
Archive for October, 2010

5 Oct

Don’t Lock Me Out

   Posted by: wkossen    in Uncategorized

[image: OpenID Closed]

ADVANCE WARNING: This post is going to be a bit rant-like… But you may still like it. There’s some good information, too, that might keep you out of trouble…

You may already know I’m quite fond of OpenID. In fact, any security system that makes life easier for me is very welcome. For some time, however, something has been going on that makes the OpenID system a bit less attractive: providers that quit. ‘Quit?’ I hear you ask. Yes, quit!

And that wouldn’t necessarily be so bad if they gave their users advance notice that they were going to do just that. That’s just not what’s happening. I’ll just list a few of the OpenID providers that aren’t providers anymore:

  • Technorati Read about that one here
  • Identity.net
  • Yiid.com (which is also Identity.net) I got the mail from them this week telling me they just turned off OpenID. So much for advance warning…
  • Cliqset.com I don’t even know what happened. It just stopped working.
  • Logmij.in (Dutch OpenID provider) The site doesn’t even exist anymore.
  • If you check each one on the list on this site, you’ll find quite a few more that seem to be terminated…

Just imagine that you’re using an OpenID from one of those providers. They gave you an OpenID which you actually used to log-in to other sites, for instance to update your weblog at LiveJournal. Now the provider quits. How are you going to access the sites you’re a valid member of? I’ll tell you, you’re not going to access it, and you’re going to have long talks with the helpful support team of those sites (if those even exist) to get your account back.

Since I’ve been fond of OpenID for a long time, I’ve been keeping multiple OpenIDs. That’s a reasonable back-up strategy, but unfortunately not all sites allow you to assign multiple OpenIDs to your account. This really puts you in a tight spot if your provider thinks it’s a good idea to quit. There are some good examples though. Plaxo, for instance, allows you to add many OpenIDs. What I don’t understand is why they hide the management screen as a sub-screen behind a link on the e-mail-address management page, but this post isn’t about usability…. :(

Even better as a back-up strategy is the ‘Roll-Your-Own’ method. phpMyID allows you to do just that: host your own private OpenID provider. It will only quit if you decide it will… I’ve been running mine for a long time and that’s the OpenID I add to a site first. If it’s possible to add more, I’ll do so, because my site can be down as well and that would lock me out immediately…

Another (very useful) method is to have your own domain or website delegate to your current provider. If you switch providers, you just delegate to the next one from the same domain or website. That way the OpenID doesn’t change even though the back-end provider does… Delegation is easy to set up if you have access to the HTML source code of your website. In the <head></head> section, you add the following code:

<link rel="openid.server"
      href="https://www.myopenid.com/server">
<link rel="openid.delegate"
      href="http://wkossen.myopenid.com">

Naturally, the entry in href="" changes depending on who serves your OpenID. Your OpenID provider will tell you what settings to implement, or with a bit of thinking you’ll figure it out… Just note that, again, if the delegating website is down, or the OpenID provider behind it is down, you’re still locked out…
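If you want to confirm that your delegation page really advertises what a relying party will look for, the following is an added example (not code from the original post, and not part of phpMyID or any OpenID library). It parses the <link> elements described above from the <head> of a page, also accepts the OpenID 2.0 spellings (openid2.provider / openid2.local_id), and reports the mistakes a site owner most often makes: a delegate without a server, or a provider endpoint that isn’t served over https. The sample page, the function names and the https check are assumptions of this example; the two URLs are the ones from the snippet above.

```python
"""Check that an HTML page advertises OpenID delegation correctly.

Added example, not code from the original post. It collects the <link>
elements the post describes (openid.server / openid.delegate) plus the
OpenID 2.0 spellings (openid2.provider / openid2.local_id) and reports
what a relying party would discover. SAMPLE_HTML is constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel tokens that carry OpenID delegation information (1.x and 2.0 spellings)
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}


class DelegationLinkParser(HTMLParser):
    """Collect rel/href pairs from <link> tags that sit inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        if tag == "link" and self.in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = (a.get("href") or "").strip()
            # a rel attribute may carry several space-separated tokens
            for token in rel.split():
                if token in DELEGATION_RELS and href:
                    self.links[token] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(html_text):
    """Return {rel: href} for the delegation links found in <head>."""
    p = DelegationLinkParser()
    p.feed(html_text)
    p.close()
    return p.links


def check_delegation(links):
    """Return a list of problems; an empty list means the delegation is
    complete for every protocol version it advertises."""
    problems = []
    has_v1 = "openid.server" in links or "openid.delegate" in links
    has_v2 = "openid2.provider" in links or "openid2.local_id" in links
    if not (has_v1 or has_v2):
        problems.append("no OpenID delegation links in <head>")
    if "openid.delegate" in links and "openid.server" not in links:
        problems.append("openid.delegate given without openid.server")
    if "openid2.local_id" in links and "openid2.provider" not in links:
        problems.append("openid2.local_id given without openid2.provider")
    for rel in ("openid.server", "openid2.provider"):
        url = links.get(rel)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{rel} endpoint is not https: {url}")
    return problems


# Constructed sample page: the snippet from the post plus the OpenID 2.0
# equivalents; the <link> in <body> must be ignored by discovery.
SAMPLE_HTML = """<html><head>
<title>my site</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://wkossen.myopenid.com">
<link rel="openid2.provider" href="https://www.myopenid.com/server">
<link rel="openid2.local_id" href="http://wkossen.myopenid.com">
</head><body>
<link rel="openid.server" href="http://ignored.example/">
</body></html>"""

if __name__ == "__main__":
    found = discover_delegation(SAMPLE_HTML)
    for rel, href in found.items():
        print(f"{rel:18} -> {href}")
    for line in check_delegation(found) or ["delegation looks complete"]:
        print(line)
```

Run it against the saved HTML of your own front page before you switch providers; the delegate URL is the one that must stay stable, the server URL is the one you change.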

There’s a natural trade-off here. You get to use ONE log-in for MANY sites, but if that breaks, you’re locked out EVERYWHERE. The alternative is remembering all those passwords and user-names on all those sites the way you used to. I’ll opt for the first strategy and try to alleviate the risk as much as possible by adding multiples…

Let me end with stating the obvious here:

  1. If you’re providing essential services people rely on like OpenID, don’t just quit,
  2. If you have to quit, tell the customer well in advance,
  3. Give those people options to move their data (it’s theirs in the first place) -> Dataportability,
  4. Assist them in setting up their OpenID elsewhere and tell them how to move their accounts,
  5. Even better, why not maintain their OpenID URL and let the user delegate it towards another OpenID?

It’s like the company that sells you petrol just quit and you come to the station in the middle of nowhere with your empty tank. What are you going to do, Push????

Your comments as always are very welcome below. Thanks for reading!

2 Oct

AuthentiHow?

   Posted by: wkossen    in Uncategorized

I’m always interested in adding security to information systems. One step in that process is adding authentication. Authentication aims to establish beyond doubt the identity of the one trying to use (or abuse) the system. And that doesn’t stop with the old user-name/password combo. There are many alternative or additional means to do it, but that’s a topic for another post. There are also ways of helping people authenticate themselves more successfully. Without trying to be complete here, I’ll give you an overview of a few of the possibilities for helping you authenticate, even though it’s still single-factor authentication.

Passwords are problematic since our human memory isn’t quite foolproof (how about that for an understatement…). This leads us to choose easy-to-remember, and therefore almost always easy-to-guess, passwords. Difficult passwords are harder to remember, locking the user out rather than letting them in. Two services have created interesting ways to help you pick the right password without making it too easy for someone else to pick your password: MyVidoop and InkBlotPassword. Both will provide you with an OpenID to use on the websites that support that technology.

MyVidoop is still alive. It’s recently been acquired by http://www.confidenttechnologies.com, and hopefully they won’t shut it down, since this service really does a few things very well. Logging in means typing in your user-name and then selecting the pictures of your chosen categories from a grid and entering the characters associated with those categories. An example of such a grid is here:

[image: MyVidoop login grid]

So if your categories are dogs, computers and buildings, you’d enter NJA (in any order you like). Remembering categories is much easier than remembering a password. Even though this password is very short, since it’s different every time, it’s very hard to guess. I think it’s very cool. The technology is called Confident Imageshield(tm). One added bonus of MyVidoop is the way it lets you know what’s happening with your account via e-mail notifications. If someone’s trying to abuse it, you’ll know about it!

InkBlotPassword has a different strategy. The idea here is that people remember best by association, in this case association of words with pictures. They show you a number of inkblot-type pictures during sign-up and ask you to enter the first and last character of the word you associate with each picture. You could choose another mechanism (like the first and third character), just as long as you remember what it is. You can practice this mechanism before fixing it as your password. When logging in, after typing your user-name you are shown your inkblot patterns in random order. You enter the characters (first and last, or whichever way you chose) for each inkblot. It’s indeed not that hard to remember or to ‘re-associate’ the blots with words. Best of all, you can select how many inkblots you want to use, therefore you can set the strength of the password you are using. Pretty nifty. Here too the password is different each time, since the order of the blots changes.

[image: InkBlotPassword inkblot patterns]

Do you know of other means of adding security while helping you authenticate (even though it’s single factor)? Let me know in the comment section.