OpenID with Strong Authentication

Aaron Topance on big league OpenID providers that don’t accept OpenIDs from other providers:

There seems to be a trend, as of recently, for large companies to become OpenID providers, but now allow logging into their service with your OpenID account. The trend I’m noticing, is everyone wants to be a provider, but no one wants to support OpenID logins. Well not “no one”, but not the major players. Consider the following major corporations or web sites that are OpenID providers:

• America Online
• Orange
• LiveJournal and Vox
• WordPress.com
• Yahoo!
• Blogger
• Verisign
• … and more

Supposedly, news has hit the front that Microsoft will be supporting OpenID as a provider, and rumors have it that your GMail account can be used as an OpenID identity. But what about logging into these providers with an existing identity? Here’s the question posed: Can I login to AOL, or create and AOL account, with an already existing OpenID identity? What about LiveJournal? WordPress? Yahoo!? Blogger? etc.

There’s an interesting discussion on Mark Evan’s blog about the potential of a killer application for OpenID:

One of the biggest challenges facing OpenID is it’s a solution (universal identity management) looking for a problem to solve.

Sure, it’s a pain having to remember different usernames and passwords (unless you lazily use the same ones for everything) but most people don’t see it as a huge issue, which means OpenID has failed to gain much traction. And to be frank, that won’t change much even with major players such as Google, Yahoo and AOL starting to climb on the OpenID bandwagon recently.

One of the applications the Evan’s points to with some enthusiasm is PageOnce, which is a universal dashboard for the web.

Johannes Ernst’s discuses the business ramifications of Yahoo joining the OpenID space:

Instead of being a technical curiosity, web businesses can now assume that the majority of their visitors have an OpenID. Okay, Yahoo and AOL and Blogger and all of the existing implementations don’t add up to more than 50% of internet users, but you can bet that more telcos become OpenID providers for their broadband customers, as Orange showed, and that all major internet portals, Microsoft and Google included, will offer OpenIDs with each of their accounts shortly. (It’s easy for them to do, and they don’t want to lose even one of their subscribers for the reason that they didn’t add a small bit of code to their site, that, boy, might even benefit them strategically, and not just create competitive parity.) It’s a very safe assumption for web businesses that by the time they can do anything about OpenID, regardless how fast they move, more than 50% of their visitors will have an OpenID, and Yahoo!’s move yesterday made that a virtual certainty.

As OpenID gains recognition, how will other standards be developed to cooperate with decentralized single-sign-on?

Scott Kveton considers portable social networking and solutions that make it viable along side OpenID:

Social network fatigue is getting worse with every new site that comes along and it doesn’t have to. I should be able to sign up for a site with my OpenID and be prompted to import my contacts/friends accordingly. Ideally I could import them based on some criteria or tag; friends, colleagues, co-workers, etc. In the very near future, you won’t go to social networking sites to interact with your friends … every single site will have social networking built in.

There are a couple of solutions coming down the line. Tom and the folks at Barnraiser have been working on a portable social network solution that is based on OpenID. Videntity and claimID have also been working on ways to share contacts based on XFN. Both of these solutions adhere strictly to the limited format defined for XFN. These solutions suffer from the fax problem; faxes weren’t interesting until everybody had them … so how did they take off? There are also several other efforts as well.

Kveton post also touches on an interesting profile exchange protocol for OpenID, SREG.

Using TrustBearer OpenID on Linux is easy.

Doing so requires PC/SC Lite: most distributions include this package, for example as “pcscd” (Debian / Ubuntu) or “pcsc-lite” (Red Hat / Fedora).

First install, then start the service with “/etc/init.d/pcscd start” (Debian / Ubuntu) or “services pcscd start” (Red Hat / Fedora). To use the TrustBearer Security Key, first download the drivers for the ASEDriver IIIe Reader USB from Athena Smartcard Solutions and extract the files. Run “./configure” followed by “make” and “make install.” You will need the PC/SC Lite development files, usually provided by the distro in a separate package. You will need to restart PC/SC after installation, then just plug the key into a USB port.

(Note: these instructions are for x86 architectures; using another architecture like AMD64 is possible, but requires the use of 32-bit versions of PC/SC Lite and Firefox, plus some more work.)

In an effort to improve user security and convenience with online applications, TrustBearer Labs has released a secure OpenID service combined with its TrustBearer Access software that eliminates the risk of using multiple passwords across multiple sites while providing a central and secure way for users to login. The system leverages authentication devices such as smart cards, usb tokens, and fingerprint biometrics to provide advanced security and convenience.

As with OpenID, TrustBearer’s products provide users with a clean experience using credentials and digital identities with everyday services and applications. It requires no middleware software but rather works through the web browser on Windows, Mac, and Linux platforms - making it instantly deployable. TrustBearer leverages existing authentication devices, including the already over 6 million deployed Common Access Cards and PIV smart cards issued by the US and foreign governments with planned support for a variety of other national and government ID cards.

OpenID is an open architecture identity platform that allows users to have one ID which they use across a variety of online websites. While still in its adoption phase, the OpenID standard is steadily recognized by industry leaders such as Yahoo, AOL, and others. There are approximately 10,000 web sites and services that support OpenID and its growth and importance will continue.

More information on OpenID with TrustBearer including information on obtaining a TrustBearer Security Key for use with OpenID can be found at:https://openid.trustbearer.com

About TrustBearer LabsTrustBearer Labs delivers adaptive and effective identity solutions by creating software that simplifies and extends the use of authentication credentials. With over 10 years experience in developing applications in government, consumer, and health care - TrustBearer Labs is a recognized expert in making strong authentication and security simpler and more effective.