billso.com

Bill Sodeman writes about management, mobile computing and information systems

Entries tagged as 'openid'

JanRain launches CallVerifID multifactor phone service for OpenID

Posted Tuesday, 13 May 2008

The mobile phone is an excellent device for two-factor authentication. Most Internet users already have a mobile phone. A user might not notice that they’ve lost a dongle, security token or smartcard. That’s one reason adoption has been difficult for multifactor authentication schemes.

JanRain announced on 9 May 2008 that it is launching a phone-based multifactor authentication service, CallVerifID, that works with its myOpenID service.

The phone verification service lets a user designate a specific phone number that JanRain’s partner, PhoneFactor, will call when their username requires verification. The user can press the pound (#) key on the phone to confirm the login, or use the incoming call to report that their username has been compromised.

Users can designate a mobile or landline number for their verification calls by setting up their myOpenID account preferences with the appropriate number.

The system isn’t perfect. Someone could still learn the user’s OpenID URL and passphrase, and arrange to intercept the confirmation phone call somehow. This might take a greater level of physical access than stealing a security key or snooping a keyboard. The call verification system could easily be improved by asking the user to enter or speak a second passphrase on the phone.
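The call-based second factor described above, with the suggested second-passphrase improvement beside it, modelled in Python. This is an added example, not JanRain’s, PhoneFactor’s or myOpenID’s code; the account, phone number, PIN and the use of ‘*’ to report a compromised username are assumptions made for the illustration.

```python
# Added example (not JanRain's, PhoneFactor's or myOpenID's code): a minimal
# model of the phone-verified OpenID login, with two policies for the call:
#   "confirm" : the called party presses '#' to approve the login (as described)
#   "pin"     : the called party must also key in a second passphrase (the
#               improvement suggested in the post)
# Account data and phone number are constructed; '*' for "report compromised" is assumed.
import hashlib
import hmac
import secrets

def _digest(secret: str, salt: str) -> str:
    """Salted hash so the model never keeps the passphrase or PIN in clear."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()

class OpenIDAccount:
    def __init__(self, openid_url, passphrase, phone, phone_pin=None):
        self.openid_url = openid_url
        self.phone = phone                      # number the provider will call
        self._salt = secrets.token_hex(8)
        self._pw = _digest(passphrase, self._salt)
        self._pin = _digest(phone_pin, self._salt) if phone_pin else None
        self.compromised = False                # set when the user reports abuse

    def check_passphrase(self, candidate):
        return hmac.compare_digest(self._pw, _digest(candidate, self._salt))

    def check_pin(self, candidate):
        if self._pin is None:                   # no phone PIN enrolled
            return False
        return hmac.compare_digest(self._pin, _digest(candidate, self._salt))

def login(account, openid_url, passphrase, policy, answer_call):
    """answer_call(phone) stands in for the verification call and returns the
    keypresses of whoever answers. Result: 'ok', 'denied' or 'compromised'."""
    if openid_url != account.openid_url or not account.check_passphrase(passphrase):
        return "denied"                         # first factor failed
    if account.compromised:
        return "denied"                         # locked after a report
    reply = answer_call(account.phone)          # second factor: the call
    if reply == "*":
        account.compromised = True              # user reported the username
        return "compromised"
    if policy == "confirm":                     # whoever holds the line can press '#'
        return "ok" if reply == "#" else "denied"
    if policy == "pin":                         # the line alone is not enough
        return "ok" if account.check_pin(reply) else "denied"
    raise ValueError("unknown policy: " + policy)
```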

As Chris Messina pointed out in December 2007, several large Internet content companies have announced that they will support OpenID. Their implementation has been delayed for several reasons, including branding, although ma.gnolia finally came through in March 2008.

CallVerifID is more evidence that OpenID can become a trusted authentication platform for content and blogging sites, and perhaps for e-commerce sites as well.

See CenterNetworks and Mashable for more details.

Mobile phone image courtesy of besto-Baker on Flickr, through a Creative Commons license.

Tags: authentication, blogging, e-commerce, eBay, mobile, multifactor, openid, password, paypal, phone, security, telecom, voice

Why use OpenID?

Posted Saturday, 10 May 2008

I recently implemented OpenID on billso.com. OpenID is a single sign-on (SSO) system that lets web users log on to multiple sites with the same username and password. SSO support is becoming a key success factor for social networking and social media web sites, as new users struggle to manage a growing number of passwords.

With OpenID, no one needs to apply for a user account on billso.com. They can use their username and credentials from another site to join billso.com, or to post a comment on a billso.com article.

Kyle Neath posted a long rant about OpenID yesterday. He won’t be implementing OpenID on his site because he thinks the system is too confusing for users. I don’t think OpenID is that difficult to understand - here are two brief explanations from OpenID.net and Wikipedia.

Phishing phears

Kyle’s concerned that phishers might target OpenID users, and he uses PayPal as an example. That site has become a primary target for phishing attacks.

OpenID does have an identity system that lets an authorized user revoke their OpenID as a last resort. Anyone who uses an OpenID should select a strong passphrase, as I described in this billso.com article from 24 April 2008. OpenID providers can also add multifactor authentication to their services. Checking a user’s location, or asking for a token or passphrase that only the user should have, in addition to the regular passphrase, would provide a strong defense against phishers. Virtual keyboards and other systems could also be used, as I described in this billso.com article from 17 April 2008.

The provider’s burden

I understand some of Kyle’s points. Any web site that implements OpenID for SSO could also become a provider of OpenIDs. I decided not to do this right from the start. I don’t want to provide perpetual support to users who request a billso.com OpenID username. There is a system that lets departing OpenID providers delegate their users to another provider.

On 30 April 2008, I posted some programming code that lets a popular WordPress OpenID plugin use JanRain’s ID Selector tool. There are several providers of OpenIDs that can carry the long-term burden of maintaining these accounts, including VeriSign, AOL, Google, Flickr, and WordPress.com.

Universities could become OpenID providers. It makes sense to give students and employees access to a global SSO system, as long as schools are willing to provide stable, permanent usernames for their stakeholders.

Users can also purchase a personal identity domain for around US$10 a year and get a personalized OpenID URL.

Tags: authentication, crime, key-success-factors, openid, phishing, security, student, university, WordPress

Updating WP-OpenID to support ID Selector

Posted Wednesday, 30 April 2008

Today I spent a few minutes modifying the WP-OpenID plugin to support JanRain’s ID Selector.

I added OpenID support to billso.com last month. This page has more information about the OpenID single sign-on (SSO) system. Short story: OpenID lets users log in to a site with an ID they obtained on another web site. There are many different providers of OpenIDs, and many Internet users have not heard of the OpenID system.

So the ID Selector box provides opportunities to promote the OpenID system, and to add more users to a web site by supporting OpenID authentication.

Example of an OpenID selector box

The ID Selector is a small dropdown box that gives the user several choices for an OpenID provider. The system uses a small piece of JavaScript that calls a centralized server at www.idselector.com and generates an attractive selection box.

WP-OpenID doesn’t support ID Selectors yet, so I modified the code myself. The code is available in this ZIP file as interface.php.

Installation is easy. Simply download my zipped file, extract the php file, edit it to include the ID Selection script that can be generated here, and upload the modified php file to your WordPress server at wp-content/plugins/openid/.

The only hitch I have seen is that the selection button does not render properly in Safari, possibly because Safari uses its own weird buttons. In Firefox and Internet Explorer, it seems to work.

I’ve tested this against WP 2.51 and WP-OpenID 2.1.8. I’m sure other people will find issues, so please add a comment to this post and check out my other OpenID posts, too.

For WordPress sysads who want to type in the modified code themselves, here’s an example. The code that must be changed is found in function login_form() as follows:

<label>Or login using your
<a class="<?php echo $link_class; ?>"
href="http://openid.net/">OpenID</a> url:<br/>

<input type="text" name="openid_url"
id="openid_url" class="input openid_url"
value="" size="20" tabindex="25" /></label>

</p>

<!-- this section remaps the OpenID Selector
box to the proper field on the form-->
<script type="text/javascript">
  <!--
      idselector_input_id = "openid_url";
    -->
</script>

<!-- insert the ID SELECTOR script that
you generated at idselector.com AFTER THIS LINE -->

<!-- BEGIN ID SELECTOR -->

<script type="text/javascript"
id="__openidselector"
src="https://www.idselector.com/selector/hex"
charset="utf-8"></script>

<!-- END ID SELECTOR -->
<!-- the rest of the interface.php
proceeds as originally written-->

<?php
}
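For sysadmins who would rather script the edit than type it in, here is an added Python helper that applies the change above to the text of interface.php. It is not part of WP-OpenID or JanRain’s ID Selector; it assumes the plugin’s openid_url input is followed by the closing </label> and </p> shown above, and the selector URL it uses is the one from this post, which you should replace with the script you generated at idselector.com.

```python
# Added helper (not part of WP-OpenID or JanRain's ID Selector): inserts the
# remap script and the selector <script> tag after the </p> that closes the
# openid_url input inside login_form(). It skips files that are already
# patched and insists on an https selector URL. SELECTOR_SRC is the URL shown
# in the post; replace it with the script generated at idselector.com.
import re

SELECTOR_SRC = "https://www.idselector.com/selector/hex"

SNIPPET = '''
<!-- this section remaps the OpenID Selector box to the proper field -->
<script type="text/javascript">
    idselector_input_id = "openid_url";
</script>
<!-- BEGIN ID SELECTOR -->
<script type="text/javascript" id="__openidselector"
    src="{src}" charset="utf-8"></script>
<!-- END ID SELECTOR -->
'''

# the openid_url <input>, its closing </label> and the </p> that ends the block
_ANCHOR = re.compile(r'<input[^>]*id="openid_url"[^>]*>\s*</label>\s*</p>')


def add_id_selector(php_source: str, selector_src: str = SELECTOR_SRC) -> str:
    """Return the patched source; unchanged if the selector is already there."""
    if 'id="__openidselector"' in php_source:
        return php_source                       # idempotent: never insert twice
    if not selector_src.startswith("https://"):
        raise ValueError("load the selector script over https only")
    match = _ANCHOR.search(php_source)
    if match is None:
        raise ValueError("openid_url input not found; is this interface.php?")
    end = match.end()
    return php_source[:end] + SNIPPET.format(src=selector_src) + php_source[end:]
```

Run it over a copy of interface.php, diff the result against the original, and only then upload it to wp-content/plugins/openid/.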

Tags: administrivia, authentication, janrain, openid, plugin, WordPress