Entries tagged as 'phishing'
Posted Saturday, 10 May 2008
I recently implemented OpenID on billso.com. OpenID is a single sign-on (SSO) system that lets web users log on to multiple sites with the same username and password. SSO support is becoming a key success factor for social networking and social media web sites, as new users struggle to manage a growing number of passwords.
With OpenID, no one needs to apply for a user account on billso.com. They can use their username and credentials from another site to join billso.com, or to post a comment on a billso.com article.
Kyle Neath posted a long rant about OpenID yesterday. He won’t be implementing OpenID on his site because he thinks the system is too confusing for users. I don’t think OpenID is that difficult to understand - here are two brief explanations from OpenID.net and Wikipedia.
Phishing phears
Kyle’s concerned that phishers might target OpenID users, and he uses PayPal as an example. That site has become a primary target for phishing attacks.
OpenID does have an identity system that lets an authorized user revoke their OpenID as a last resort. Anyone who uses an OpenID should select a strong passphrase, as I described in this billso.com article from 24 April 2008. OpenID providers can also add multifactor authentication to their service. Checking a user’s location, or asking for a token or passphrase that only the user should have, in addition to the regular passphrase, would provide a strong defense against phishers. Virtual keyboards and other systems could also be used, as I described in this billso.com article from 17 April 2008.
The provider’s burden
I understand some of Kyle’s points. Any web site that implements OpenID for SSO could also become a provider of OpenIDs. I decided not to do this right from the start. I don’t want to provide perpetual support to users who request a billso.com OpenID username. There is a system that lets departing OpenID providers delegate their users to another provider.
On 30 April 2008, I posted some programming code that lets a popular WordPress OpenID plugin use JanRain’s ID Selector tool. There are several providers of OpenIDs that can carry the long-term burden of maintaining these accounts, including VeriSign, AOL, Google, Flickr, and WordPress.com.
Universities could become OpenID providers. It makes sense to give students and employees access to a global SSO system, as long as schools are willing to provide stable, permanent usernames for their stakeholders.
Users can also purchase a personal identity domain for around US$10 a year and get a personalized OpenID URL.
Tags: authentication, crime, key-success-factors, openid, phishing, security, student, university, WordPress
ism tech
Posted Thursday, 17 April 2008
From Lifehacker comes a link to a free virtual keyboard called Neo’s SafeKeys. The keyboard is displayed on the computer screen, and lets a Windows user type their password without accessing the computer’s keyboard.

It’s trivial to monitor keystrokes through software and hardware called keystroke loggers or keyloggers. This New York Times article describes a new phishing attack against executives, involving an email with a link to a fake subpoena. Click the link and a Windows keystroke logger gets installed.
Executives are excellent targets for such attacks. CXOs often want to bypass corporate security systems for the sake of personal convenience. When executives insist on carrying confidential or valuable corporate data on their laptop’s hard drive, they may as well paint a target on their foreheads.
CXOs might also disable virus scanners and security software to make the computers run faster. This only makes their personal computers much more vulnerable. When executives are reluctant to admit their mistakes or ask for help, the damage is already done.
I’ve seen virtual keyboard systems deployed on banking web sites, so that users can use a mouse to enter their passphrase. Of course, this can be very tedious if the user has a long passphrase. These virtual keyboard systems may become more common as banks implement multifactor authentication schemes that address consumer, regulator and compliance issues.
Keyboards and keystrokes
It’s still possible to use a keyboard for multifactor authentication, however. This article from Windows in Financial Systems describes a system from BioPassword that requires the user to enter their password ten times in a single enrollment session. Software determines the rhythm of their keystrokes, and stores that data along with the user’s account on a Microsoft Active Directory server. Anyone who tries to access the account will have to simulate that user’s typing behavior for that specific password.
In this 15 May 2007 article, ha.ckers.org pointed out some potential problems with BioPassword’s system. The timing needs to be loose enough to accommodate different keyboard styles; a laptop computer’s keyboard, for example, is often laid out differently from a standard desktop keyboard. Otherwise, the timing checker might flag users who include numerics, international characters (such as € £ ß Ω) and typographical symbols (like % @ © ^#~) in their passphrase.
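To make the enrollment-and-verification idea concrete, here is an added toy example of keystroke-rhythm matching (my own illustration, not BioPassword’s code): the user types the password ten times, the per-interval mean and spread become the template, and a later typing passes if most of its intervals fall inside a tolerance band. The timings, the floor on the tolerance (`floor_ms`) and the 80% threshold are all constructed assumptions; the floor is what keeps the check loose enough for the laptop-keyboard case discussed above.

```python
from statistics import mean, pstdev

def enroll(samples):
    """Build a template from repeated typings of one password.
    Each sample is the list of inter-key intervals (ms) for that typing;
    the template holds the mean and standard deviation per interval."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrollment samples must have the same length")
    return [(mean(col), pstdev(col)) for col in zip(*samples)]

def verify(template, sample, k=2.0, floor_ms=25.0, min_fraction=0.8):
    """Accept if at least min_fraction of intervals fall within k standard
    deviations of the enrolled mean. floor_ms is a constructed lower bound on
    the tolerance so a different keyboard (e.g. a laptop) does not lock the
    real user out; setting it to 0 shows how strict timing misfires."""
    if len(sample) != len(template):
        return False
    hits = sum(1 for (mu, sd), obs in zip(template, sample)
               if abs(obs - mu) <= k * max(sd, floor_ms))
    return hits / len(template) >= min_fraction

# Constructed data: seven inter-key intervals for an eight-character password.
BASE = [120, 90, 200, 110, 95, 180, 130]
# Ten enrollment typings, each a small deterministic wobble around BASE
# (the jitter values sum to zero, so the template mean equals BASE).
_JITTER = [-10, -5, 0, 5, 10, -8, 8, -3, 3, 0]
ENROLLMENT = [[b + j * (-1) ** i for i, b in enumerate(BASE)] for j in _JITTER]
TEMPLATE = enroll(ENROLLMENT)

GENUINE = [b + d for b, d in zip(BASE, [7, -4, 12, 3, -9, 6, -2])]  # same user, desktop
LAPTOP = [b + 30 for b in BASE]   # same user, uniformly slower on a laptop keyboard
IMPOSTOR = [200] * 7              # knows the password, not the rhythm

if __name__ == "__main__":
    print("genuine        :", verify(TEMPLATE, GENUINE))                # True
    print("laptop, loose  :", verify(TEMPLATE, LAPTOP))                 # True
    print("laptop, strict :", verify(TEMPLATE, LAPTOP, floor_ms=0.0))   # False
    print("impostor       :", verify(TEMPLATE, IMPOSTOR))               # False
```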
Dots and dashes
The concept dates back to the 19th century. Experienced telegraph operators could identify each other by their “fist”, their distinctive pattern of keying Morse code. The same concept was also used during both World Wars to match radio operators with their message content.
Some banks might require each user to enroll several different passphrases, as many banks now require for their web-based customer portals.
BioPassword’s software is designed for business and enterprise users. PC Magazine has an excellent review here, and the London Times and Baseline have good recent articles. This Wired article from 2000 describes how the system was used by a Canadian company, Musicrypt.com, as part of a user management service for music web sites.
Tags: ADA, authentication, banking, biometrics, crime, keyboard, Microsoft, multifactor, music, password, phishing, security, unicode, Windows
ism tech
Posted Tuesday, 15 January 2008
I mentioned OpenDNS on 3 September and 13 July of 2007. This is a free service that looks up domain names. Domain names represent the numeric IP (Internet Protocol) addresses that are used on every server. The Domain Name System (DNS) is highly distributed, and a good target for all sorts of legal and illegal opportunities.
OpenDNS is much faster than the domain name servers I’ve used at other ISPs. Every ISP has to provide DNS services to subscribers. The DNS servers are an important part of maintaining a fast connection, but some ISPs just do not manage their DNS servers well.
OpenDNS is a great way to speed up an Internet connection, especially for residential and WiFi users, by outsourcing every domain name lookup request to a dedicated set of very fast servers in North America and Europe.
It’s hard to beat secure, fast and free.
OpenDNS also includes some nice security features. The service will block phishing and adult web sites, using a constantly updated list of known servers. This is a more elegant solution than proprietary security software that usually slows down a Windows or Mac computer.
Late last year, OpenDNS asked users to recommend the service to schools and universities. A recent article in THE Journal reports that over 10,000 educational organizations have adopted OpenDNS services.
Crackers have started to attack domain name servers, inserting false domain name entries that redirect users from well-known sites to forgeries. Schools and educational institutions are an attractive target for these attacks, as their IT security is sometimes less than adequate. In the past, school email servers have been a primary target for botnets. Hackers break into these servers, which can then be used to send spam. The legitimate users of these servers may not realize their email system has been compromised until their ISP cuts off their email access.
Installing OpenDNS on a personal computer is easy to do. I would not recommend that employees do this on their company computer without the support of their IT department, as some companies maintain specific entries in their own domain name servers.
Tags: Apple, cloud, computer, crime, DNS, education, email, Europe, free, hack, Internet, ISP, mac, malware, mobile, opendns, pda, phishing, security, server, software, spam, university, USA, WiFi, Windows
imported
Posted Wednesday, 4 August 2004
Tech: InfoWorld reports that phishing attacks are up by 50 percent per month. No surprises there. I was discussing e-mail with my father, who is having problems with his Mailblocks account. He agrees with me that e-mail is broken. John Dvorak’s recent column on broken e-mail is an interesting perspective from a mailing-list owner’s point of view. His call for a central registry of permanent e-mail addresses seems premature, however. To close today’s posts, AOL just bought Mailblocks today, in a desperate attempt to improve AOL’s spam-ridden e-mail service.
Tags: AOL, ASP, blog, phishing, spam
imported
Posted Monday, 2 August 2004
Tech: Larry Seltzer of eWeek reports on a new phishing scam involving the Kerry campaign. The phishers seem to be using look-alike domains, including johnkerrys.com and yahoogoogle.biz.
Also, it seems that the Kerry office has finally removed me from their e-mail list. I’m no longer getting their desperate pleas for money.
Tags: ASP, Google, office, phishing, rss, Yahoo