Simon Willison's Weblog: identity

RasterWeb: Lanyrd

2010-08-31T20:49:00+00:00

Pete Prodoehl calls me out on Lanyrd’s integration with the Twitter auth API at the expense of OpenID. I’ve posted a comment with my justification—essentially, tying to Twitter’s ecosystem means I can actually implement the features I’ve been talking about building on top of OpenID for years, with far less engineering effort.

Tags: identity, oauth, openid, twitter, recovered, pete-prodoehl

Fixing the Google Account problem

2010-01-25T11:21:34+00:00

Fixing the Google Account problem

3,000+ words explaining how to open a Google Doc invitation sent to an e-mail address that isn’t associated with your Google account. Worth reading just to get an idea for the enormous complexity involved in running a large scale identity system and designing an interface for managing aliases and multiple profiles. Google haven’t got it right yet—has anyone else?

Tags: accounts, drummondreed, gmail, google, identity, usability

OpenID: Now more powerful and easier to use!

2009-09-25T21:08:21+00:00

OpenID: Now more powerful and easier to use!

The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age.

Tags: google, hybrid, identity, myspace, oauth, openid, yahoo

"Recover my account" link on the login page

2009-02-16T22:22:27+00:00

"Recover my account" link on the login page

For the record, collecting and verifying e-mail addresses is a VERY good idea, even (especially?) if you accept OpenID. A verified e-mail address is still absolutely the best way to deal with lost passwords or “my OpenID isn’t working”.

Tags: accounts, email, identity, openid

FluidDB domain names available early (and free) for Twitter users

2009-01-24T23:44:46+00:00

FluidDB domain names available early (and free) for Twitter users

It’s interesting how Twitter has revitalised the concept of usernames as first class identifiers. FluidDB hasn’t even launched yet, but it’s allowing people to reserve their Twitter username within the FluidDB system just by following @fluidDB.

Tags: fluiddb, identity, terry-jones, twitter, usernames

Getting OpenID Into the Browser

2008-12-03T10:00:24+00:00

Getting OpenID Into the Browser

David Recordon makes the case for online identity management as a key browser feature (I like the “your browser is currently locked” concept), and argues that Gears is in a great position to deliver it.

Tags: browsers, david-recordon, gears, identity, openid

Figuring out OpenSocial

2007-11-02T10:29:25+00:00

So it's out, and lots of people are talking about it, but I'm still trying to work out exactly what it is. There seem to be two parts to it: a standardised set of GData APIs for accessing lists of friends and their activities (like the Facebook news feed) and a bunch of JavaScript APIs for enabling developers to write hostable widgets and "container sites" to embed those widgets.

Unfortunately the official documentation confuses things horribly by referring to Google Gadgets in various places. From that my guess is that the embedding part consists of externally hosted code running in an iframe, along with the clever fragment hack to mediate controlled communication between the container site and the embedded widget (and bypass the same-domain restriction). Not sure how that would defend against a malicious widget that uses frame-busting to send the user to a completely new page though - Facebook rewrite and sanitise all of the CSS and JavaScript that they serve, but I seriously doubt Google's open source container API pack will include that level of sophistication.

My other question at the moment is how much OpenSocial relates to the larger goal of an open social network, where import and export APIs allow people to easily move from network to network and still find their friends. I don't see anything in the GData People API that explicitly addresses the need to correlate the same user's account across multiple sites (it looks like it doesn't include an e-mail address for example) which seems to me to be pretty essential.

Am I getting this right, or have I missed something important? I'd love to hear from people who have been properly briefed on all of this.

Tags: apis, google, identity, opensocial, portablesocialnetworks

Sun's OpenID IdP: Real vs Fake

2007-09-25T22:39:47+00:00

Sun's OpenID IdP: Real vs Fake

The thinking behind Sun’s decision to allow users of their OpenID provider to pick fake names and assign personal e-mail addresses.

