Two more encounters with OpenID

February 27th, 2008

Filed under: OpenID — mike hall @ 1:12 am

OpenID has been gaining traction recently with news of Yahoo!, Google, IBM, Verisign and others giving users OpenID accounts. That’s certainly only good news for OpenID. Coincidentally, I recently encountered two more sites that are using OpenID:

1) Blogger comments

I’m not exactly sure how new this is, but I don’t remember an OpenID option being there before. Either way it’s there now. If I didn’t already have a Blogger account, I’d most definitely use OpenID here. There’s no need to create a Blogger account if you simply want to comment.

2) Twitter Feeds

I’ve recently started Twittering. This is yet another example of something I thought would be stupid, but has turned out to be pretty cool. Anyway, I’ve been looking at integrating my Twitter account into my Facebook account, my ‘about me’ site, and other places like that. Then I see a Tweet from Scott Hanselman himself telling us about TwitterFeed. Perfect. And look at that: it even supports OpenID. Even more perfect. This is truly a website where I have no need to create a full-fledged account with stockpiles of my info. I just need my login mapped to my feeds and we’re good to go:

I’m glad to see OpenID starting to be used in some sites that I actually use, since they’ve actually been pretty sparse up till now. Hopefully that trend continues. So do you regularly use any OpenID sites or have you seen any other cool OpenID-enabled sites out there?

Death and destruction from OpenID

October 17th, 2007

Filed under: OpenID, privacy, security — mike hall @ 3:37 pm

There has been a blog post floating around recently which discusses the many pitfalls of OpenID. The article breaks the problems down into seven areas: security, privacy, trust, usability, adoption, availability and patent. There are some valid points and some not so valid points. Many of these issues are simple policy issues. They can be resolved by implementation decisions by the OpenID provider. Let’s dig in a bit…

1. Security

The main problem here is that of phishing. You’re trusting that the site you’re at will faithfully send you to your OpenID provider and not some man-in-the-middle masquerading as your provider. However, as I’ve shown before, VeriSign PiP doesn’t allow referring websites to redirect to the VeriSign site in order to log you in. You already have to be logged in. So as long as users know of this behavior of the VeriSign PiP OpenID provider, they can’t be phished by phony redirects.

2. Privacy

This one breaks down to recycling of user ids and providers being able to track every site you use your OpenID at. Also, there’s the issue of what happens if your provider gets hacked and all your login history gets exposed. Gary Krall, the technical director of VeriSign PiP, has told me how they don’t recycle user ids for this very same reason. And there’s no reason that other providers can’t do this as well. The usage history (which I talked about here) is kind of a mixed blessing. This allows you to see if your OpenID has been compromised, but also allows your provider to track your every move when using your OpenID. Sure all this information may be in a central location, but is this really any worse than what we have now? How often do you reuse the same username and email (and maybe even password) when registering from site to site? How much information can a Google search already return on your activities? And I would expect OpenID providers to take more precautions and be much more secure than some run of the mill web 2.0 website that I have an account at.

3. Trust

Here it’s the problem of trust and identity and which is required for which. This is another case where the provider could verify your real identity when issuing OpenIDs, but they simply don’t. This may be a case where people are trying to make OpenID deal with more than it’s designed to. OpenID is meant to facilitate you being able to prove you own an identity similar to an email verification loop. It’s not supposed to be able to prove that the identity is actually you. That would most likely require an offline action.

4. Usability

Here the claim is that using OpenID is no easier than using a password manager and that using OpenID is actually a double login since it doesn’t fill out your account information for you at each website. In this case, OpenID is more convenient because its very existence absolves the need for a password manager. And again, the OpenID provider can help provide the referring website with account information as I’ve shown before. Sure it can never completely fill out the account information for all websites it may encounter, but there’s simply no way to do this. It’s simply not possible to have every mapping of every field in your provider to every other field in every website you may encounter.

5. Adoption

Basically, there are many more OpenID providers than OpenID enabled websites. The blog post is trying to claim that if your website supports OpenID then users will just use OpenID to sign in. And since the users don’t have an account, they aren’t locked into your website and so won’t be compelled to come back. However, I have about 140 accounts in my account manager app and I consistently only go to maybe 10 or 20 of the sites. Just because I create a username and a password at a website does not compel me to go back to that website. If the site has good content and is well designed then I’ll go back. Contrary to their point, if the website supports OpenID I’d be more likely to go back to that site since I don’t have to create and manage yet another username/password pair.

6. Availability

This addresses the problem of needing your OpenID provider up and running every time you need to use your OpenID. If it goes down temporarily or permanently, you can’t log in. This is a valid point, but again if the provider does things right, this won’t be a problem.

7. Patent

Now this could get bad. There are several patent claims on OpenID which threaten its longevity. This is a problem that will play out in court (if it gets that far) and that no OpenID provider can fix.

So to sum up everything here, out of the box OpenID has several problems. However, if the OpenID provider implements it right and uses some offline methods, it can be as good or better than other authentication methods out there.

Government surveillance and privacy violations

October 13th, 2007

Filed under: OpenID, eff, privacy, rights, security — mike hall @ 12:21 am

Today the EFF confronted Congress on the government’s surveillance of Americans and on the repercussions to those Americans’ privacy that could result. The government is collecting vast amounts of personal data and storing them in those oh so secure government databases:

We have all heard about security problems with government databases. A report from the Department of Homeland Security found 477 breaches in 2006 alone.

These databases are a black hat hacker’s dream come true. This is, of course, why OpenID is such a great idea. Sure it has its problems, but using OpenID means that login data doesn’t need to be distributed across the Internet at every website you visit. This decreases the black hats’ vector of attack tremendously. If I could have all of my login data being held at VeriSign, instead of having some of it at Yahoo, some at Tumblr, and some at Facebook… I’d be fine with that.

Anyway, while the distributed login data issue has a solution in sight, the government surveillance issue does not. The RESTORE Act will hopefully reinstate those checks and balances that were lost when the Protect America Act granted the telecoms immunity when helping the NSA spy on Americans. So I’ve said it before, and I’ll say it again: Support the EFF!

Using VeriSign PiP and your own domain

October 9th, 2007

Filed under: OpenID — mike hall @ 10:13 am

You can still use your own domain if you’re using VeriSign PiP in the same way as other OpenID providers. This allows you to use your own domain:

And that’s very convenient when your OpenID is something like mike6024.pip.verisignlabs.com. Anyway, all you need to do is add these tags in between your head tags:

<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://mike6024.pip.verisignlabs.com/" />

And of course put your id in place of mine. If you aren’t already logged into VeriSign PiP, you’ll still see the login page:

But if you’re already logged in, things will be just fine.
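As an added example (not code from the original post or from VeriSign), here is roughly how a relying party could read those two delegation tags during discovery, and why they must be typed with straight quotes. The claimed ID http://example.com/, the HTTPS requirement on the provider endpoint, and both sample pages are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenIDLinkParser(HTMLParser):
    """Collect openid.* <link> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # a <body> tag implicitly ends the head
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may carry several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel.startswith("openid.") and href:
                    self.links.setdefault(rel, href.strip())  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return the provider endpoint and delegate found on the claimed page."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found in <head>")
    # Assumed policy for this example: only accept an HTTPS endpoint.
    if urlparse(server).scheme != "https":
        raise ValueError("provider endpoint is not HTTPS: " + server)
    return {
        "claimed_id": claimed_id,  # what the site knows you as
        "server": server,          # where the browser is sent to log in
        # without a delegate tag, the claimed ID is also the provider-side ID
        "delegate": parser.links.get("openid.delegate", claimed_id),
    }


# Constructed sample page carrying the two tags from the post.
GOOD_PAGE = """<html><head><title>about me</title>
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://mike6024.pip.verisignlabs.com/" />
</head><body>hello</body></html>"""

# The same page with typographic quotes, as a blog engine may render them.
CURLY_PAGE = GOOD_PAGE.replace('"', "\u201d")

if __name__ == "__main__":
    print(discover("http://example.com/", GOOD_PAGE))
    try:
        discover("http://example.com/", CURLY_PAGE)
    except ValueError as err:
        print("curly-quoted tags are not recognised:", err)
```

With typographic quotes the rel value is no longer exactly openid.server, so discovery fails before any login is attempted.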

The inner workings of VeriSign PiP

September 18th, 2007

Filed under: OpenID — mike hall @ 11:52 am

A couple weeks ago I talked about a little problem I had with VeriSign PiP. I thought you had to create a unique PiP account for each OpenID you wanted, but it turned out that PiP lets you use multiple OpenIDs in the same PiP account. So I emailed PiP support and Gary Krall, the technical director of PiP, replied. I explained the situation in which I created the extra PiP account and registered the OpenID. Then I realized my error and removed the OpenID from the new account, so I could add it on to my original PiP account, but PiP kept saying the OpenID was still in use. Here’s Gary’s reply:

The way the system is currently structured is once an identity has been created “claimed” if you will, and then deleted in our database we do not “release it”. The reason behind this is we’ve given some thought to in the future allowing users to reclaim identities they have previously deleted. Also there is a chance that a user may have actually established a trust request with a relying party and we do not want to get into a situation where a user established a trust, deleted it, and then suddenly that persona was claimed by another user. We’re trying to keep accounts bound as close as we can.

I totally agree with Gary. I don’t like letting old email addresses go stale and subsequently get released. I may no longer use them, but they still might have some accounts tied to them and I wouldn’t want that to be vulnerable. This solution the VeriSign guys came up with seems to fix that problem. So I decided to poke and prod Gary a little more to find out some other details.

First I asked him why there is no overall account info that is tied to each of the OpenIDs so that they all use the same info.

He explained that they originally had this feature, but it was dropped in lieu of customization of each OpenID. In this way, each OpenID could serve as a different persona that you may want to present to one website but not another. I can see that argument, but I don’t think I personally would want to be a 29 year old male on some site and a 14 year old female on another… unless I was a creepy guy on myspace… Anyway, they did include a little feature as you can see above where it will copy the data from the right pane to the selected field in the left pane. This means you’d have to update all your OpenIDs if any of your info changes, but this is still a nice shortcut to have.

I also asked Gary about whether you could have multiple security tokens per PiP account. Earlier I mentioned how Steve Gibson talked about this on a recent Security Now! podcast. Well, Gary replied:

Not in the immediate future. It is on the list of possible enhancements but we have more to do than team members to do it. :-)

More enhancements than team members. Don’t we all know how that goes…

VeriSign PiP support

September 2nd, 2007

Filed under: OpenID, security — mike hall @ 3:54 am

So I recently had a support experience with VeriSign’s PiP provider that I’ve been talking a lot about. Here’s the story (in all its gory detail):

The Setup

I got the great advice from Steve Gibson in episode 107 of Security Now to register several OpenIDs using different mutations of your name. So I go to the VeriSign PiP website and create another account with the name michaelhall:

I got all the way through creating the new account which brings me to my new account’s homepage. I scroll down a little and then see something I didn’t notice before:

Crap. You can add multiple OpenIDs to the same PiP account:

I’m a moron. So I click on the delete link next to my newly created OpenID. The page refreshes, but I get an error saying “Last identity could not be deleted.” Well, that makes sense. Why would you have a VeriSign PiP account, but no OpenID in it? So I go ahead and create a throwaway OpenID, so that I can delete the michaelhall OpenID that I really want. I create the throwaway OpenID and delete the michaelhall OpenID. Ok, everything seems fine. I log out of the new PiP account and log in to my original PiP account… Click on “Create a new OpenID”. Click on “Add an OpenID”. Type in “michaelhall”. Click on “Add OpenID”. Bam!

Ok, now that’s unexpected. What did I do wrong? I deleted the OpenID from the new account and am trying to add it to my new account. hm…

The E-mail

So I click on the “Help and Support” link. It brings me to the FAQ. Reading… reading… no help here. I click on “Contact Us” and get a support email address. Ok, let’s see where this gets me. I type up an email explaining the situation. Clicked send and it’s off.

The Response

Less than 24 hours later (on a Saturday no less) I get a reply. Wow, not too bad. And it’s from the technical director of the PiP program at VeriSign. Not too bad at all! He introduces himself, explains that he can’t fix it until the start of the next work week, and then asks me to confirm the deletion. Now that’s great support:

1. The reply was immediate.

2. I didn’t have to deal with some shmuck in support that didn’t know what they were doing (not referring to VeriSign support here, but to general tech support in the industry).

3. I didn’t have to jump through hoops to get my problem fixed. Two simple emails. Fixed.

I applaud VeriSign for their efforts. They’ve really done a great job with PiP. I may even go buy a spare VeriSign Keychain Token just to support this great program.

More on VeriSign PIP OpenID

September 1st, 2007

Filed under: OpenID, security — mike hall @ 6:48 am

Yesterday, I talked about using a VeriSign security token with your VeriSign PIP OpenID. I kinda glossed over the fact that you can use the PayPal Security Key. And that is actually a big deal…

PayPal Security Key

You want, nay… you need a PayPal Security Key and here’s why:

1. The PayPal Security Key is only $5 compared to the $30 for the VeriSign Keychain Token. (Note: The two photos aren’t to the same scale. The tokens are actually the same size):

2. The PayPal Security Key makes use of VeriSign’s backend, so it’s just as secure as VeriSign’s own VeriSign Keychain Token. (PayPal’s security token is in actuality just a rebranded VeriSign security token.)

3. The VeriSign Keychain Token can only be used with VeriSign PIP. The PayPal Security Key can be used with PayPal, eBay, and VeriSign PIP. That doesn’t mean that PayPal and eBay support OpenID; that simply means that you need to enter the number displayed on the screen in addition to your PayPal/eBay username and password when logging in.

VeriSign PIP

When VeriSign developed their PIP framework, they did it right:

1. You’re forced to use SSL when accessing their site:

Even if you go to http://pip.verisignlabs.com/, you’ll be redirected to the secure, certificate-fied https://pip.verisignlabs.com/.

2. It makes use of a site key by showing your personal icon:

…not that site keys are that great, since they can still succumb to man-in-the-middle attacks, but they’re better than nothing.

3. It maintains and displays logs of your security token usage. By clicking on the My Activities link on the right panel, you’ll see:

And these three things are all good to have. You need that much more security for your OpenID identity since OpenID is meant to be used on multiple websites. And since multiple websites will potentially have the same OpenID for you, it needs to be kept that much more safe and secure.

[Update] You can also have multiple OpenIDs in the same VeriSign PiP account which I just recently found out about.

SeatBelt

VeriSign also has a new Firefox plug-in called SeatBelt that detects your VeriSign OpenID login status:

…and asks you if you want to login if it detects that you just went to a page asking for your OpenID:

You can’t add too much more convenience without sacrificing security than that.

Using OpenID with a security token

August 30th, 2007

Filed under: OpenID, security — mike hall @ 4:00 am

It looks like Verisign has answered my prayers. While listening to last week’s Security Now! episode, they revealed that Verisign’s PIP OpenID provider that I blogged about yesterday has the option to use a Verisign security token (which includes the Paypal security token). Here’s how you add it:

1) Login to Verisign Lab’s OpenID provider PIP:

2) Click on the My Account link on the right side.

3) Click on “Add Credential” under VIP Credential:

4) Enter the ID on the back of the security token and the current security code from the screen:

5) And you’re done:

On Security Now!, Steve said that you can register up to three security tokens per OpenID in case you misplace one or one dies or you want to keep one at home and one at work (even though that inherently makes it less secure). I don’t see this option on the Verisign site. However, you can also get a crazy cool red Verisign security token or use your Sandisk U3 flash drive (which I coincidentally just uninstalled U3 from mine) from Verisign’s site (once you’ve logged in):

…so now wherever you go that uses OpenID, you can be assured that via two-factor authentication your OpenID will only be used by you.

OpenID Usage Overview

August 28th, 2007

Filed under: OpenID, security — mike hall @ 4:44 am

I’ve talked about how I want OpenID to be my one authentication provider. One account with them and that’s it. I thought I should go over how it works, so…

Here’s how it works

1) You go to a site that supports OpenID authentication:

2) You enter your OpenID URL or XRI:

3) You are sent to *your* OpenID provider. This is the provider specified by your OpenID ID. Usually, it’s in the ID itself: claimid.com/xxx, xxx.pip.verisignlabs.com, etc. The provider is not at all specified by the site you’re currently at, since that is pretty much the point of OpenID: you can use any provider you want… even your own.

4) The OpenID provider can do what they want now. If you’re already logged in, they can simply ask you if you want to login to and/or trust the originating site, or they may need to ask for additional information to send to the originating site, or they may simply redirect you back to the originating site, since you’re already logged in. However, if you’re not logged in, they may allow you to log in right there:

or they may force you to intentionally go to their page to login first:

The point is that it’s up to the provider to make that choice.

5) If you successfully logged into your OpenID provider, a cookie is saved on your computer that records that you’re logged into your OpenID provider.

6) You are then redirected back to the originating site.

Now that you’re logged into your OpenID account, any future use of OpenID on any other sites from that computer won’t ask you to login.

OpenID Providers and Supporting Sites

First, you need to sign up with an OpenID provider. Some are pay. Some are free. I use ClaimID, a free OpenID provider, and my blog’s domain which uses WordPress as the OpenID provider. Verisign has a free OpenID provider as well. The form of the ID created by these services can vary, although they’re generally of the form <ID>.<OpenIDDomain> or <OpenIDDomain>/<ID>. And although it’s definitely not a standard yet, there are more and more sites that support OpenID. However, it is still a little problematic since it can prove you own the ID you claim to own, but it doesn’t necessarily guarantee that you are who you are.

Authento-craziness!!!

June 22nd, 2007

Filed under: OpenID, security — mike hall @ 4:21 am

I’m digging all these new authentication methods coming out. OpenID will hopefully be the end-all be-all of single sign-on methods. Passport is pretty much dead (I mean come on, who wants Microsoft to be their identity provider) even though it was a step in the right direction. Hopefully more and more websites will take OpenID so that I can permanently delete my passwords file… um, that I don’t store on my hard drive…
I also just sent off for my Verisign Paypal Security Key. Having two factor authentication for something non work related is pretty sweet. Hopefully this will catch on, but at the same time I don’t want to have to carry one key for paypal, one for my bank, one for my email… if they all used OpenID and all shared the same tokens… now that would just be peachy.


Creative Commons License This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.