billso.com

OpenID is distributed authentication system that lets users access thousands of participating web sites with a single set of credentials.

billso.com has supported OpenID as an authentication method since April 2008.

Related tags on billso.com

• OpenID
• security

Related articles on billso.com

• 18 July 2008: RIP CAPTCHA
• 2 June 2008: PayPal’s security key still needs work
• 13 May 2008: JanRain launches CallVerifID multifactor phone service for OpenID
• 10 May 2008: Why use OpenID?
• 30 April 2008: Updating WP-OpenID to support ID Selector

I briefly used a PayPal security key, but it was a frustrating experience, simply because I kept leaving the key at home. PayPal’s integration with eBay is not good, which is surprising as eBay owns PayPal.

When I decided to stop using the key, I was able to cancel the PayPal key online in a matter of minutes. It took a 15 minute live chat with an eBay rep to remove the PayPal security key from my eBay account. Perhaps that was a security step by eBay. However the frontline system for canceling the key on eBay’s site did not work properly.

The worst part of the PayPal key: I had to pay US$5 to get one in the first place. If PayPal really wanted business users to have multifactor keys, the first key would be free of charge.

Related posts and pages on billso.com

• OpenID
• 11 May 2008: JanRain launches CallVerifID multifactor phone service for OpenID
• 10 May 2008: Why use OpenID?
• 30 April 2008: Updating WP-OpenID to support ID Selector
• 21 March 2007: About ecommerce part 3: The broadband connection
• 15 March 2007: About ecommerce part 1: Maximizing ROI

I’m commenting my own posts when I want to add new content and links to an article.

If you have an ID on Yahoo, AOL, WordPress.com, flickr or several other services, you can use OpenID right now to log in to billso.com

This blog also supports Gravatar.

To leave a comment, users may log in with an OpenID, Gravatar or an ID from billso.com. (Added 5 April 2008)

I have enabled direct commenting to many of the article pages, but I do review, edit and delete comments because of privacy and spam issues. I have far more spam robots that want to post free ads on my site than I do actual readers. I find myself agreeing with James Farmer: comments that users post into a blog require a great deal of my time and resources to manage. Comments are twee.

Readers can e-mail me their comments, too. In your email, please include the phrase “I give billso.com permission to post my comments”.

Sometimes I refer to old articles in my blog, and those will appear as direct comments.

TRACKBACKS AND PINGS

Bloggers are welcome to post their own comments in their blog, along with a link to my article. My blog will automatically find and list these links as comments, although it may take 2 days for the comments to appear with my blog post. It’s not an instantaneous process.

The mobile phone is an excellent device for two-factor authentication. Most Internet users already have a mobile phone. A user might not notice that they’ve lost a dongle. security token or smartcard. That’s one reason adoption has been difficult for multifactor authentication schemes.

JanRain announced on 9 May 2008 that it is launching a phone-based multifactor authentication service, CallVerifID, that works with its myOpenID service.

The phone verification service lets a user designate a specific phone number that JanRain’s partner, PhoneFactor, will call when their username requires verification. The user can press the pound (#) key on the phone to confirm the login, or use the incoming call to report that their username has been compromised.

Users can designate a mobile or landline number for their verification calls by setting up their myOpenID account preferences with the appropriate number.

The system isn’t perfect. Someone could still learn the users OpenID URL and passphrase, and arrange to intercept the confirmation phone call somehow. This might take a greater level of physical access than stealing a security key or snooping a keyboard. The call verification system could easily be improved by asking the user to enter or speak a second passphrase on the phone.

As Chris Messina pointed out in December 2007, several large Internet content companies have announced that they will support OpenID. Their implementation has been delayed. for several reasons, including branding, although ma.gnolia finally came through in March 2008.

CallVerifID is more evidence that OpenID can become a trusted authentication platform for content and blogging sites, and perhaps for e-commerce sites as well.

See CenterNetworks and Mashable and for more details.

Mobile phone image courtesy of besto-Baker on Flickr, through a Creative Commons license.

Related posts and pages on billso.com

• OpenID
• 10 May 2008: Why use OpenID?
• 30 April 2008: Updating WP-OpenID to support ID Selector

I recently implemented OpenID on billso.com. OpenID is a single sign-on (SSO) system that lets web users log on to multiple sites with the same username and password. SSO support is becoming a key success factor for social networking and social media web sites, as new users struggle to manage a growing number of passwords.

With OpenID, no one needs to apply for a user account on billso.com. They can use their username and credentials from another site to join billso.com, or to post a comment on a billso.com article.

Kyle Neath posted a long rant about OpenID yesterday. He won’t be implementing OpenID on his site because he thinks the system too confusing for users. I don’t think OpenID is that difficult to understand - here are two brief explanations from OpenID.net and Wikipedia.

Phishing phears

Kyle’s concerned that phishers might target OpenID users, and he uses PayPal as an example. That site has become a primary target for phishing attacks.

OpenID does have an identity system that lets an authorized user revoke their OpenID as a last resort. Anyone who uses an OpenID should select a strong passphrase, as I described in this billso.com article from 24 Aprill 2008. OpenID can also add multifactor authentication to their service. Checking a user’s location, or asking for a token or passphrase that only the user should have, in addition to the regular passphrase, would provide a strong defense against phishers. Virtual keyboards and other systems could also be used, as I described in this billso.com article from 17 April 2008.

The provider’s burden

I understand some of Kyle’s points. Any web site that implements OpenID for SSO could also become a provider of OpenIDs. I decided not to do this right from the start. I don’t want to provide perpetual support users who request a billso.com OpenID username. There is a system that lets departing OpenID providers delegate their users to another provider.

On 30 April 2008, I posted some programming code that lets a popular WordPress OpenID plugin use JanRain’s ID Selector tool. There are several providers of OpenIDs that can carry the long-term burden of maintaining these accounts, including VeriSign, AOL, Google, Flickr, and WordPress.com.

Universities could become OpenID providers. It makes sense to give students and employees access to a global SSO system, as long as schools are willing to provide stable, permanent usernames for their stakeholders.

Users can also purchase a personal identity domain for around US$10 a year and get a personalized OpenID URL.

Related posts and pages from billso.com

• OpenID
• 30 April 2008: Updating WP-OpenID to support ID Selector
• 24 April 2008: Change that password into a passphrase
• 17 April 2008: Virtual keyboards and monitoring software foil keystroke loggers
• 12 April 2008: Finding business contacts and passwords on the Internet
• 14 March 2008: Social media in action
• 2 July 2007: CXOs face malware email attacks
• 11 January 2007: How to create a secure password