EIC2010: Improving the Security and Usability of OpenID

Speaker: Ariel Gordon

  • 1 Billion registered OpenID accounts
  • 9 million websites utilizing OpenID
  • US Gov and Facebook major adoption drivers

Needed Improvements

OpenID does not yet adequately address several key problems, thus preventing widespread adoption

Simplicity and consistency of a common OpenID solution still evades us

  • Every OpenID logon popup is different
  • URLs are confusing to users
  • Poor guidance and docs for the protocol. No relying party to hold up as a best practice for others to emulate
  • JanRain’s RPX service has custom code for every major OP because the services that they provide are inconsistent and not discoverable.

Not an end to end solution

  • Poor mobile phone support… 70% of the Japanese market
  • During a customer support call, how can the user identify themselves?

“NASCAR” user experience

Clicking on logos is better than typing URLs… but has led to convoluted user interfaces.

RP needs to guess what identities you might have… which only works for large OPs. You’d better be on that list! Small providers have no chance.

Poor experience when using the vast majority of OPs, and even worse for smaller ones, e.g. MyCompany.com

Security Issues of current version of OpenID

Shows the fun communications OpenID theft demo, which works via a proxy.

This even works for sites with security seals and OTP-based auth.

That’s a serious problem.

The main problem is the redirection taking place.

Summary of Usability and Security issues

Basic OpenID UX requires remembering URLs

NASCAR experience easier but only for big OPs, doesn’t scale

Phishing easy to do.

An Active Client for OpenID

  • A collaborative effort between MS, Plaxo, Facebook, Google, Yahoo, Deutsche Telekom, JanRain, Azigo
  • An incubation effort for the past year
  • Assists the user with his logon experience to make OpenID more usable and safer
  • Allows me to bring the identities I actually have to the site
  • Remembers my identities
  • Supervises identity interactions for me
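
As an added example (not part of the talk or of these notes) of the kind of supervision the active client is described as doing, and of why the redirection is the crux of the proxy demo above: a small Python model of a client that remembers the user's identities and the OP endpoint discovered for each, and only lets the browser follow an OpenID 2.0 checkid_setup redirect that goes to that remembered endpoint. The identity, hosts and redirect URLs are constructed; the decision logic is an assumption about what such a client would do, not the real selector's code.

```python
from urllib.parse import urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed: identities this user has remembered in the client, each mapped
# to the OP endpoint discovered for it (what the selector would have on file).
REMEMBERED_IDENTITIES = {
    "https://alice.example.net/": "https://op.example.net/server",
}

# Constructed sample redirects an RP might send the browser to (hypothetical
# hosts): one to the remembered OP, one to a look-alike host that is not it.
GENUINE_REDIRECT = (
    "https://op.example.net/server"
    "?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.claimed_id=https%3A%2F%2Falice.example.net%2F"
    "&openid.identity=https%3A%2F%2Falice.example.net%2F"
    "&openid.return_to=https%3A%2F%2Frp.example.org%2Ffinish"
    "&openid.realm=https%3A%2F%2Frp.example.org%2F"
)
LOOKALIKE_REDIRECT = GENUINE_REDIRECT.replace(
    "https://op.example.net/server", "https://op-example.example.org/server"
)

def parse_checkid_redirect(url):
    """Split a checkid_setup/checkid_immediate URL into (endpoint, params)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if params.get("openid.ns") != OPENID2_NS:
        raise ValueError("not an OpenID 2.0 request")
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        raise ValueError("not an OpenID authentication request")
    return f"{parts.scheme}://{parts.netloc}{parts.path}", params

def supervise(url, remembered=REMEMBERED_IDENTITIES):
    """Return (verdict, reason) for an RP redirect the browser is about to follow.

    Allowed only if the claimed identity is remembered and the target is exactly
    the https OP endpoint on file for it; unknown identities are left to the user.
    """
    endpoint, params = parse_checkid_redirect(url)
    claimed = params.get("openid.claimed_id")
    known = remembered.get(claimed)
    if known is None:
        return "prompt", f"identity {claimed!r} is not one this client remembers"
    if urlsplit(endpoint).scheme != "https":
        return "block", "OP endpoint is not https"
    if endpoint != known:
        return "block", f"{claimed} is served by {known}, not {endpoint}"
    return "allow", "redirect goes to the remembered OP endpoint"
```

A client without this memory has nothing to compare the redirect target against, which is the gap the proxy-based demo exploits.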

Shows an example of the active client at Plaxo (add ?test.selector=1)

The active client is an optional part of the experience! If you don’t have an Active Client installed then the normal OpenID flow will be used.

They are using a CardSpace-based client to be that active client. For Information Cards you need cards, though.

When I click on the OpenID login, a selector will popup and ask me to choose an account from the list of all of my accounts (OpenIDs).

If you go there a second time, then the selector has this prefilled.