Tags: identity, lauren-wood, openid, pii, privacy, sun, sunmicrosystems

Quoting Thomas Huhn

2007-09-25T12:03:43+00:00

Your telco knows who you are, where you live and even your credit card number or bank account. It's their business to provide you physical access from a real location and identify you as a customer by sending you invoices and receiving money from you. This means that Orange OpenIDs are verified IDs of real people as a matter of principle.

— Thomas Huhn

Tags: identity, openid, orange, strongidentity, thomas-huhn

Quoting Bradley Horowitz

2007-07-01T08:54:00+00:00

There is a problem of managing identity across the internet, so when I say Darren Waters I mean this person and all of the manifestations and representations and personas of that person. The ability to knit those together is a huge challenge and opportunity for us as an industry.

— Bradley Horowitz

Tags: bbc, bradley-horowitz, identity, openid

Wrong-headed impersonation

2007-03-05T14:38:58+00:00

Wrong-headed impersonation

Kim Cameron discusses user absent authentication, and emphasises the importance of delegation using delegation coupons.

Tags: authentication, delegation, delegationcoupons, identity, kimcameron

SMTP Service Extension for Yadis Discovery

2007-02-05T09:44:50+00:00

SMTP Service Extension for Yadis Discovery

Could potentially let you use your e-mail address as an OpenID, although personally I wouldn’t always want to hand my address over to third-party sites.

Tags: dmitryshechtman, email, identity, openid, yadis

Firefox3/Firefox Requirements

2007-01-11T18:56:48+00:00

Firefox3/Firefox Requirements

OpenID and CardSpace are both listed as mandatory features.

Via Brady Forrest

Tags: cardspace, firefox, identity, openid

An OpenID is not an account!

2007-01-10T10:53:35+00:00

I'm excited to see that OpenID has finally started to gain serious traction outside of the Identity community. Understandably, misconceptions about OpenID continue to crop-up. The one I want to address in this entry is the idea that an OpenID can be used as a replacement for a regular user account.

Update at 23:55pm: I originally tried to illustrate this misconception with a quote from Don Park; unfortunately I misunderstood the quote and consequently misrepresented his position, for which I apologise unreservedly.

The old OpenID homepage (which I miss; the new one uses jargon-heavy terms like "a free framework for user-centric digital identity") included this in nice big letters:

What about trust?

This is not a trust system. Trust requires identity first.

OpenID solves the identity problem, not the trust problem. When a user authenticates with OpenID, what they are doing is stating "I have the ability to prove my ownership of this URL".

I used the phrase "have the ability" deliberately. Just because the OpenID authentication was successful doesn't mean that the user is the only person who can authenticate against that OpenID. It would be trivial to create the OpenID equivalent of Mailinator: an identity provider that says "Yes, that's them!" to any identity request. I'm tempted to build it just to emphasize this point! Update: Jayant Gandhi has built one.

The key thing here is that you should never trust an OpenID on its own. It could be a real person, or it could be a spammer, psycopath or general undesirable.

Does this mean OpenID is completely useless? Absolutely not! You just have to think of it in the same way that you think of username and password combinations: as the "key" to an account.

Most web application signup processes work something like this:

Bob selects a username
Bob enters a password, twice
Bob enters his e-mail address
Bob clicks a validation link in an e-mail sent to that address

Some sites throw a CAPTCHA in there for good measure.

OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID in to an existing account system) and you'll almost certainly want them to jump through the e-mail and/or CAPTCHA steps.

In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.

A nice thing about the above flow is that it demonstrates how easy it should be to add OpenID support to an existing Web application. If you've already got a user account system that's fine - just give your users a mechanism to associate an OpenID with their existing account so they can log in without using their password. You could even require new users to set up a full account (complete with password that they never intend to use) and then associate it with their OpenID, although doing so eliminates the lower barrier to entry advantage for OpenID users.

The trust issue is now null and void. An OpenID is just as trustworthy as a regular username and password (which could have been posted to bugmenot and shared with thousands of people).

One last time: an OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can't go wrong.

Tags: identity, openid, trust