Where did all of these options come from all of a sudden? Well…
It’s been quite the month for the world of distributed social networking. Both Facebook Connect and Google Friend Connect – two services designed to help users manage a single profile across multiple sites – launched on the same day. Then, MySpace followed in close succession with their MySpaceID offering, another distributed social option built on the Open Stack. In a matter of days, the distributed social space went from nascent to completely confusing.
JanRain is hoping to make it a little less confusing, for both developers and users. And if they have to work with big-time music types—like 50 Cent, Fergie, and Guns n’ Roses—to get that done, so be it.
Portland-based Vidoop has been working on a project they’ve been calling “Identity in the Browser” (IDIB), a means of employing an intelligent browser control that recognizes OpenID-enabled sites and allows users to access those sites without having to jump through the often-confusing hurdles of relying party redirects.
Relying party redirects? Who duh how du wha? If you’ve ever used OpenID, you know that there’s a little dance that takes place: you provide your OpenID, the site then redirects you to your OpenID provider to confirm that you are you, you confirm—maybe view some images along the way, and are transported back to the original site to do whatever it is you came to do.
Vidoop (and a number of others) thought it would be easier to skip all of that and let your browser handle some of the heavy lifting.
The concept was solid. And a prototype Firefox extension had been created. But what Vidoop really needed was one of the popular browsers to step up and promote OpenID to its users.
It’s big news for OpenID and for Vidoop. And a number of people are taking notice:
ReadWriteWeb: Vidoop and MySpace Bring OpenID to Flock
“While OpenID is one of the more interesting online identity concepts, usability issues have clearly hampered its mainstream adoption. Flock, MySpace, and OpenID provider Vidoop have now come together to develop a browser extension for Flock that makes using OpenID a lot easier for Flock users. Besides managing your OpenID credentials, the extension also detects when a site supports OpenID and lets you sign in with the click of a button.”
The Social: MySpace helps develop OpenID extension for Flock
“The OpenID Flock extension allows for easier credential management within the browser and makes it more apparent when a site will accept an OpenID login. A handful of OpenID extensions already exist for the open-source Flock, but this one’s got the seal of approval from some big names.”
O’Reilly Radar: Getting OpenID Into the Browser
“Imagine if your web browser really knew who you were on the web. Just as you login to your computer, what if when you fired up your browser, it said “Hello Dave” and asked you to “unlock it” as well (Chris Messina was quite influential in my thinking about it this way). In doing so you become securely logged into your OpenID provider (or maybe more than one of them) and as you move around the web your browser takes care of automatically logging you into the sites that you want to be, asking you about others, and helping you register with new ones using your OpenID. Argue as much as you want about the details in making this happen, but I think it’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.”
ComputerWorld: MySpace, Flock, Vidoop unveil prototype for storing OpenID credentials
“OpenID for Flock is now available to all users of Flock 2.0 as an alpha extension to the browser. The tool automatically notifies users when they surf to a Web site that supports the OpenID framework. The framework, supported by Microsoft Corp. and Yahoo Inc., allows people to use a single username and password to enter sites that support it.”
CenterNetworks: Flock Partners With MySpace and Vidoop on OpenID Browser
“Just a month after the public launch of the Flock 2.0 browser, Flock has announced the addition of OpenID to the Flock 2.0 browser today. I’ve been saying for a long time that if OpenID wants to succeed, they have to get it into the browser so when you hit a site that offers OpenID login, it could be as close to seamless as possible.”
Mashable: OpenID Management Comes to Flock
“MySpace, Flock and Vidoop have developed OpenID for Flock. I’ll skip the talk about standards which you don’t care about, cut to the chase and tell you what it does.”
Download Squad: MySpace, Flock and Vidoop release OpenID for Flock plugin
“OpenID is a really great concept. The ability to use a single digital identity across the web and avoid having to sign up for yet another user account is a real productivity boon. More and more high profile sites and services are adopting OpenID, but the project still hasn’t gained the traction that many of us think it deserves. This is partially because it still isn’t easy to use OpenID — or even find out if a site supports OpenID — on all services. MySpace, Flock and Vidoop think they’ve come across a solution: let the browser handle it.”
Social Times: MySpace Teams with Flock, Vidoop to Push OpenID
“MySpace announced its support of OpenID earlier this year, with certain hopes for its potential alongside its own Data Availability initiative. Such an integration makes sense, especially in light of Facebook’s ongoing efforts to become the central platform for online social interaction. So how can MySpace hope to stay ahead? Deeper OpenID integration.”
Ars Technica: Flock OpenID support a small step for slow-moving standard
“The potential of a ubiquitous online login is slowly being realized with emerging identity systems like OpenID. With one username to rule them all and broad industry support from companies like Yahoo, Microsoft, Google, and VeriSign, users may finally be able to simplify their online presence and save a few post-it notes—if OpenID can be made simple and easy to manage for the general consumer. Amid a confusing array of options for creating and using OpenIDs, MySpace and Vidoop have partnered with Flock, the social web browser, to create an open source implementation of OpenID in a browser.”
How? By focusing not on those people holding an OpenID, but on those who want to allow people to use that OpenID—but simply can’t figure out how.
With this new software-as-a-service solution (that’s a lot of “s”s, isn’t it?), RPX, JanRain has the makings of a service that allows anyone to drop OpenID support—and OAuth support for that matter—into place on their site. Simply and easily.
With RPX you don’t need to become a security expert, a protocol expert, or play through a number of security and data flow problems. RPX handles all of this for you and delivers a simple payload in either JSON or XML.
Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?
But now, Microsoft has decided to increase the number of accepted OpenID providers by 50%. To three.
So who was the lucky provider who made it through the door? Portland-based JanRain’s myOpenID.
A number of folks—me among them—are surprised it’s taken Microsoft this long to add another provider. And it seems like the list is still missing a few other obvious and highly secure choices.
But myOpenID is a great place to start:
JanRain’s myOpenID service, the first and most popular independent OpenID service on the Internet, provides consumers with a free, fully featured, reliable, and secure solution for managing their personal online identity. Every myOpenID user receives several choices for secure authentication beyond password. These enhanced security options include: Microsoft InfoCard, Client Certificate, or Phone-based two factor authentication.
So where better to launch the latest version of the leading OpenID plugin for WordPress—wp-openid—than Portland?
Will Norris, the lead developer of the wp-openid plugin, happens to be in town this week. And, as such, he has just announced that he will be launching wp-openid 3.0 this Wednesday at Portland Web Innovators “Demolicious!”, the new hip spot to unveil cool new tools here in town.
What does wp-openid do?
This plugin allows verified OpenIDs to be linked to existing user accounts for use as an alternative means of authentication. Additionally, commenters may use their OpenID to assure their identity as the author of the comment and provide a framework for future OpenID-based services (reputation and trust, for example).
So, if you’re a WordPress type who’s been using OpenID or who is interested in deploying OpenID on your blog, make sure to attend Demolicious! on Wednesday night at NEMO Design. Even if you’re just OpenID curious, I’d highly encourage you to attend.
Plus, as always, there will be some other cool stuff being demoed there, as well.
See? Smiling and nodding indeed. But at least it keeps a consistent theme to the week. That theme being “Great panel, but what is Rick doing up there?”
Sound interesting? I hear that there are still a couple of seats left. So if you’d like to attend, swing by the Silicon Forest Forum site to register. And if you’re going to be there, please make sure to grab me and introduce yourself.
Now, Vidoop’s Will Norris and Michael Richardson have helped take the concept of Emailtoid a step further by working on the development of a new spec. It’s a spec that may simplify the issue even further.
Introducing EAUT—pronounced “yute”—a distributed email address to URL translation that allows anyone to take the conversion from email address to OpenID URL and hide it behind the scenes of the transaction. With just a little bit of code.
In basic terms EAUT makes it easy to take an email address and transform it into a URL, making your email work with services like OpenID. The goal with Emailtoid is to demonstrate the technology and provide a fallback solution for a larger, decentralized network based on the EAUT specification.
What’s more, it’s decentralized. Meaning any email address—any email address—now holds the potential to become an OpenID:
EAUT is designed to work in a distributed fashion, so that no one authority controls it. Every email provider can control how email addresses at their domain are resolved into URLs.
So, now that bright and shiny new Emailtoid—instead of leading the charge—becomes the fallback service should this validation fail. According to plan.
Hopefully, the release of the EAUT spec continues to chip away at the barriers that are preventing major providers—providers that serve as relying parties but don’t allow users to log in via OpenID—from moving into the realm of becoming full-fledged OpenID supporters.
And in so doing, here’s hoping that EAUT helps accelerate the adoption of OpenID, a concept that today may only save headaches for a handful of geeks with innumerable logins, but which may one day serve as an open foundation for credentials and security on the open Web of the future.
Combining the power of OpenID with the ease of email addresses. And making it open and distributed.
Interested in placing a penguin on your posterior? Or maybe the Debian swirl? Or the Ubuntu circle thingee? Or maybe—just maybe—putting your OpenID somewhere you’re sure to never, ever forget it?
Well, next week at OSCON here in Portland, you may be able to make that dream come true. Because it seems that the nice—or is that sadistic?—folks at Sourceforge are offering to ink you up with your favorite open source icon—for free.
That’s right. Ten lucky winners will get the opportunity to go under the needle to make their ass officially open source. Well, or their arm or leg or what have you:
We are looking for people that are willing to sign up for a tattoo and show it off at the CCA party later on in the week. Only requirements – participants have to be able to meet with Ross Turk, Sourceforge’s Community Manager, at the beginning of the week to get the gift certificate, they have to sign a couple waivers (one for the tattoo parlor and one for Sourceforge), the tattoo has to be open source themed or techy in nature, and they have to show up at the CCA party Thursday night.
I’m not sure exactly which tattoo studio is going to be doing the work, but given that it’s going to be one near the Jupiter Hotel, I’m going to assume that it’s Colorbomb Tattoo with the drawing honors.
Is your interest piqued? You willing to take the pain all for love of open source? Maybe you should contact Ross at Sourceforge and let him know: rturk at corp.sourceforge.com.
And please, oh please, if you’re crazy enough to do this—and (and!) you happen to get picked—do let me know.
At AOL we had a chance to try out their ‘ImageShield’ technology for the last few months. What we did is basically provide our AOL OpenID users (AOL users using their openid.aol.com/) with a way to secure their accounts by binding an ‘ImageShield’ password, so from next time when they try to log in with their AOL OpenID at a 3rd party Relying Party site, instead of the traditional ‘password’, they can log in securely using the ‘ImageShield’. In that way they can make sure they are always signing in from the secure AOL login page and also make sure they are not giving away their ‘real’ password to any possible attackers. This has been deployed on our closed beta environment as a trial run to see how our beta OpenID users would feel about the overall user experience and of course the security of their accounts.
I hear you. “So what?” Well, the “so what” is this…
For OpenID logins, Vidoop’s ImageShield technology has generally been available to users of myVidoop. And that’s been about it.
And as much as I respect the Vidoop team and their accomplishments, I feel pretty safe saying that the myVidoop user base is slightly less than the AOL user base. Just a smidge.
But now? Now there is no difference.
Now, the Vidoop ImageShield user base is the AOL user base. Because Vidoop ImageShield is accessible to more than 100 million AOL users.
And, if I had to guess, I would say that that potential—the potential to have more than 100 million people using Vidoop technology to log in to OpenID-enabled sites—would make Vidoop ImageShield about the widest deployment of OpenID-based authentication technology on the market.
And that, my friend, is a big win for Vidoop. And for OpenID.
Look. You’re in Portland. Arguably the de facto hub of OpenID. So it happens. The OpenID soapbox is literally right here. I can jump on it at practically any time.
So yes, I’m talking about OpenID, again.
But this time, I think even the staunchest critics will find the discussion interesting. Because it solves a very common complaint.
You see, once you get past initial objections surrounding OpenID and the “we should push the value, not the technology” discussion—once you get into actually trying to convince people to use OpenID as a form of credential for online services—one criticism tends to pop up time and time again…
Why is OpenID a url? Why can’t OpenID be an email address?
Why does this complaint come up so much? Because email passes the “mom ‘n’ pop” test. As in mom ‘n’ pop are growing increasingly comfortable with the idea of having an email address. They “get it.” And they’re far more comfortable managing that type of address than they are managing a url.
Long story short, email seems easier to grasp.
And we’ve been so conditioned to plug an email address into the “username” box, that it’s almost becoming second nature.
The concept is simple. And congruent with current OpenID logins.
One box. One credential to enter. The basic difference being that you’re using an email address instead of a URL.
So how do you validate that you are who you say you are? Well, there are a couple of ways.
If you don’t have, or don’t know that you already have, an OpenID, you can just use your email address and Email to ID will create an OpenID association for you.
The first time you sign into a new site, Email to ID will send a validation code to that email account. (Much in the same way CAN-SPAM encourages people to confirm their membership on email lists.) Using the code, you can validate that the email address is, in fact, yours and that you are who you say you are.
If you’re already a typical OpenID user, you can associate your existing OpenID(s) and relying parties with an email address. This allows you to use the inherent security features of your relying party instead of having to check your inbox every time you want to log into a new site.
Technically, what’s Email to ID doing?
Okay. I can see you geekily salivating over there. But I’m not going to try to explain it. Instead, I’ll let the people doing the work explain that:
Emailtoid is simply a mapping service – we take a GET request to our mapper (e.g., http://firstname.lastname@example.org) and return an HTTP redirect (a 302) to an OpenID. If the email address is not in our system, we create an OpenID account for the user on the fly. The user logs into the OpenID account by verifying his or her email address through a one time URL or confirmation code sent to that email address. The RP (relying party, the site that originally sent the request) then has the user returned to it.
Get it? Good. Explain it to me sometime.
All I care about is that it works. And it does. Quite gracefully. And that is technology as it should be.
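The mapping step quoted above, seen from the relying party's side, as an added example that is not Emailtoid's code or part of the original post: the mapper endpoint `mapper.example` and all function names are hypothetical. Because the relying party goes on to fetch whatever URL the 302 names, the code treats the `Location` value as untrusted input before using it as an OpenID.

```python
import ipaddress
from urllib.parse import quote, urlsplit

# Hypothetical mapper endpoint: the page does not give the real Emailtoid URL.
MAPPER = "https://mapper.example/map?email="

def mapper_request_url(email):
    """Build the GET URL a relying party would send to the mapper."""
    email = email.strip()
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain) or any(c.isspace() for c in email):
        raise ValueError("not an email address")
    # Percent-encode everything so the address cannot alter the query string.
    return MAPPER + quote(f"{local}@{domain.lower()}", safe="")

def openid_from_redirect(status, headers):
    """Return the OpenID URL named by the mapper's 302, or raise ValueError."""
    if status != 302:
        raise ValueError(f"expected a 302 redirect, got {status}")
    # Header names are case-insensitive.
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("redirect target is not an absolute http(s) URL")
    if parts.username or parts.password:
        raise ValueError("redirect target carries userinfo")
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("redirect target is a local name")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None and not addr.is_global:
        raise ValueError("redirect target is an internal address")
    return location

# Constructed mapper responses (status, headers), not captured traffic.
SAMPLES = [
    (302, {"Location": "https://alice.openid.example/"}),
    (200, {}),
    (302, {"Location": "ftp://files.example/alice"}),
    (302, {"Location": "http://127.0.0.1:8080/admin"}),
    (302, {"location": "https://idp.example@internal.example/"}),
]

def classify(samples=SAMPLES):
    """Label each sample response as accepted (with URL) or rejected (with reason)."""
    out = []
    for status, headers in samples:
        try:
            out.append(("accept", openid_from_redirect(status, headers)))
        except ValueError as exc:
            out.append(("reject", str(exc)))
    return out
```

A DNS name that resolves to an internal address passes this check, so the discovery fetch that follows still needs its own resolution-time filtering.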
So is OpenID “mainstream” now?
I don’t know that making OpenID mainstream should even be a goal. But I do know that making services and technologies more useful to the general populace should.
“Basically, OpenID is great, it’s a wonderful technology, but it can be a bit confusing to the end users,” said Richardson, lead developer for Email to ID. “Users are already trained to use email as an identifier, so this bridges the gap between email and OpenID.
“Ideally, this service will go away as all top level domains will implement their own mapping. But until that time, we provide a way for sites to have people use OpenID through their email address. The barrier of entry into OpenID is significantly lower.”
Conceptually, this service marks a huge step forward for “bending the OpenID technology to the needs of the common user.” And as such, it could definitely be one avenue for introducing a new way of logging-in to a wider group of people.
But, whether the term or concept “OpenID” needs to travel along with that form of credentialing is still a matter of debate.
To paraphrase something that Kveton, who in addition to efforts at Vidoop happens to be chair of the OpenID Foundation, often says, “My mom doesn’t say she’s going to go establish an SMTP connection. She says she’s going to go check her email.” Or to put it another way, “Sell the sizzle, not the steak—or Gardenburger, as the case may be.”
Make no mistake, this is progress for OpenID and its potential. And progress very much in the right direction for a very fledgling technology with a number of benefits.
I, for one, feel that—with Email to ID—one of the major gripes against OpenID is now a thing of the past.
And that means, it’s time to attack the next one. What’s next?