I recently implemented OpenID on billso.com. OpenID is a single sign-on (SSO) system that lets web users log on to multiple sites with the same username and password. SSO support is becoming a key success factor for social networking and social media web sites, as new users struggle to manage a growing number of passwords.
With OpenID, no one needs to apply for a user account on billso.com. They can use their username and credentials from another site to join billso.com, or to post a comment on a billso.com article.
Kyle Neath posted a long rant about OpenID yesterday. He won’t be implementing OpenID on his site because he thinks the system too confusing for users. I don’t think OpenID is that difficult to understand — here are two brief explanations from OpenID.net and Wikipedia.
Phishing phears
Kyle’s concerned that phishers might target OpenID users, and he uses PayPal as an example. That site has become a primary target for phishing attacks.
OpenID does have an identity system that lets an authorized user revoke their OpenID as a last resort. Anyone who uses an OpenID should select a strong passphrase, as I described in this billso.com article from 24 Aprill 2008. OpenID can also add multifactor authentication to their service. Checking a user’s location, or asking for a token or passphrase that only the user should have, in addition to the regular passphrase, would provide a strong defense against phishers. Virtual keyboards and other systems could also be used, as I described in this billso.com article from 17 April 2008.
The provider’s burden
I understand some of Kyle’s points. Any web site that implements OpenID for SSO could also become a provider of OpenIDs. I decided not to do this right from the start. I don’t want to provide perpetual support users who request a billso.com OpenID username. There is a system that lets departing OpenID providers delegate their users to another provider.
On 30 April 2008, I posted some programming code that lets a popular WordPress OpenID plugin use JanRain’s ID Selector tool. There are several providers of OpenIDs that can carry the long-term burden of maintaining these accounts, including VeriSign, AOL, Google, Flickr, and WordPress.com.
Universities could become OpenID providers. It makes sense to give students and employees access to a global SSO system, as long as schools are willing to provide stable, permanent usernames for their stakeholders.
Users can also purchase a personal identity domain for around US$10 a year and get a personalized OpenID URL.
Related posts and pages from billso.com
- OpenID
- 30 April 2008: Updating WP-OpenID to support ID Selector
- 24 April 2008: Change that password into a passphrase
- 17 April 2008: Virtual keyboards and monitoring software foil keystroke loggers
- 12 April 2008: Finding business contacts and passwords on the Internet
- 14 March 2008: Social media in action
- 2 July 2007: CXOs face malware email attacks
- 11 January 2007: How to create a secure password
