It’s become quite fashionable to criticise OpenID these days and the latest tirade to come to my attention is from Kyle Neath. Although he raises some valid points, none of them are problems with OpenID. Rather they are general problems with proving identity on the internet. Like most critics of OpenID, Kyle seems to ignore the simple fact that we already have a single, centralised identity: email. Your email address is your identifier for most online services and shares many issues with OpenID. OpenID is not the be all and end all of online identity but it does offer many advantages over the currently favoured username/password system. More…
Peter Nixey’s fantastic write-up of his experience launching Clickpass at SxSW reads like an edge-of-your-seat, action-thriller-adventure!
…
11:25am: As I shut my Mac and go to do the screencast I happen to glance at TechCrunch. We’re on. Top story. It’s an incredible review — everything we could have hoped for. Fantastic, except that we didn’t expect this for another two hours and the site’s still behind a password!
11:25am 10s: I call San Francisco: “Immad, we’re live, TechCrunch just published the story — let’s push!”
11:25am and 30s: <ping> Aral Balkan twitters that he can’t see the site — how do people find these things out so quickly?!
11:26am: Immad, as fast as ever, IM’s to say that everything’s live. Clickpass is go.
11:37am: An email arrives kindly offering to sell me Clickpass.cn. Un. Believable. I start buying other countries.
…
Comments Off
I read Dion Almaer’s post about moving the responsibility for authentication from the website into the web browser itself with great interest. More…
Clickpass has just launched a new OpenID offering which aims to make single sign-in easy enough for the masses. It takes a rather different approach to OpenID than other sites I have tried. The first obvious difference is that sites must, in addition to supporting OpenID, add a special Clickpass button to their sign-in screen. Behind the scenes it also generates a new, unique OpenID URL for each site you use. This is an interesting extra layer of privacy as it makes you completely unidetifiable to the relying party (i.e. the website you are signing in to). I gave it a whirl with Plaxo but was shocked to find that upon clicking the Clickpass button I was taken to a page on clickpass.com which asked me for my Plaxo username and password!
Carsten Pötter has a more in depth post on this bizarre behaviour of Clickpass. He ends with this thought:
There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.
A comment on that post from Clickpass boss Peter Nixey goes some way to explaining why they chose to do it that way:
We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server – they are submitted directly to the relying party but nonetheless is would be better not to ask for them at all.
It’s true that the form goes direct to the server of the relying party (it is used to send them the randomly generated OpenID URL) but how is anyone to know that? Half the point of OpenID is avoiding sharing passwords between sites. Most users probably wouldn’t think twice about entering their private login details into a third-party site (especially when presented as part of a login process) but that is exactly the kind if blind trust that we, as conciencious web developers, should be educating against.
Ultimately though I think Clickpass’s biggest problem will be getting sites to implement their special button. There are few enough sites that accept standard OpenIDs.
(or How Random Internet Funkiness Can Spoil Your Basecamp Experience)
At the end of last week’s hacking session, I was happy to report that I had a working PlusNet beta OpenID and was able to use it to access my Basecamp account.
That following Saturday I wanted to show off to my partner (who uses Verisign PIP for OpenID) my working PlusNet OpenID by logging into Basecamp. It didn’t work. PlusNet’s server wasn’t responding.
“Ah well”, I said, “as it’s a beta, maybe it’s only accessible from within the PlusNet network. I’ll switch back to logging into Basecamp with my username and password like before.” Oh no, I won’t! I clicked the “Login with your username and password” link to switch to the conventional login form and found that I still couldn’t get in. Mild panic ensued.
As it turns out, registering an OpenID against a Basecamp account disables the password-based login! Fortunately, my partner is also the administrator of my Basecamp account. She was able to login, de-register the OpenID from my account and set up a new username/password combination to let me get in.
It was only a minor inconvenience but it worried me for a while. What if my partner’s OpenID provider goes offline? The administrator of a Basecamp account being locked out would be a major inconvenience.
The problem here isn’t with OpenID as such. It’s a problem with the implementation of OpenID on Basecamp but it highlighted for me the good practice of having a backup identity provider for important services. The OpenID specification has an elegant solution to the problem – delegation.
My OpenID identifying URL isn’t my PlusNet one, it’s the URL of my blog. Placing a couple of META tags in my blog header template allows me to redirect the relying party to my identity provider of choice. So, in the situation I found myself in, where my primary identity provider was not available, using delegation allows me to switch to my backup identity provider as and when I need to.
Footnote:
PlusNet’s beta OpenID server was taken off-line last weekend as a security measure to protect it and our customers from an attack that had been perpetrated against one of my colleagues’ accounts. That’s a correct reponse that any provider of OpenID identities will instigate from time to time. Beware random internet funkiness!
Here at Plusnet we're always trying to use clever open source things to make our lives easier. Sometimes we write our own and make other people's lives easier too!
We're a Yorkshire-based provider selling broadband and phone services to homes and businesses throughout the UK. Winner of the ISPA 2010 'Best Consumer Customer Service ISP' Award, we're proud to offer the UK's best value standalone broadband.
© Plusnet plc All Rights Reserved. E&OE
Community Site News.. is powered by WordPress
