I read Dion Almaer’s post about moving the responsibility for authentication from the website into the web browser itself with great interest.
What I really want is for the browser to [sign in] for me. If a site groks OpenID the browser should be able to pass that over without having me intervene at all. It could hide the entire login process if we came up with a microformat to let all sides know what is going on.
Yes! That’s exactly what we need. You log in once at the start of your browsing session and from then on all that’s required is a simple “Do you want to tell this site who you are? Yes/No” dialog box each time a site requests your identity. This would also neatly work around the phishing problem, as the browser sign-in mechanism would presumably be fashioned in such a way as to be unfakeable by a website. And if it was all done through microformats it would degrade gracefully in older browsers.
In fact it shouldn’t be too hard to come up with a Firefox extension to do it once the APIs are sorted out.
James Henstridge also talks about client-side OpenID, but I think he’s looking at it the wrong way.
So it certainly looks like it is possible to migrate almost everything to the client side. That still leaves open the question of whether you’d actually want to do this, since it effectively makes your identity unavailable when away from a computer with the extension installed.
The aim is not to move everything to the client side but rather to allow the browser to mediate the authentication process between the relying party (RP) and the OpenID provider (OP).
PS I remembered that VeriSign have an OpenID extension for Firefox called SeatBelt. I tried it out, but as far as I can tell all it does is provide phishing protection by redirecting users to their OpenID provider to authenticate before signing in to the relying party. Still, it could be a starting point for a more complete client-side OpenID implementation.
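The mediation described above, as an added example (not code from this post, from SeatBelt or from any existing extension): the browser checks that the request returns to the site that asked, consults a per-site Yes/No answer, and only then builds an OpenID 2.0 `checkid_setup` request to the OP the user configured. The profile, the request shape and the function names are assumptions made for illustration; only the `openid.*` parameter names come from OpenID 2.0.

```javascript
// Added illustration: a browser-side mediator between relying party (RP) and OP.
// Parameter names are the OpenID 2.0 "openid.*" request fields; everything else
// (profile, request shape, function names) is hypothetical.
const OPENID2_NS = "http://specs.openid.net/auth/2.0";

// Identity the user configured in the browser at session start (constructed sample).
const profile = {
  claimedId: "https://alice.example.org/",
  opEndpoint: "https://op.example.net/auth",
};

// Per-origin answers to "Do you want to tell this site who you are?"
const consent = new Map();

function recordConsent(origin, allowed) {
  consent.set(origin, allowed);
}

// request: { pageUrl, returnTo, opEndpoint? } as announced by the page's markup.
function mediateSignIn(request, userProfile = profile) {
  const page = new URL(request.pageUrl);
  const returnTo = new URL(request.returnTo);

  // The assertion must come back to the site that asked, over HTTPS.
  if (page.protocol !== "https:" || returnTo.origin !== page.origin) {
    return { action: "deny", reason: "return_to does not match requesting origin" };
  }
  // No stored answer yet: the browser shows its own Yes/No dialog (trusted chrome).
  if (!consent.has(page.origin)) {
    return { action: "prompt", origin: page.origin };
  }
  if (!consent.get(page.origin)) {
    return { action: "deny", reason: "user declined for this origin" };
  }
  // Anti-phishing: any OP URL suggested by the page is ignored; the request
  // always goes to the endpoint stored in the user's own profile.
  const url = new URL(userProfile.opEndpoint);
  url.search = new URLSearchParams({
    "openid.ns": OPENID2_NS,
    "openid.mode": "checkid_setup",
    "openid.claimed_id": userProfile.claimedId,
    "openid.identity": userProfile.claimedId,
    "openid.return_to": returnTo.href,
    "openid.realm": page.origin + "/",
  }).toString();
  return { action: "redirect", url: url.href };
}
```

The password prompt itself never appears in this flow on the RP's page: the only thing the site can trigger is the browser's own consent dialog or a redirect to the user's stored OP.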
I completely agree. In fact so much that I have done something along these lines: a FF extension to secure the communication between OP and user and as a way to improve overall usability. I hope to open source it as soon as I can and it would be great if it can act as a starting point as you envision.
[...] And it will come. Chris Messina is on the case. Or what about using SMS to authenticate? Or why not build OpenID right into the phone browser? It’s no lie that the internet is generally filled with a bunch of scam artists, thieves, and [...]
Here at Plusnet we're always trying to use clever open source things to make our lives easier. Sometimes we write our own and make other people's lives easier too!