PlusNet Community Website

It’s become quite fashionable to criticise OpenID these days and the latest tirade to come to my attention is from Kyle Neath. Although he raises some valid points, none of them are problems with OpenID. Rather they are general problems with proving identity on the internet. Like most critics of OpenID, Kyle seems to ignore the simple fact that we already have a single, centralised identity: email. Your email address is your identifier for most online services and shares many issues with OpenID. OpenID is not the be all and end all of online identity but it does offer many advantages over the currently favoured username/password system. More…

1 Comment »

I read Dion Almaer’s post about moving the responsibility for authentication from the website into the web browser itself with great interest. More…

1 Comment »

Clickpass has just launched a new OpenID offering which aims to make single sign-in easy enough for the masses. It takes a rather different approach to OpenID than other sites I have tried. The first obvious difference is that sites must, in addition to supporting OpenID, add a special Clickpass button to their sign-in screen. Behind the scenes it also generates a new, unique OpenID URL for each site you use. This is an interesting extra layer of privacy as it makes you completely unidetifiable to the relying party (i.e. the website you are signing in to). I gave it a whirl with Plaxo but was shocked to find that upon clicking the Clickpass button I was taken to a page on clickpass.com which asked me for my Plaxo username and password!

Carsten Pötter has a more in depth post on this bizarre behaviour of Clickpass. He ends with this thought:

There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.

A comment on that post from Clickpass boss Peter Nixey goes some way to explaining why they chose to do it that way:

We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server - they are submitted directly to the relying party but nonetheless is would be better not to ask for them at all.

It’s true that the form goes direct to the server of the relying party (it is used to send them the randomly generated OpenID URL) but how is anyone to know that? Half the point of OpenID is avoiding sharing passwords between sites. Most users probably wouldn’t think twice about entering their private login details into a third-party site (especially when presented as part of a login process) but that is exactly the kind if blind trust that we, as conciencious web developers, should be educating against.

Ultimately though I think Clickpass’s biggest problem will be getting sites to implement their special button. There are few enough sites that accept standard OpenIDs.

2 Comments »

Yes we did meet up last night

• Tam continued is work on some prototypes for how we’d model the login boxes for the community site with OpenID in mind. You can take a look at his current prototype concepts.
• Colin has resurrected his work with combining OpenID with Cryptocard’s two part auth system. He’s been struggling with getting the RADIUS client working.
• Paul consulted with Nigel (one of our architects) about how to get OpenID into our portal authentication system. There’s a convenient spot for it to go in, a gotcha to do with accessing a PlusNet identity provider from a PlusNet webserver and the necessity of a security review of any code added intended for live.

What did I do? I refreshed myself on the phishing stuff following last weeks Cryptocard conversation. I was mostly working through the examples talked about in Marco Slot’s Beginners Guide to OpenID Phishing.
He describes 3 different ‘levels of phishing’ which openID is susceptible to. I’ve made the links available to our developers internally to make sure they are aware of thinking of these things.

I can’t help but wonder if you can get around the ‘level 2′ phishing approach via the use of some sort of referrer checking. I.e. are the images being loaded on this page being called from the correct OpenID login form. If not, display phishing warnings. Is that simple to get around? Or does it add a sufficient level of difficulty for the phishermen to not warrant the effort?

Feel free to debate below

3 Comments »

This week we had Mark Kacary from Cryptocard in to talk to about their managed 2 part auth services. We’ve been mulling over integrating it with a PlusNet OpenID system for a long time but have never been able to dedicate the time to progress it. The guys seemed quite enthusiastic about implementing it and were confident that it wasn’t going to be too taxing.

No Comments »

(or How Random Internet Funkiness Can Spoil Your Basecamp Experience)

At the end of last week’s hacking session, I was happy to report that I had a working PlusNet beta OpenID and was able to use it to access my Basecamp account.

That following Saturday I wanted to show off to my partner (who uses Verisign PIP for OpenID) my working PlusNet OpenID by logging into Basecamp. It didn’t work. PlusNet’s server wasn’t responding.

“Ah well”, I said, “as it’s a beta, maybe it’s only accessible from within the PlusNet network. I’ll switch back to logging into Basecamp with my username and password like before.” Oh no, I won’t! I clicked the “Login with your username and password” link to switch to the conventional login form and found that I still couldn’t get in. Mild panic ensued.

As it turns out, registering an OpenID against a Basecamp account disables the password-based login! Fortunately, my partner is also the administrator of my Basecamp account. She was able to login, de-register the OpenID from my account and set up a new username/password combination to let me get in.

It was only a minor inconvenience but it worried me for a while. What if my partner’s OpenID provider goes offline? The administrator of a Basecamp account being locked out would be a major inconvenience.

The problem here isn’t with OpenID as such. It’s a problem with the implementation of OpenID on Basecamp but it highlighted for me the good practice of having a backup identity provider for important services. The OpenID specification has an elegant solution to the problem - delegation.

My OpenID identifying URL isn’t my PlusNet one, it’s the URL of my blog. Placing a couple of META tags in my blog header template allows me to redirect the relying party to my identity provider of choice. So, in the situation I found myself in, where my primary identity provider was not available, using delegation allows me to switch to my backup identity provider as and when I need to.

Footnote:
PlusNet’s beta OpenID server was taken off-line last weekend as a security measure to protect it and our customers from an attack that had been perpetrated against one of my colleagues’ accounts. That’s a correct reponse that any provider of OpenID identities will instigate from time to time. Beware random internet funkiness!

3 Comments »

It’s Thursday again. A quick update on our progress:

Paul has been playing with our current implementation: He now has a Plusnet OpenID, delegated it via his blog, and successfully logged into his Basecamp account using it. He’s happy!

Colin has been taking a look to see if the current server we are using will support OpenID2, which is appears not to do :(.

After reviewing those other implementations last week, Tam has been experimenting with some prototypes for how we could implement it on our portals and community site. We’ll show you them when we’ve got something together!

Finally, I’ve been looking at Phishing with OpenID and Google has a whole host of links. Scary stuff.

Anyway, I think it’s home time!

1 Comment »

Update: Added review of VeriSign’s offering below.

As Kelly mentioned yesterday, I have spent a few hours looking at how other sites have implemented their OpenID interfaces. Yahoo!’s new service was my favourite because it explains everything and makes it very clear and simple. On the other hand it lacks some features that I think are essential. More…

6 Comments »

Yes, we missed a week. Last Thursday was a long standing members leaving do, so Paul and Colin snuck out to work on their drinking skills, rather than our OpenID implementation. I can’t say I blame them More…

2 Comments »

A while ago we announced that we were running an OpenID alpha based off our community site code. Since that we’ve been pretty quiet about it, and to be honest, any further development has stalled.
More…

2 Comments »