Sunday, August 3, 2008
Official OpenID Support
It's official! I've just completed the first phase of OpenID support. You no longer have to remember a username and password for this site.
How does it work? When you sign in, simply type in your OpenID and you'll be taken to your provider, which will validate your username and password. Depending on your provider, you might have to pass some tests (like captchas) or set an expiration date for your login.
OpenID is a fairly new and big concept for the Internet. Version 2.0 has just recently been ratified, so it's starting to get big exposure. In fact, Yahoo! now officially supports OpenID. For Yahoo! it's easy: just type in "yahoo.com" as your OpenID and they do the rest. Others who are known to offer support with a "special" URL are Blogger, AIM/AOL, LiveJournal, Verisign and WordPress. For instance, my LiveJournal OpenID would be the same as my LiveJournal user page (efesar.livejournal.com). Others are jumping on the bandwagon as we speak. MySpace has officially announced support for OpenID, but when it will launch is unknown. In some cases, mine for instance, you can even "centralize" an OpenID on your own domain, a feature which works with many sites, but unfortunately not with Yahoo. But it does work with Verisign. For example, I set up my site efesar.com as a "relying party" for my Verisign OpenID. I have a Verisign OpenID, but I can also use "efesar.com" as my OpenID, which then takes me to Verisign.com, which then validates my identification (username, password, fingerprints, security devices, pictures, captchas, etc). Once I'm signed in, it sends me back to the site where I was trying to log in, and -- presto-change-o -- I'm logged in.
I'm excited about OpenID and I'm happy to offer it on this site. Personally, I hate having a username and password for every single site I visit. Sometimes my username is not available. Sometimes they have weird password rules. Some are longer, some are shorter, some want more numerals, more symbols and more uppercase letters. It gets to be a real hassle. Someday I hope to narrow my "password" list down to three logins total: a "throwaway" login, a "normal security level" login, and a "high security level" login. We should all be so lucky.
OpenID is very secure (using a lot of back-and-forth encryption and verification) but the "mental process" or "social engineering aspect" does present some security risks for you, but only if you're not careful. Always make sure that any site which accepts OpenID sends you to the real site. Don't type in your password unless you're positive you're on the right site! Any hack can mock up a "fake" (but real-looking) Verisign or Yahoo! login page. It's up to you to make sure it's the real deal. Look at the address bar in your browser -- if it's real, it'll be at yahoo.com or verisign.com. If it's fake, you'll see something stupid like loginsite.partner.yahoo.fakerussianpasswordstealingsite.cc. Never ever ever trust an OpenID in a "new window" or in a "new tab" or in a "popup." Those are almost surely fakes.
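The address-bar check described above, written as code. This is an added example, not part of this site's OpenID implementation; the allow-list, the HTTPS requirement, the function names and the sample URLs (apart from the fake host quoted above) are assumptions made for illustration. It contrasts "the brand name appears somewhere in the URL" with a match on the host name at a dot boundary.

```javascript
// Added example. Allow-list of provider domains named in the post (assumed policy).
const TRUSTED_PROVIDER_DOMAINS = ["yahoo.com", "verisign.com"];

// Weak check: models a reader who only looks for a familiar name in the URL.
function naiveLooksTrusted(loginUrl) {
  return /yahoo|verisign/i.test(loginUrl);
}

// Stronger check: parse the URL and compare the host name itself.
// Returns the trusted domain the host belongs to, or null.
function trustedProviderFor(loginUrl, trusted = TRUSTED_PROVIDER_DOMAINS) {
  let url;
  try {
    url = new URL(loginUrl);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Assumption: a password page must be served over HTTPS.
  if (url.protocol !== "https:") return null;
  // Normalise case and a trailing root dot before comparing.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  for (const domain of trusted) {
    // Exact host, or a subdomain: the match must start at a dot boundary,
    // so "notyahoo.com" and "yahoo.<something else>" do not qualify.
    if (host === domain || host.endsWith("." + domain)) return domain;
  }
  return null;
}

// Constructed sample URLs; only the fake host is taken from the post.
const SAMPLES = [
  "https://login.yahoo.com/openid",
  "https://VERISIGN.com/login",
  "https://loginsite.partner.yahoo.fakerussianpasswordstealingsite.cc/login",
  "https://notyahoo.com/login",
  "http://yahoo.com/login",
];

// One row per sample: what each check decides.
function classifySamples(samples = SAMPLES) {
  return samples.map((u) => ({
    url: u,
    naive: naiveLooksTrusted(u),
    provider: trustedProviderFor(u),
  }));
}

console.table(classifySamples());
```

The decision rests on the right-hand end of the host name, which is the same part of the address bar a reader has to look at.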
Sorry about the rant, but since OpenID is such a new technology, there are going to be a lot of losers out there trying to take advantage of this great technology. Now, back to our regularly scheduled update...
There are a few features that I still have to implement to make this site's OpenID implementation perfectly complete: allowing you to change your OpenID once you've started an account, remembering your OpenID between sessions, and merging multiple accounts. But those aren't big show stoppers, and anyway these features should be up and running shortly. Enjoy!