There were two sessions today on user-centric identity at Web 2.0 Expo. I attended the first one, entitled “Implementing OpenID”, which was conducted by David Recordon of Verisign and Brian Ellin of JanRain. The session was well attended and it was surprising to see that more than 50% (according to a raised-hand vote by David) of the attendees had heard of OpenID. This is testament to the momentum OpenID has created in the industry. The session started with a brief summary of the benefits of OpenID:
- SSO for the web
- Simple and lightweight
- Easy to use and deploy
- Open development process
- Decentralized, Free
- People are already familiar with URLs
- User control of information
- Site-specific hacks are possible, e.g. using an AOL user name to sign in.
David produced a slide showing that there are not only over 100 million OpenIDs in service, but also close to 2,500 relying parties already accepting OpenID. Some of the interesting platforms/technologies that are supporting OpenID are:
- Platforms: Joomla, Drupal, phpBB, Rails, Plone
- Sites: Technorati, Digg, Six Apart, Pageflakes, Netvibes, WordPress, etc.
- Vendors: Microsoft, AOL, Verisign, etc.
Brian showed a demo of how OpenID works by logging into jyte.com. He followed it up with a cool example of OpenID delegation, which showed how users can use their own site as an OpenID and delegate the sign-in/authentication to another OpenID provider (OP) with just 2 lines of code. This allows users to easily customize their OpenID, along with giving them the flexibility to change their OP whenever they want.
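As an added example (not code from the session or from the ruby-openid library), here is the relying-party side of the delegation trick Brian demonstrated: the user's own page carries two `<link>` tags naming the OP and the identifier the OP knows the user by, and the relying party reads them during discovery. The sample page, the host names and the https-only rule are assumptions of this example.

```ruby
# Added example: HTML-based OpenID discovery for a delegating user page.
require 'uri'

# Constructed sample of a personal home page that delegates to an OP.
# It carries both the OpenID 1.1 tags and their OpenID 2.0 equivalents.
DELEGATING_PAGE = <<~HTML
  <html><head>
    <title>Alice's page</title>
    <link rel="openid.server" href="https://op.example.net/server">
    <link rel="openid.delegate" href="https://alice.op.example.net/">
    <link href="https://op.example.net/server" rel="openid2.provider">
    <link href="https://alice.op.example.net/" rel="openid2.local_id">
  </head><body>Hi, I am Alice.</body></html>
HTML

# Split every <link ...> tag into a hash of lower-cased attribute names.
# Attribute order varies between sites, so do not rely on rel coming first.
def link_tags(html)
  html.scan(/<link\b([^>]*)>/i).map do |(attrs)|
    attrs.scan(/([\w\-.:]+)\s*=\s*["']([^"']*)["']/)
         .map { |name, value| [name.downcase, value] }.to_h
  end
end

# Discovery for a claimed identifier (the URL the user typed into the
# openid_identifier field). OpenID 2.0 tags win over 1.1 tags; without a
# delegate/local_id tag the OP-local identifier is the claimed identifier
# itself. Returns nil when the page carries no OpenID tags. Insisting on an
# https OP endpoint is a choice of this example, not a rule of the spec.
def discover_openid(html, claimed_id)
  tags = link_tags(html)
  href_for = lambda do |rel|
    tag = tags.find { |a| a['rel'].to_s.downcase.split.include?(rel) }
    tag && tag['href']
  end
  version, server, delegate =
    if (ep = href_for.call('openid2.provider'))
      [2, ep, href_for.call('openid2.local_id')]
    elsif (ep = href_for.call('openid.server'))
      [1, ep, href_for.call('openid.delegate')]
    end
  return nil unless server
  unless URI(server).scheme == 'https'
    raise ArgumentError, "OP endpoint must be https: #{server}"
  end
  { version: version, op_endpoint: server, local_id: delegate || claimed_id }
end
```

The relying party keeps the claimed identifier the user typed and later checks that the OP's assertion is for `local_id`, which is what lets a user switch OPs by editing two tags on their own page.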
David then showed an example of how to create your own OP using phpMyID. He created a new OpenID within minutes (hashing the password seemed a bit complicated though, and it would take me more than 2 minutes!). He also demonstrated how users can create their own personal profile data and control it centrally, to provide the right set of information to the right relying party. By using this technique, users will not need to fill out the same sign-up form over and over again at multiple sites.
Brian then demonstrated how to add OpenID to a Ruby application using the ruby-openid library. He suggested that all relying parties should use the standard name “openid_identifier” for their OpenID input field, to make it easy for browsers to detect and process it. The Ruby example of enabling an app to use OpenID seemed really easy.
The Phishing Problem
To their credit, David and Brian addressed the tricky phishing issue that has been plaguing OpenID. They suggested a number of potential solutions that are being worked on:
- Client side certs (browser based certificates)
- Microsoft CardSpace (IE 7/Vista)
- Vidoop (image-based access code); this is not really an anti-phishing solution, but it does allow users to replace passwords with easier-to-use visual categories, which defeats keylogger-style attacks.
- OpenID SeatBelt: This is a new browser plug-in for Firefox and IE by Verisign. The SeatBelt works as follows:
  - The browser plug-in first detects whether a web page accepts OpenID authentication;
  - It then asks the user to log in to their OpenID account, so that they don’t have to log in again;
  - It shows a visual indication that the login page is safe, plus the current login status of the user, as a browser button in the browser toolbar;
  - In terms of usability, the SeatBelt plug-in automatically fills out the OpenID field when it detects a site that accepts OpenID.
Overall it was a great, although somewhat basic, session. If you are interested in finding out further details of the session, the slides of the session with notes are available on OpenID.net.