There were two sessions today on User-Centric identity at Web 2.0 Expo. I attended the
first one etitled “Implementing OpenID”, which was conducted by David Recordon of Verisign and Brian Ellin of JanRain. The session was well
attended and it was surprising to see that more than 50% (according to a raised hand vote
by David) of the users had heard of OpenID. This is testiment to the momentum OpenID has
created in the industry. The session started with a brief summary of the benefits of
OpenID :
- SSO for the web
- Simple and lightweight
- Easy to use and deploy
- Open development process
- Decentralized, Free
- People are already familiar with URLs
- User control of information
- Site specific hacks are possible – use AOL user name to sign-in.
David produced a slide that showing there are not only over 100 million
OpenIDs in service, but there are close to 2,500 relying
parties already accepting OpenID. Some of the interesting platforms/technologies
that are supporting OpenID are:
- Platforms: Joomla, drupal, /bb, rails, plone
- Sites: Technocati, digg, sixapart, pageflakes, netvibes, wordpress etc.
- Vendors: Microsoft, AOL, Verisign etc.
Implementing OpenID
Brian showed a demo of how OpenID works, by logging into jyte.com. He followed it up with a cool example of OpenID
delegation, which showed how users can use their own site as an OpenID and delegate the
sign in/authentication etc. to another OpenID provider (OP) – with just 2 lines of code.
This allows users to easily customize their OpenID, along with giving them the
flexibility to change their OP when they want.
David then showed an example of how to create your own OP using /MyID. He created a
new OpenID within minutes (hashing the password seemed a bit complicated though and it
will take me more then 2 minutes!). He also demonstrated how users can create their own
personal profile data and control it centrally, to provide the right set of information
to the right relying party. By using this technique, users will not need to fill out the
same sign-up form over and over again at multiple sites.
Brian then demonstrated how to install OpenID on Ruby, using the ruby-OpenID library.
He suggested that all relying parties should use the standard
“openid_identifier” to name their OpenID input name, to make it easy for
browsers to detect and process it. The Ruby example of enabling an app to use OpenID
seemed really easy.
The Phishing Problem
To their credit, David and Brian addressed the tricky phishing issue that has been
plaguing OpenID. They suggested a number of potential solutions that are being worked
on:
- Client side certs (browser based certificates)
- Microsoft
CardSpace (IE 7/Vista) - Vidoop (image based access code); this is really not
an anti-phishing solution, but it does allows users to replace passwords with easier to
use visual categories – which defeat the keyboard logging kind of attacks. - OpenID SeatBelt: This is a new browser plug-in for FireFox and IE by Verisign. The
SeatBelt works as follows:
– The browser plugin first detects if a web page accepts OpenID authentication;
– It then asks the user to Login to their OpenID account, so that they don’t have
to login again;
– It shows a visual indication that the login page is safe, plus the current login
status of the user as a browser button in the browser toolbars;
– In terms of usability, the Seatbelt plugin automatically fills out the OpenID field
when it detects a site that accepts OpenID.
Overall it was a great, although somewhat basic, session. If you are interested in
finding out further details of the session, the slides of the session with notes are
available on OpenID.net.
