openid intro @ barcamp brussels 3
DESCRIPTION
I gave a talk about OpenID at Barcamp Brussels 3, May 2007
TRANSCRIPT
OpenID Intro
“Identity 2.0 - Forget your passwords”
~/ $ who am i
• Frank Louwers - [email protected]
• Partner in Openminds & Metatale
• http://frank.be
• Openminds offers high-quality, high-performance Internet solutions
• Openminds launched the first Belgian OpenID identity server
Quick Poll?
• Who uses same username / password for every new account?
• Who loses usernames / passwords for some sites?
• Who has a blog?
• Who has OpenID? (Wordpress.com, AOL, Typepad, Yahoo!, ...)
Passwords, usernames, and amnesia
Morning workflow
• Read Mail (needs login)
• Read RSS feeds (needs login)
• Use company Intranet / wiki (needs login)
• Write blogpost (needs login)
• Comment on other blogs / wiki (needs login)
Even worse ...
http://www.monuments.nu/monuments/2007/05/pure_annoyance.html
Our best friend ...
Not only do we need to remember the password
We also need to remember the (random) username!
Solutions
Lazy solution
• Same password everywhere
• Not safe
• One site compromised, all sites compromised
• When your mail-address changes, accounts lost?
Solution: Single Sign On
• Previous attempts: Microsoft Passport.net
• Centralised (not everyone trusts MS)
• Expensive to integrate
• Not extendable
OpenID: KISS
• De-centralised
• Open Standards based
• easy, lightweight protocol
• providing Single Sign On
• Based on proven standards (DNS and URLs)
• A blog identifies a person
De-centralised
• You choose one of the many OpenID i-providers (http://openid.openminds.be)
• You choose who you trust and why
• Even set up your own OpenID server if you want
• It’s the only place where your credentials are stored
A life without passwords
What does it look like?
Login to OpenID sites
• Enter your OpenID identifier URL as “username”
• Site contacts your OpenID Server (based on URL)
• OpenID Server checks if you are logged in
• OpenID Server passes token to site
Only the first time I log in to an OpenID site that day. Next time, only a confirmation is needed.
What data should be transferred to the site?
Wikitravel doesn’t have a local account for this OpenID. It suggests that I create one. This happens only the first time. It binds my OpenID (openid.openminds.be/frank) to this new account.
Blog url as OpenID
• My OpenID: openid.openminds.be/frank
• My blog: frank.be
• Solution? Simple HTML tags!
Add HTML header tags
No other plugins or code needed on your blog!
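How a site accepting OpenID logins could read those header tags, as an added example that is not part of the original slides. It assumes the OpenID 1.x link names `openid.server` and `openid.delegate`; the server endpoint is a placeholder and the sample page is constructed. Tags outside `<head>` (for example in comment markup) are ignored.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

OPENID_RELS = ("openid.server", "openid.delegate")

class HeadLinkParser(HTMLParser):
    """Collects OpenID 1.x <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_seen = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_seen:
            self.in_head = self.head_seen = True
        elif tag == "body":
            self.in_head, self.head_seen = False, True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href:
                    self.links.setdefault(rel, href)  # first tag wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """Return the server to contact and the identity to assert there."""
    parser = HeadLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link inside <head>")
    # Without a delegate tag, the entered URL itself is the identity.
    identity = parser.links.get("openid.delegate", claimed_id)
    for url in (server, identity):
        if urlsplit(url).scheme not in ("http", "https"):
            raise ValueError("unexpected URL scheme: " + url)
    return {"claimed_id": claimed_id, "server": server, "identity": identity}

# Constructed sample page; the server endpoint is a placeholder.
BLOG_HTML = """<html><head><title>frank.be</title>
<link rel="openid.server" href="http://openid-server.example/endpoint">
<link rel="openid.delegate" href="http://openid.openminds.be/frank">
</head><body><p>A comment containing markup:
<link rel="openid.server" href="http://other.example/endpoint"></p>
</body></html>"""
```

Calling `discover("http://frank.be/", BLOG_HTML)` keeps frank.be as the URL the user typed while the login itself is checked against the delegated identity.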
Who is using it?
Who’s in the game?
Plugins available for:
• Blog software (Wordpress, MT, Mephisto, ...)
• Wiki software (MediaWiki, DokuWiki, ...)
• Almost all Web frameworks (Drupal, Ruby on Rails, Joomla, Django, ...)
Add OpenID to your project
• Lower barrier (users don’t need to create an account) eg: http://iusethis.com
• Simplifies account setup
• Specific hacks
• AIM integration
• Company Intranets or wikis and Company OpenID
Problems?
• Google isn’t in, and won’t be in soon
• Login is slower (browser redirects ...)
• Vulnerable to Phishing
• risk actually less than with username / password logins
• can be fixed with plugins (and FF3)
Future versions
• Exchange of more attributes
• Gravatars?
• Address (eg for shipping)
• Language / timezone settings
• Verified email address or not
• Security enhancements
Links
• http://openid.openminds.be (still beta)
• http://myopenid.com
• http://openid.net
• http://janrain.com/openid
• http://openiddirectory.com