It’s become quite fashionable to criticise OpenID these days and the latest tirade to come to my attention is from Kyle Neath. Although he raises some valid points, none of them are problems with OpenID. Rather they are general problems with proving identity on the internet. Like most critics of OpenID, Kyle seems to ignore the simple fact that we already have a single, centralised identity: email. Your email address is your identifier for most online services and shares many issues with OpenID. OpenID is not the be all and end all of online identity but it does offer many advantages over the currently favoured username/password system.
Peter Nixey’s fantastic write-up of his experience launching Clickpass at SxSW reads like an edge-of-your-seat, action-thriller-adventure!
…
11:25am: As I shut my Mac and go to do the screencast I happen to glance at TechCrunch. We’re on. Top story. It’s an incredible review — everything we could have hoped for. Fantastic, except that we didn’t expect this for another two hours and the site’s still behind a password!
11:25am 10s: I call San Francisco: “Immad, we’re live, TechCrunch just published the story — let’s push!”
11:25am and 30s: <ping> Aral Balkan twitters that he can’t see the site — how do people find these things out so quickly?!
11:26am: Immad, as fast as ever, IM’s to say that everything’s live. Clickpass is go.
11:37am: An email arrives kindly offering to sell me Clickpass.cn. Un. Believable. I start buying other countries.
…
I read Dion Almaer’s post about moving the responsibility for authentication from the website into the web browser itself with great interest.
Clickpass has just launched a new OpenID offering which aims to make single sign-in easy enough for the masses. It takes a rather different approach to OpenID than other sites I have tried. The first obvious difference is that sites must, in addition to supporting OpenID, add a special Clickpass button to their sign-in screen. Behind the scenes it also generates a new, unique OpenID URL for each site you use. This is an interesting extra layer of privacy as it makes you completely unidentifiable to the relying party (i.e. the website you are signing in to). I gave it a whirl with Plaxo but was shocked to find that upon clicking the Clickpass button I was taken to a page on clickpass.com which asked me for my Plaxo username and password!
Carsten Pötter has a more in depth post on this bizarre behaviour of Clickpass. He ends with this thought:
There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.
A comment on that post from Clickpass boss Peter Nixey goes some way to explaining why they chose to do it that way:
We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server – they are submitted directly to the relying party but nonetheless it would be better not to ask for them at all.
It’s true that the form goes direct to the server of the relying party (it is used to send them the randomly generated OpenID URL) but how is anyone to know that? Half the point of OpenID is avoiding sharing passwords between sites. Most users probably wouldn’t think twice about entering their private login details into a third-party site (especially when presented as part of a login process) but that is exactly the kind of blind trust that we, as conscientious web developers, should be educating against.
Ultimately though I think Clickpass’s biggest problem will be getting sites to implement their special button. There are few enough sites that accept standard OpenIDs.
(or How Random Internet Funkiness Can Spoil Your Basecamp Experience)
At the end of last week’s hacking session, I was happy to report that I had a working PlusNet beta OpenID and was able to use it to access my Basecamp account.
That following Saturday I wanted to show off to my partner (who uses Verisign PIP for OpenID) my working PlusNet OpenID by logging into Basecamp. It didn’t work. PlusNet’s server wasn’t responding.
“Ah well”, I said, “as it’s a beta, maybe it’s only accessible from within the PlusNet network. I’ll switch back to logging into Basecamp with my username and password like before.” Oh no, I won’t! I clicked the “Login with your username and password” link to switch to the conventional login form and found that I still couldn’t get in. Mild panic ensued.
As it turns out, registering an OpenID against a Basecamp account disables the password-based login! Fortunately, my partner is also the administrator of my Basecamp account. She was able to login, de-register the OpenID from my account and set up a new username/password combination to let me get in.
It was only a minor inconvenience but it worried me for a while. What if my partner’s OpenID provider goes offline? The administrator of a Basecamp account being locked out would be a major inconvenience.
The problem here isn’t with OpenID as such. It’s a problem with the implementation of OpenID on Basecamp but it highlighted for me the good practice of having a backup identity provider for important services. The OpenID specification has an elegant solution to the problem – delegation.
My OpenID identifying URL isn’t my PlusNet one, it’s the URL of my blog. Placing a couple of META tags in my blog header template allows me to redirect the relying party to my identity provider of choice. So, in the situation I found myself in, where my primary identity provider was not available, using delegation allows me to switch to my backup identity provider as and when I need to.
Footnote:
PlusNet’s beta OpenID server was taken off-line last weekend as a security measure to protect it and our customers from an attack that had been perpetrated against one of my colleagues’ accounts. That’s a correct response that any provider of OpenID identities will instigate from time to time. Beware random internet funkiness!
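The delegation described in the post above, as an added example (not code from the original post or from Plusnet): in OpenID 1.1 the delegating page carries `openid.server` and `openid.delegate` link elements in its head, and the relying party reads them during discovery. The `discover` helper and all URLs are hypothetical, and the two sample pages are constructed.

```python
from html.parser import HTMLParser

class _HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> elements that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may hold several space-separated tokens; first match wins
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.rels.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return what a relying party learns from the page served at claimed_id."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.rels.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    return {
        "claimed_id": claimed_id,  # what the site stores against the account
        "server": server,          # where the browser is sent to authenticate
        "delegate": parser.rels.get("openid.delegate", claimed_id),
    }

# Constructed sample: the same blog URL, first delegating to a primary provider,
# then edited to point at a backup. A link outside <head> must be ignored.
BLOG = "https://blog.example/"
PRIMARY_PAGE = """<html><head><title>Blog</title>
<link rel="openid.server" href="https://openid.primary.example/server">
<link rel="openid.delegate" href="https://paul.openid.primary.example/">
</head><body><link rel="openid.server" href="https://ignored.example/"></body></html>"""
BACKUP_PAGE = PRIMARY_PAGE.replace("primary.example", "backup.example")

if __name__ == "__main__":
    for page in (PRIMARY_PAGE, BACKUP_PAGE):
        print(discover(BLOG, page))
```

The claimed identifier stays the blog URL in both runs, which is why the account at the relying party survives a change of provider.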
It’s Thursday again. A quick update on our progress:
Paul has been playing with our current implementation: He now has a Plusnet OpenID, delegated it via his blog, and successfully logged into his Basecamp account using it. He’s happy!
Colin has been taking a look to see if the current server we are using will support OpenID2, which it appears not to do.
After reviewing those other implementations last week, Tam has been experimenting with some prototypes for how we could implement it on our portals and community site. We’ll show you them when we’ve got something together!
Finally, I’ve been looking at Phishing with OpenID and Google has a whole host of links. Scary stuff.
Anyway, I think it’s home time!
Update: Added review of VeriSign’s offering below.
As Kelly mentioned yesterday, I have spent a few hours looking at how other sites have implemented their OpenID interfaces. Yahoo!’s new service was my favourite because it explains everything and makes it very clear and simple. On the other hand it lacks some features that I think are essential.

Yes, we missed a week. Last Thursday was a long-standing member’s leaving do, so Paul and Colin snuck out to work on their drinking skills, rather than our OpenID implementation. I can’t say I blame them.
A while ago we announced that we were running an OpenID alpha based off our community site code. Since then we’ve been pretty quiet about it, and to be honest, any further development has stalled.
I mentioned Microformats briefly when I blogged about OpenID previously.
I just wanted to touch on them again – as they are proving to be very useful in a number of situations. Imagine you have a webpage (such as the about us or contact us page on your site) with your name, address, email and telephone number on it. Right now you’re expecting the visitor to your site to copy and paste them into their contacts / address book if the information is useful to them.
With microformats you “tag” the data to give it context, i.e. you mark up in the HTML that the data is of type “email” or of type “name”. So now it’s able to be consumed as information and not just data.
Using a tool such as Operator, which is a plug-in for Firefox, any visitor to that site now knows there is information on that page of a certain type, i.e. “Name” and “Email”, and the plug-in allows your user to consume that data more easily and readily, i.e. they can auto copy it into their Outlook contacts or view your company address on a Google map etc.
All nice / cool functionality.
However, real power can be derived from this type of solution when you start to enable a lot more data.
E.g. imagine having a web app generate a report which displays customers with name, address, total spend to date etc.
You can then use this technology to “mashup” the data results with Google Maps and get a view of where your customers are geographically located and where the “hot spots” are regarding your most revenue generating locations.
The possibilities for these “mashups” are endless.
The really interesting stuff though is that Operator is being developed by Mozilla (the people who brought us Firefox) and it doesn’t take a genius to see that sooner or later this type of technology will make it into the browser itself (and not require the plugin) which then opens up a whole world of visually rich data display and content interaction.
Or what about if Adobe’s Apollo started to use Microformats – now that would be interesting.
If you’re in the web apps / development game – I would recommend taking a look at Microformats over the next couple of months.
regards
Dean