OpenID intro @ Barcamp Brussels 3

Post on 28-Jan-2015

DESCRIPTION

I gave a talk about OpenID at Barcamp Brussels 3, May 2007

TRANSCRIPT

OpenID Intro: “Identity 2.0 - Forget your passwords”

~/ $ who am i

• Frank Louwers - frank@openminds.be

• Partner in Openminds & Metatale

• http://frank.be

• Openminds offers high-quality, high-performance Internet solutions

• Openminds launched the first Belgian OpenID identity server

Quick Poll?

• Who uses same username / password for every new account?

• Who loses usernames / passwords for some sites?

• Who has a blog?

• Who has OpenID? (Wordpress.com, AOL, Typepad, Yahoo!, ...)

Passwords, usernames, and amnesia

Morning workflow

• Read Mail (needs login)

• Read RSS feeds (needs login)

• Use company Intranet / wiki (needs login)

• Write blogpost (needs login)

• Comment on other blogs / wiki (needs login)

Even worse ...

http://www.monuments.nu/monuments/2007/05/pure_annoyance.html

Our best friend ...

Not only do we need to remember the password

We also need to remember the (random) username!

Solutions

Lazy solution

• Same password everywhere

• Not safe

• One site compromised, all sites compromised

• When your mail-address changes, accounts lost?

Solution: Single Sign On

• Previous attempts: Microsoft Passport.net

• Centralised (not everyone trusts MS)

• Expensive to integrate

• Not extendable

OpenID: KISS

• De-centralised

• Open Standards based

• easy, lightweight protocol

• providing Single Sign On

• Based on proven standards (DNS and URLs)

• A blog identifies a person

De-centralised

• You choose one of the many OpenID i-providers (http://openid.openminds.be)

• You choose who you trust and why

• Even set up your own OpenID server if you want

• It’s the only place where your credentials are stored

A life without passwords

What does it look like?

Login to OpenID sites

• Enter your OpenID identifier URL as “username”

• Site contacts your OpenID Server (based on URL)

• OpenID Server checks if you are logged in

• OpenID Server passes token to site

Only the first time I log in to an OpenID site that day. Next time, only a confirmation is needed.

What data should be transferred to the site?

Wikitravel doesn’t have a local account for this OpenID. It suggests that I create one. This happens only the first time. It binds my OpenID (openid.openminds.be/frank) to this new account.
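The login steps above, as an added example that is not part of the original slides: the site's redirect, the server's signed "token", and the checks the site runs before trusting it. Field names and the HMAC-SHA1 signature follow OpenID 1.1, which the slides do not spell out; the shared key, association handle and all URLs in it are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

MAC_KEY = b"constructed-shared-secret"  # agreed beforehand between site and server
HANDLE = "assoc-1"                      # constructed association handle


def _sign(fields, signed):
    # OpenID 1.1 signs "key:value\n" lines for the fields named in openid.signed
    text = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed)
    mac = hmac.new(MAC_KEY, text.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def login_redirect(server, identity, return_to):
    """The site sends the browser to the user's OpenID server."""
    q = {"openid.mode": "checkid_setup", "openid.identity": identity,
         "openid.return_to": return_to, "openid.assoc_handle": HANDLE}
    return server + "?" + urlencode(q)


def server_response(request_url):
    """Server side, user already logged in: sign an assertion (the "token")."""
    req = dict(parse_qsl(urlsplit(request_url).query))
    resp = {"openid.mode": "id_res", "openid.identity": req["openid.identity"],
            "openid.return_to": req["openid.return_to"],
            "openid.assoc_handle": HANDLE,
            "openid.signed": "mode,identity,return_to"}
    resp["openid.sig"] = _sign(resp, resp["openid.signed"].split(","))
    return req["openid.return_to"] + "?" + urlencode(resp)


def verify(callback_url, expected_identity, expected_return_to):
    """Back on the site: accept the token only if every check passes."""
    p = dict(parse_qsl(urlsplit(callback_url).query))
    signed = p.get("openid.signed", "").split(",")
    if p.get("openid.mode") != "id_res" or p.get("openid.assoc_handle") != HANDLE:
        return False
    if not {"identity", "return_to"} <= set(signed):
        return False  # an unsigned field could be altered in transit
    if any("openid." + k not in p for k in signed):
        return False
    sig = p.get("openid.sig", "").encode("utf-8")
    if not hmac.compare_digest(_sign(p, signed).encode("ascii"), sig):
        return False
    return (p["openid.identity"] == expected_identity
            and p["openid.return_to"] == expected_return_to)
```
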

Blog URL as OpenID

• My OpenID: openid.openminds.be/frank

• My blog: frank.be

• Solution? Simple HTML tags!

Add HTML header tags

No other plugins or code needed on your blog!

Who is using it?

Who’s in the game?

Plugins available for:

• Blog software (Wordpress, MT, Mephisto, ...)

• Wiki software (MediaWiki, DokuWiki, ...)

• Almost all Web frameworks (Drupal, Ruby on Rails, Joomla, Django, ...)

Add OpenID to your project

• Lower barrier (users don’t need to create an account) eg: http://iusethis.com

• Simplifies account setup

• Specific hacks

• AIM integration

• Company Intranets or wikis and Company OpenID

Problems?

• Google isn’t in, and won’t be in soon

• Login is slower (browser redirects ...)

• Vulnerable to Phishing

• risk actually less than with username / password logins

• can be fixed with plugins (and FF3)

Future versions

• Exchange of more attributes

• Gravatars?

• Address (eg for shipping)

• Language / timezone settings

• Verified email address or not

• Security enhancements

Cool sites using OpenID

• http://iusethis.com

• http://jyte.com

• http://shopify.com

• http://heardontv.com

Links

• http://openid.openminds.be (still beta)

• http://myopenid.com

• http://openid.net

• http://janrain.com/openid

• http://openiddirectory.com

Q & A

Frank Louwers - frank@openminds.be

• Do you use OpenID?

• Do you consider it?

• Why (not)?
