How? By focusing not on those people holding an OpenID, but on those who want to allow people to use that OpenID—but simply can’t figure out how.
With this new software-as-a-service solution (that’s a lot of “s”s, isn’t it?), RPX, JanRain has the makings of a service that allows anyone to drop OpenID support—and OAuth support for that matter—into place on their site. Simply and easily.
With RPX you don’t need to become a security expert, a protocol expert, or play through a number of security and data flow problems. RPX handles all of this for you and delivers a simple payload in either JSON or XML.
Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?
But now, Microsoft has decided to increase the number of relying parties by 50%. To three.
So who was the lucky relying party who made it through the door? Portland-based JanRain’s myOpenID.
A number of folks—me among them—are surprised it’s taken Microsoft this long to add another relying party. And it seems like the list is still missing a few other obvious and highly secure choices.
But myOpenID is a great place to start:
JanRain’s myOpenID service, the first and most popular independent OpenID service on the Internet, provides consumers with a free, fully featured, reliable, and secure solution for managing their personal online identity. Every myOpenID user receives several choices for secure authentication beyond password. These enhanced security options include: Microsoft InfoCard, Client Certificate, or Phone-based two factor authentication.
So where better to launch the latest version of the leading OpenID plugin for WordPress—wp-openid—than Portland?
Will Norris, the lead developer of the wp-openid plugin, happens to be in town this week. And, as such, he has just announced that he will be launching wp-openid 3.0 this Wednesday at Portland Web Innovators “Demolicious!”, the new hip spot to unveil cool new tools here in town.
What does wp-openid do?
This plugin allows verified OpenIDs to be linked to existing user accounts for use as an alternative means of authentication. Additionally, commenters may use their OpenID to assure their identity as the author of the comment and provide a framework for future OpenID-based services (reputation and trust, for example).
So, if you’re a WordPress type who’s been using OpenID or who is interested in deploying OpenID on your blog, make sure to attend Demolicious! on Wednesday night at NEMO Design. Even if you’re just OpenID curious, I’d highly encourage you to attend.
Plus, as always, there will be some other cool stuff being demoed there, as well.
Now, Vidoop’s Will Norris and Michael Richardson have helped take the concept of Emailtoid a step further by working on the development of a new spec. It’s a spec that may simplify the issue even further.
Introducing EAUT—pronounced “yute”—a distributed email address to URL translation that allows anyone to take the conversion from email address to OpenID URL and hide it behind the scenes of the transaction. With just a little bit of code.
In basic terms EAUT makes it easy to take an email address and transform it into a URL, making your email work with services like OpenID. The goal with Emailtoid is to demonstrate the technology and provide a fallback solution for a larger, decentralized network based on the EAUT specification.
What’s more, it’s decentralized. Meaning any email address—any email address—now holds the potential to become an OpenID:
EAUT is designed to work in a distributed fashion, so that no one authority controls it. Every email provider can control how email addresses at their domain are resolved into URLs.
So, now that bright and shiny new Emailtoid—instead of leading the charge—becomes the fallback service should this validation fail. According to plan.
Hopefully, the release of the EAUT spec continues to chip away at the barriers that are preventing major providers—providers that serve as relying parties but don’t allow users to log in via OpenID—from moving into the realm of becoming full-fledged OpenID supporters.
And in so doing, here’s hoping that EAUT helps accelerate the adoption of OpenID, a concept that today may only save headaches for a handful of geeks with innumerable logins, but which may one day serve as an open foundation for credentials and security on the open Web of the future.
Combining the power of OpenID with the ease of email addresses. And making it open and distributed.
Interested in placing a penguin on your posterior? Or maybe the Debian swirl? Or the Ubuntu circle thingee? Or maybe—just maybe—putting your OpenID somewhere you’re sure to never, ever forget it?
Well, next week at OSCON here in Portland, you may be able to make that dream come true. Because it seems that the nice—or is that sadistic?—folks at Sourceforge are offering to ink you up with your favorite open source icon—for free.
That’s right. Ten lucky winners will get the opportunity to go under the needle to make their ass officially open source. Well, or their arm or leg or what have you:
We are looking for people that are willing to sign up for a tattoo and show it off at the CCA party later on in the week. Only requirements – participants have to be able to meet with Ross Turk, Sourceforge’s Community Manager, at the beginning of the week to get the gift certificate, they have to sign a couple waivers (one for the tattoo parlor and one for Sourceforge), the tattoo has to be open source themed or techy in nature, and they have to show up at the CCA party Thursday night.
I’m not sure exactly which tattoo studio is going to be doing the work, but given that it’s going to be one near the Jupiter Hotel, I’m going to assume that it’s Colorbomb Tattoo with the drawing honors.
Is your interest piqued? You willing to take the pain all for love of open source? Maybe you should contact Ross at Sourceforge and let him know: rturk at corp.sourceforge.com.
And please, oh please, if you’re crazy enough to do this—and (and!) you happen to get picked—do let me know.
At AOL we have had a chance to try out their ‘ImageShield’ technology over the last few months. What we did is basically provide our AOL OpenID users (AOL users using their openid.aol.com/) with a way to secure their accounts by binding an ‘ImageShield’ password, so the next time they try to log in with their AOL OpenID at a 3rd party Relying Party site, instead of the traditional ‘password’, they can log in securely using the ‘ImageShield’. In that way they can make sure they are always signing in from the secure AOL login page and also make sure they are not giving away their ‘real’ password to any possible attackers. This has been deployed on our closed beta environment as a trial run to see how our beta OpenID users would feel about the overall user experience and of course the security of their accounts.
I hear you. “So what?” Well, the “so what” is this…
For OpenID logins, Vidoop’s ImageShield technology has generally been available to users of myVidoop. And that’s been about it.
And as much as I respect the Vidoop team and their accomplishments, I feel pretty safe saying that the myVidoop user base is slightly less than the AOL user base. Just a smidge.
But now? Now there is no difference.
Now, the Vidoop ImageShield user base is the AOL user base. Because Vidoop ImageShield is accessible to more than 100 million AOL users.
And, if I had to guess, I would say that that potential—the potential to have more than 100 million people using Vidoop technology to log in to OpenID-enabled sites—would make Vidoop ImageShield about the widest deployment of OpenID-based authentication technology on the market.
And that, my friend, is a big win for Vidoop. And for OpenID.
Look. You’re in Portland. Arguably the de facto hub of OpenID. So it happens. The OpenID soapbox is literally right here. I can jump on it at practically any time.
So yes, I’m talking about OpenID, again.
But this time, I think even the staunchest critics will find the discussion interesting. Because it solves a very common complaint.
You see, once you get past initial objections surrounding OpenID and the “we should push the value, not the technology” discussion—once you get into actually trying to convince people to use OpenID as a form of credential for online services—one criticism tends to pop up time and time again…
Why is OpenID a url? Why can’t OpenID be an email address?
Why does this complaint come up so much? Because email passes the “mom ‘n’ pop” test. As in mom ‘n’ pop are growing increasingly comfortable with the idea of having an email address. They “get it.” And they’re far more comfortable managing that type of address than they are managing a url.
Long story short, email seems easier to grasp.
And we’ve been so conditioned to plug an email address into the “username” box, that it’s almost becoming second nature.
The concept is simple. And congruent with current OpenID logins.
One box. One credential to enter. The basic difference being that you’re using an email address instead of a url.
So how do you validate that you are who you say you are? Well, there are a couple of ways.
If you don’t know that you already have an OpenID, you can just use your email address and Email to ID will create an OpenID association for you.
The first time you sign into a new site, Email to ID will send a validation code to that email account. (Much in the same way CAN-SPAM encourages people to confirm their membership on email lists.) Using the code, you can validate that the email address is, in fact, yours and that you are who you say you are.
If you’re already a typical OpenID user, you can associate your existing OpenID(s) and relying parties with an email address. This allows you to use the inherent security features of your relying party instead of having to check your inbox every time you want to log into a new site.
Technically, what’s Email to ID doing?
Okay. I can see you geekily salivating over there. But I’m not going to try to explain it. Instead, I’ll let the people doing the work explain that:
Emailtoid is simply a mapping service – we take a GET request to our mapper (e.g., http://firstname.lastname@example.org) and return an HTTP redirect (a 302) to an OpenID. If the email address is not in our system, we create an OpenID account for the user on the fly. The user logs into the OpenID account by verifying his or her email address through a one time URL or confirmation code sent to that email address. The RP (relying party, the site that originally sent the request) then has the user returned to it.
Get it? Good. Explain it to me sometime.
All I care about is that it works. And it does. Quite gracefully. And that is technology as it should be.
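The mapper exchange quoted above, seen from the relying party's side, as an added example that is not Emailtoid's code or part of the original post. It sends one GET, refuses to follow the redirect blindly, and vets the `Location` target before OpenID discovery would start; the `mapper.example` endpoint, the function names and the mapper responses are assumptions constructed for illustration.

```python
import http.client
import ipaddress
import re
from urllib.parse import quote, unquote, urlsplit

# Assumption: hypothetical mapper endpoint, not Emailtoid's real URL.
MAPPER = "https://mapper.example/map?email="
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


class MappingError(Exception):
    """The mapper's answer cannot be used as an OpenID identifier."""


def http_get_no_redirect(url):
    """One GET; http.client never follows redirects. Returns (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.netloc, timeout=5)
    try:
        conn.request("GET", parts.path + "?" + parts.query)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_openid_url(location):
    """Vet the redirect target before the RP runs OpenID discovery against it."""
    parts = urlsplit(location or "")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise MappingError("Location is not an absolute http(s) URL")
    if parts.username or parts.password:
        raise MappingError("userinfo in identifier URL")
    try:
        ipaddress.ip_address(parts.hostname)
    except ValueError:
        pass  # a DNS name, as expected
    else:
        raise MappingError("IP-literal host: RP would fetch an address the mapper chose")
    if parts.hostname == "localhost" or parts.hostname.endswith(".localhost"):
        raise MappingError("loopback host")
    return location


def email_to_openid(email, fetch=http_get_no_redirect):
    """Email address -> OpenID URL via the mapper's 302, or MappingError."""
    email = email.strip()
    if not EMAIL_RE.match(email):
        raise MappingError("not an email address")
    local, domain = email.rsplit("@", 1)
    status, location = fetch(MAPPER + quote(local + "@" + domain.lower(), safe="@"))
    if status != 302:
        raise MappingError("expected 302 from mapper, got %d" % status)
    return check_openid_url(location)


def constructed_mapper(url):
    """Constructed stand-in for the mapper, including two unusable answers."""
    table = {"alice@example.org": (302, "https://alice.openid.example/"),
             "bob@example.org": (302, "http://127.0.0.1:8080/id"),
             "carol@example.org": (200, None)}
    return table[unquote(url.split("email=", 1)[1])]
```

Passing `fetch=constructed_mapper` runs the whole flow offline; the default transport performs the real HTTPS request.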
So is OpenID “mainstream” now?
I don’t know that making OpenID mainstream should even be a goal. But I do know that making services and technologies more useful to the general populace should.
“Basically, OpenID is great, it’s a wonderful technology, but it can be a bit confusing to the end users,” said Richardson, lead developer for Email to ID. “Users are already trained to use email as an identifier, so this bridges the gap between email and OpenID.
“Ideally, this service will go away as all top level domains will implement their own mapping. But until that time, we provide a way for sites to have people use OpenID through their email address. The barrier of entry into OpenID is significantly lower.”
Conceptually, this service marks a huge step forward for “bending the OpenID technology to the needs of the common user.” And as such, it could definitely be one avenue for introducing a new way of logging-in to a wider group of people.
But, whether the term or concept “OpenID” needs to travel along with that form of credentialing is still a matter of debate.
To paraphrase something that Kveton, who in addition to efforts at Vidoop happens to be chair of the OpenID Foundation, often says, “My mom doesn’t say she’s going to go establish an SMTP connection. She says she’s going to go check her email.” Or to put it another way, “Sell the sizzle, not the steak—or Gardenburger, as the case may be.”
Make no mistake, this is progress for OpenID and its potential. And progress very much in the right direction for a very fledgling technology with a number of benefits.
I, for one, feel that—with Email to ID—one of the major gripes against OpenID is now a thing of the past.
And that means, it’s time to attack the next one. What’s next?
Portland-based JanRain, arguably the leading developer for OpenID solutions, is on a roll. It seems like they just released ID Selector, and now they’ve come forward with another OpenID solution: CallVerifID.
CallVerifID allows OpenID users who log in with an *.myopenid.com identity to take an extra security precaution with their login: getting a phone call.
And here’s the best part: it’s on any phone. Well, okay, any phone with buttons.
Instantly receive a call when signing into myOpenID. Simply answer and press # to authenticate. No certificates or text messages. Use any phone.
My point was: it’s not SMS messaging. It’s an actual phone call.
I even tried it with Skype and it worked flawlessly.
Since I’m always one to try to shoehorn an analogy into any situation, I’d say that CallVerifID is akin to your credit card company calling you when a strange charge request is made. It’s simply an added precaution to ensure that your credentials are being used by you, and only you.
So, why the added precaution? Do I really want to get called every time I post a blog comment?
No, of course not. But as OpenID begins to take hold, and more and more personal and business applications become available, this type of multi-factor authentication is going to become necessary. Because, at some point, there’s going to be some fairly sensitive information and access rights tied to that OpenID. Banking, travel, and shopping just to name a few.
JanRain’s solution is quite simple and elegant. And it’s easy to adopt, no matter what your technical expertise. I, for one, think this is a step in the right direction.
Last week, after reading Aaron Hockley’s call to implement OpenID, it got me to thinking: How many sites in Portland—arguably the de facto leader in OpenID development—and the Silicon Forest have actually implemented OpenID?
Well, thanks to Kevin Fox at Vidoop/ConfIdent and a number of other folks chiming in, we were able to gather the following list of 30+ velvet ropes behind which your OpenID will let you.
(NOTE: The list is by no means exhaustive. So if your site is missing, please comment, and I’ll add it.)
“We connect businesses and websites with each other and their customers using a wiki-based resource of millions of editable pages of information.”
“Find a green place to live or work. Discover green buildings in your neighborhood. Get recognized for your sustainability efforts.”
“ICANNWiki is a wiki whose goal is to create a free, valuable and ‘community’ neutral, global Internet resource containing information for all aspects of the ICANN ‘community.’”
“Claim anything! Yes, anything. If you have something to say, then make a claim and let the community vote on it. Make claims about yourself, friends, and family. Put your stake in the ground and see where the votes go.”
“It’s your career. You need to take responsibility for it. That’s why we built Kumquat. To help make it easier to get the feedback you deserve. Whenever and however often you want it.”
“Pibb combines the best features of instant messenger, chat, email, and bulletin boards.”
Portland Small Business
“PortlandSmallBusiness.com is a collaborative website, where members of the Portland small business community can go for peer advice and networking.”
Portland Web Innovators
“Portland Web Innovators is a technology-agnostic group where you can meet like-minded web people without the excuse of a networking-only event.”
“WTF is Treasurelicious? It’s a widget to show off what you treasure.”
“Using Twitter followers, Tweetpeek is designed to help anyone build a pulse-of-anything widget in a few easy steps.”
“So what is twurl designed to do? Well, at the very most basic level, twurl is a URL shortener that allows you to track clicks.”
“Velog is a simple place to log your bicycle rides and connect with others in the cycling community.”
Bonus: Any Marshall Kirkpatrick post on ReadWriteWeb (You can actually use it for any comment, but I had to find a Silicon Forest hook.)
Need an OpenID?
If you haven’t had a chance to use your OpenID (it’s highly likely that you already have one) or aren’t quite sure how to get started, you might want to visit Portland’s own myVidoop or MyOpenID to get going. A few short steps and you’ll have access to all of the sites above.
I’m going to take a bit of a stand. Effective immediately, I will no longer comment on tech blogs that don’t support OpenID for comment authentication.
And I, for one, really respect his taking this stance. I think it’s these small, self-admittedly “mostly insignificant” kinds of actions that make things happen. The journey of 1000 miles and whatnot.
Aaron makes a strong argument for every blog pursuing its own OpenID login for comments:
OpenID is a win-win for blog comments. It’s a win for the comment author, since it means less info to type. It’s a win for the blog owner, since it means the comments have a “real” identity behind them.
I mean, if you really want to be part of the conversation, shouldn’t you make it as easy as possible for others to join in the conversation?
Of course you should. And OpenID can help you do that.
And you—as a Portlander or Silicon Forester—should be more than embracing OpenID. You should be singing its praises from the rooftops, if only to support great companies like Vidoop, ConfIdent, and JanRain who are at the forefront of OpenID development.
And OpenID has more than a fighting chance. But it still needs the support of each and every one of us.
But what if it’s a technical issue that’s preventing your adoption? (Like me, for instance. I wrangled my OpenID WordPress implementation for hours before Chris O’Rourke was able to pinpoint the issue and help me resolve the problem.)
Well, you don’t have that excuse anymore. Because Aaron has offered to help:
And I’ll put my time where my mouth is: I’ll help you. If you follow those links above, and can’t figure it out, or you try it and it doesn’t work. I’ll help. Send me an e-mail. I want you to have OpenID.
I’m looking forward to using my OpenID to comment on your blog the next time I swing by.
So where’s that benefit for you? Right here, tiger.
In fact, how about this? Let’s round up a list of all the Silicon Forest based blogs and services that support OpenID.
If you’re one of them, use your OpenID to comment below.
I’ll work on gathering a comprehensive list for posting. And then we’ll work on promoting your blog or service for being one of the ones who’s supporting OpenID.
Just as a way—albeit minor—of saying “Thank you for using OpenID.”