OpenID with myVidoop
I like OpenID. I've been an avid user (and consumer) of OpenID for well over a year now, but I've only recently found time to explore Vidoop, whose self-described mission is one username, no password.
I keep meaning to write a more general post about OpenID, but this is what's on my mind at the moment. (Sorry for posting out of order.) In the meantime, you can watch Simon Willison's video tutorial for a good introduction.
You can learn more about Vidoop on their web site, but if you like to learn by example, I recommend registering for a myVidoop account. (They get extra credit for dropping the superfluous www subdomain and using a secure connection.) When registering, you choose three categories for your Image Shield, a grid of images that looks something like this:
The Image Shield is what replaces the need for a password, or more precisely, it's an innovative way to give you a one-time password. Each time you log in, you're presented with a completely new Image Shield, and among the images are going to be three that match your three previously-chosen categories. For example, if the categories you choose are cars, cats, and boats, then your one-time password is
opu according to the above Image Shield. (Note the letters on each image.)
This is worth explaining in more detail, because it's the primary differentiator, and there's a bit more to it. (This innovation is what compelled me to explore myVidoop, now my primary OpenID provider.) Alone, the Image Shield is convenient but otherwise unimpressive. However, you can only log in from an activated browser. Browser activation is what qualifies myVidoop's authentication as two-factor authentication, because it uses an alternative communication medium that you choose when registering. If you choose text messaging and try to log in from an unactivated browser, you see something like this:
In many ways, browser authentication is equivalent to a traditional authentication system that uses a username and password, with two important differences:
- Instead of providing a username and password, you provide an activation code that is sent to you using an alternative form of communication. (In other words, not the web site.) This protects you against security problems in the web site, because a successful attack must exploit multiple mediums.
- Instead of being considered logged in, you're simply allowed an opportunity to log in via the Image Shield. Thus, the Image Shield is an additional security measure that is traditionally absent.
This might sound like a lot of trouble, but browser activation is very long-lived, so logging in via the Image Shield is what you'll be doing most of the time. The Image Shield is a last line of defense that happens to be pretty good, so even if someone steals your computer, there's still hope. You can even log in and deactivate a browser, but of course you'll have to activate another browser first. Try to make sure someone can't easily steal both your computer and your phone. :-)
If you want to try myVidoop as your OpenID provider, you can either use the OpenID myVidoop provides (mine is
shiflett.myvidoop.com), or delegate your own as I do with
<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://shiflett.myvidoop.com/" />
<link rel="openid.delegate" href="http://shiflett.myvidoop.com/" />
You can view the source of this page to see this in context. Be sure to replace
shiflett with your own username, unless you can authenticate as me. :-) You can try your OpenID by leaving a comment below.
I've also been enjoying the myVidoop Plugin, a Firefox extension that replaces the login manager. The biggest advantage is that I'm able to decide whether to remember a password after observing the next page to see if I remembered it correctly myself. :-) The biggest disadvantage is that the extension does not support HTTP auth, and because it disables the login manager, there's actually no way for Firefox to remember HTTP auth credentials. I really hope this gets fixed, because it's a huge problem for anyone that has to deal with HTTP auth on a daily basis. (I do.)
If you use Twitter like I do, you can follow Vidoop there. Unlike Pandora, the Vidoop bio doesn't mention who is responsible, but whoever it is responds to feedback, which is a plus. For example, I asked about the lack of HTTP auth support and received a prompt response:
When the myVidoop plugin is added we disable the Firefox login manager (else you would get multiple 'remember this' prompts)
It's nice to be able to provide feedback so easily, and it's even nicer to have your feedback acknowledged. With any luck, the HTTP auth issue will be addressed at some point, so I can complain about less important things. :-)
I may write more about myVidoop in the future, because there are a number of features I haven't mentioned. If it sounds interesting, I encourage you to give it a go and tell me what you think. (You can tell them, too, by emailing
firstname.lastname@example.org or using Twitter. I'm sure they'd appreciate it.)