login, since passwords are often easy to guess and are easily compromised. However, each has its own advantages and disadvantages.

Hardware Token
Advantages:
  • Highest security.
  • Requires physical access to a device to authenticate.
  • Can be used freely and safely on shared and public computers.
Disadvantages:
  • Requires you to carry the hardware device with you anytime you might need it.
  • Requires a one-time purchase of a device.

Digital Certificate
Advantages:
  • Free and easy to use, with high security.
  • Does not require you to carry anything with you.
  • Enables "auto-login" from computers with your certificate installed.
Disadvantages:
  • Anyone with access to that computer has access to your account.
  • Can't be used on shared or public computers.

Using Both Hardware and Certificate Based Authentication

This is potentially the best of both worlds. Do you have a computer at home that is secure and is the computer you use most often to access ScoutManage? Then set up certificate-based authentication for that computer. Additionally, set up a hardware token authentication account as well. This way you can use any computer to access ScoutManage (or any other OpenID site) using the hardware token, but when you are at home you don't have to hunt around for your hardware token just to log in to ScoutManage; the certificate on your computer will do that for you. To do this, set up an account at both VeriSign and MyOpenID using the instructions above for both providers. Then make sure that both OpenIDs are listed on the OpenID Admin page, and that standard password access is still disabled. You can then use your MyOpenID certificate from your home computer, and your hardware token from any other computer while on the road, at work, or on your laptop. Keep in mind that with two OpenIDs listed, your account can be reached through either one, so it is only as secure as the weaker of the two: a stolen home computer gives the same access as a stolen token.
