About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


OpenID with myVidoop

I like OpenID. I've been an avid user (and consumer) of OpenID for well over a year now, but I've only recently found time to explore Vidoop, whose self-described mission is one username, no password.

I keep meaning to write a more general post about OpenID, but this is what's on my mind at the moment. (Sorry for posting out of order.) In the meantime, you can watch Simon Willison's video tutorial for a good introduction.

You can learn more about Vidoop on their web site, but if you like to learn by example, I recommend registering for a myVidoop account. (They get extra credit for dropping the superfluous www subdomain and using a secure connection.) When registering, you choose three categories for your Image Shield, a grid of images that looks something like this:

An Example Vidoop Image Shield

The Image Shield is what replaces the need for a password, or more precisely, it's an innovative way to give you a one-time password. Each time you log in, you're presented with a completely new Image Shield, and among the images are going to be three that match your three previously-chosen categories. For example, if the categories you choose are cars, cats, and boats, then your one-time password is opu according to the above Image Shield. (Note the letters on each image.)
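A simplified model of the one-time-password behaviour described above, as an added example (not Vidoop's code and not part of the original post). The category pool, the grid size, the one-image-per-category layout and the order-insensitive comparison are all assumptions made for illustration.

```python
import hmac
import secrets
import string

rng = secrets.SystemRandom()

# Constructed category pool (hypothetical); a real catalogue would be far larger.
CATEGORIES = ["cars", "cats", "boats", "flowers", "dogs", "planes",
              "trees", "food", "clocks", "keys", "books", "shoes"]


def new_shield(secret_categories, grid_size=12):
    """Build a fresh grid: one image per category, each with a unique random letter."""
    decoys = [c for c in CATEGORIES if c not in secret_categories]
    shown = list(secret_categories) + rng.sample(decoys, grid_size - len(secret_categories))
    rng.shuffle(shown)
    letters = rng.sample(string.ascii_lowercase, grid_size)
    return {"grid": dict(zip(shown, letters)), "used": False}


def expected_code(shield, secret_categories):
    # Assumption: the letters are compared as a set, so entry order does not matter.
    return "".join(sorted(shield["grid"][c] for c in secret_categories))


def verify(shield, secret_categories, submitted):
    """Accept one attempt per shield; any attempt, right or wrong, burns it."""
    if shield["used"]:
        return False
    shield["used"] = True
    want = expected_code(shield, secret_categories)
    got = "".join(sorted(submitted.lower()))
    return hmac.compare_digest(want.encode(), got.encode())


if __name__ == "__main__":
    secret = ["cars", "cats", "boats"]
    shield = new_shield(secret)
    code = expected_code(shield, secret)
    print("grid:", shield["grid"])
    print("first use :", verify(shield, secret, code))
    print("replay    :", verify(shield, secret, code))
```

Because the letters are redrawn for every grid, a code observed during one login only matches a later grid by chance; what stays secret is the set of categories, not the letters typed.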

This is worth explaining in more detail, because it's the primary differentiator, and there's a bit more to it. (This innovation is what compelled me to explore myVidoop, now my primary OpenID provider.) Alone, the Image Shield is convenient but otherwise unimpressive. However, you can only log in from an activated browser. Browser activation is what qualifies myVidoop's authentication as two-factor authentication, because it uses an alternative communication medium that you choose when registering. If you choose text messaging and try to log in from an unactivated browser, you see something like this:

Logging In with an Unauthenticated Browser

In many ways, browser authentication is equivalent to a traditional authentication system that uses a username and password, with two important differences:

  • Instead of providing a username and password, you provide an activation code that is sent to you using an alternative form of communication. (In other words, not the web site.) This protects you against security problems in the web site, because a successful attack must exploit multiple mediums.
  • Instead of being considered logged in, you're simply allowed an opportunity to log in via the Image Shield. Thus, the Image Shield is an additional security measure that is traditionally absent.

This might sound like a lot of trouble, but browser activation is very long-lived, so logging in via the Image Shield is what you'll be doing most of the time. The Image Shield is a last line of defense that happens to be pretty good, so even if someone steals your computer, there's still hope. You can even log in and deactivate a browser, but of course you'll have to activate another browser first. Try to make sure someone can't easily steal both your computer and your phone. :-)

If you want to try myVidoop as your OpenID provider, you can either use the OpenID myVidoop provides (mine is shiflett.myvidoop.com), or delegate your own as I do with shiflett.org:

<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://shiflett.myvidoop.com/" />
<link rel="openid.delegate" href="http://shiflett.myvidoop.com/" />

You can view the source of this page to see this in context. Be sure to replace shiflett with your own username, unless you can authenticate as me. :-) You can try your OpenID by leaving a comment below.
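Since these four tags decide which provider is allowed to vouch for your identifier, it is worth checking them after every edit. The following is an added example, not code from the original post or from myVidoop: it parses a page's head, collects the OpenID 1.1 and 2.0 relations, and reports missing tags, non-HTTPS provider endpoints and disagreement between the two protocol versions. The function names and the drifted sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# OpenID 2.0 and 1.1 discovery relations, as used in the tags above.
RELS = {"openid2.provider", "openid2.local_id", "openid.server", "openid.delegate"}


class LinkCollector(HTMLParser):
    # Collects the first href for each OpenID <link rel> found inside <head>.
    def __init__(self):
        super().__init__()
        self.found, self.in_head = {}, False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit_delegation(html):
    """Return (found, problems) for a page's delegation tags."""
    parser = LinkCollector()
    parser.feed(html)
    found, problems = parser.found, []
    problems += [f"missing {rel}" for rel in sorted(RELS - set(found))]
    for rel in ("openid2.provider", "openid.server"):
        if rel in found and urlparse(found[rel]).scheme != "https":
            problems.append(f"{rel} is not https: {found[rel]}")
    if found.get("openid2.provider") != found.get("openid.server"):
        problems.append("OpenID 1.1 and 2.0 point at different providers")
    if found.get("openid2.local_id") != found.get("openid.delegate"):
        problems.append("OpenID 1.1 and 2.0 name different local identifiers")
    return found, problems


# The four tags from the post, wrapped in a <head> so they can be parsed.
PAGE_TAGS = """<head>
<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://shiflett.myvidoop.com/" />
<link rel="openid.delegate" href="http://shiflett.myvidoop.com/" />
</head>"""
# Constructed failure case: the 1.1 delegate was left pointing at another account.
DRIFTED_TAGS = PAGE_TAGS.replace('delegate" href="http://shiflett.', 'delegate" href="http://example.')
```

`audit_delegation(PAGE_TAGS)` reports no problems, while `audit_delegation(DRIFTED_TAGS)` flags the mismatch between `openid2.local_id` and `openid.delegate`.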

I've also been enjoying the myVidoop Plugin, a Firefox extension that replaces the login manager. The biggest advantage is that I'm able to decide whether to remember a password after observing the next page to see if I remembered it correctly myself. :-) The biggest disadvantage is that the extension does not support HTTP auth, and because it disables the login manager, there's actually no way for Firefox to remember HTTP auth credentials. I really hope this gets fixed, because it's a huge problem for anyone that has to deal with HTTP auth on a daily basis. (I do.)

If you use Twitter like I do, you can follow Vidoop there. Unlike Pandora, the Vidoop bio doesn't mention who is responsible, but whoever it is responds to feedback, which is a plus. For example, I asked about the lack of HTTP auth support and received a prompt response:

When the myVidoop plugin is added we disable the Firefox login manager (else you would get multiple 'remember this' prompts)

This didn't exactly answer my question, but I asked a more direct question and got a more direct answer.

It's nice to be able to provide feedback so easily, and it's even nicer to have your feedback acknowledged. With any luck, the HTTP auth issue will be addressed at some point, so I can complain about less important things. :-)

I may write more about myVidoop in the future, because there are a number of features I haven't mentioned. If it sounds interesting, I encourage you to give it a go and tell me what you think. (You can tell them, too, by emailing myvidoop-fb@vidoop.com or using Twitter. I'm sure they'd appreciate it.)

About this post

OpenID with myVidoop was posted on Tue, 06 May 2008.

21 comments

1.Kevin Fox said:

Thanks for the post Chris, I run the Twitter account. We have a new plugin coming out for FF3, then I will see what's next and let you know about HTTP Auth.

Please pass on any other feedback you may have.

Cheers,

Kevin

p.s. If you run a web site and want to make it easy for your members to get an OpenID from myVidoop check out our affiliates program http://affiliates.vidoop.com

Tue, 06 May 2008 at 07:53:28 GMT Link


2.Ben Ramsey said:

Very nice and much more full-featured than myopenid. I've made the switch. Thanks, Chris!

Tue, 06 May 2008 at 15:07:50 GMT Link


3.Chris Shiflett said:

Hey, Kevin, thanks for the comment. I just registered for an affiliate account.

Hope you like it, Ben. I'm glad I convinced you to try it out. :-)

Tue, 06 May 2008 at 15:41:13 GMT Link


4.Laura Thomson said:

The biggest advantage is that I'm able to decide whether to remember a password after observing the next page to see if I remembered it correctly myself.

This feature is built in to Firefox 3.

Thanks for the interesting post!

Tue, 06 May 2008 at 15:53:39 GMT Link


5.Kevin Fox said:

Hi Chris,

Thanks for registering, if you have any thoughts/suggestions on how we can make the affiliate program better please let me know.

@Laura with the myVidoop plugin you can save all the passwords to an encrypted file that is local to your machine, or save the passwords with myVidoop and have them accessible from anywhere.

Cheers,

Kevin

Tue, 06 May 2008 at 18:08:05 GMT Link


6.Koesmanto Bong said:

Hi Chris,

As far as browser activation goes, you can have a lot or no browser activated at all. The main purpose for the browser activation is so you don't have to keep on requesting a one-time activation code to sign in to your account on a computer that you either own or use frequently.

But say you are at a coffee shop, using a public computer, you can request a one-time activation code, not activate that browser permanently, and get into your myVidoop account. That browser will be temporarily activated until you sign out.

-Koes

Tue, 06 May 2008 at 18:33:58 GMT Link


7.Chris Shiflett said:

Thanks for the additional information, Kevin and Koes. :-)

One nice combination I failed to mention is that you can activate a browser temporarily per Koes's instructions, and you can then have access to all of your saved passwords. (This requires a specific choice to save your passwords with myVidoop instead of locally.) I can see this coming in handy if I need to do something on a friend's computer at some point, because I can never remember my passwords.

Tue, 06 May 2008 at 18:55:05 GMT Link


8.leveille said:

Thanks for sharing Chris. I've been using the service now since you originally posted. I really like the model they have set up. Very smooth.

Wed, 07 May 2008 at 13:15:58 GMT Link


9.Jon Tan said:

Thanks for posting this Chris. The only thing stopping a typophile like me using it is the lack of a Safari plugin (hint, hint, guys). :)

Wed, 07 May 2008 at 23:02:35 GMT Link


10.John Layman said:

Thanks for the tip. This should come in handy for all those passwords I never remember.

By the way, it was neat to see your article on foiling XSRF referenced in my database class this semester. It's always fun when I'm ahead of the curve.

Thu, 08 May 2008 at 05:14:26 GMT Link


11.John Layman said:

I had one more thought after I attempted to post a comment. If a user decides to change which OpenID provider they use, currently this would not be possible on your site. I got a duplicate key error, because I'm assuming you use a natural key for the users table. Do you think it would be a good idea to allow users to update the OpenID attached to their account in the same way you might have previously permitted a user to update their email address?

Fri, 09 May 2008 at 00:55:07 GMT Link


12.Chris Shiflett said:

Hi John,

I agree with you. I think the optimal solution for this site is for me to let people have as many OpenIDs as they want and authenticate using any of them.

I hope to find the time to improve a few things, and OpenID integration is near the top of the list.

Delegation is also a good option, so you don't have to change OpenIDs whenever you change providers. For example, I use shiflett.org as my OpenID everywhere, and this didn't change when I switched to myVidoop.

Fri, 09 May 2008 at 01:16:57 GMT Link


13.hossein said:

Hi!

May you give me an example how to use mcrypt_encrypt() in order to save password in database?

There is nothing in your blog about encryption ...

Thanks

Fri, 09 May 2008 at 13:05:11 GMT Link


14.Laurent Cottereau said:

I am very interested in the possibilities of this service. However, I am wondering about what is used to identify a browser. I suppose this cannot be guessed and spoofed by an attacker who could then easily arrive at the picture screen... But I wonder how this can be done...

And if it is easily guessed and spoofed, the whole activation-through-another-medium is lacking utility...

Can anybody correct me?

Wed, 14 May 2008 at 11:55:52 GMT Link


15.Mitch Pirtle said:

Trying out Vidoop now, and it's all your fault.

Sat, 17 May 2008 at 18:39:35 GMT Link


16.Chris Shiflett said:

I'm happy to take the blame, Mitch. :-)

Hope you like it as much as I do.

Sat, 17 May 2008 at 21:30:31 GMT Link


17.Garret Heaton said:

Just switched from ClaimID. Glad this article convinced me to!

Sat, 31 May 2008 at 20:14:29 GMT Link


18.Chris Shiflett said:

Hope you enjoy it, Garret. :-)

Sat, 31 May 2008 at 20:43:16 GMT Link


19.Laurent Cottereau said:

Hello again Chris,

Do you have an idea how the browser is uniquely identified by the service?

Tue, 10 Jun 2008 at 22:03:19 GMT Link


20.Andrew Ellis said:

Thanks Chris. I've set up an account now.

Fri, 13 Jun 2008 at 18:50:20 GMT Link

