Gyorgy Ordody is one of the software developers in Autodesk Labs. In response to our consideration of requiring Autodesk Labs login to download utilities, Gyorgy wrote this blog article.
Modern browsers have "remember password" features:
- Firefox - Password Manager (Options/Security/Passwords)
- Chrome - (Options/Minor Tweaks/Passwords)
- IE6,7,8 - "Remember Passwords"
However, there is more: some sites support Yahoo Login, some support Google Login or Microsoft Live ID (formerly Passport), and there are independent initiatives like OpenID. The goal of all of these is to make it easier to log in; however, they are not widely adopted and their security features are not fully trusted. Mozilla Labs is trying to help with this. They state the problem well here:
"The current state of identity on the Web is not so great. Much of the ongoing discussion and efforts around user identity on the Web focuses on tying identities to new or existing networks and using various protocols for federating it. User experience in general suffers as protocols for federation (e.g. OpenID) involve complex redirects which jump the user from page to page and leave them open to phishing attacks - not to mention other "ajax" methods which are even worse from a security standpoint. So last week the Weave team took advantage of the Mozilla all-hands, and decided to sprint on the Weave Identity component to open it up to the Web. After only a few days of hacking we came up with some very exciting stuff to share!"
The Mozilla Labs solution is Weave. It gives users more control over their information in the browser. For example, it syncs user preferences between Firefox instances. One feature, Weave Identity, securely shares login information among browsers of the same user on different computers. (Almost like user profiles in Windows.)
- Advantages: one password controls all passwords and all preferences, and it works with the password manager.
- Disadvantages: only available in Firefox, and users still have to sign up and sign in everywhere.
However, the Weave team points to a real problem: "The current state of identity on the Web is not so great." The biggest problem seems to be that security and user friendliness are in conflict: the simpler it is to log in, the easier it is to phish. For example, banks employ the following solutions: the login window shows images chosen by the customer, password fields get randomized names so that no automatic password filling can be used, etc. Some banks hand out SecurID key fobs as well. This may be anti-phishing, but it is anti-user-friendly as well: you have to remember all the user names and all the passwords for all the sites, and type them in every time, too.
Another solution for this is RoboForm, a paid product that keeps track of all passwords and logins and even synchronizes them between computers. The disadvantage is that it is a Windows-only application that fully supports Internet Explorer but supports Firefox only to some extent.
There are other initiatives to achieve a single login on the web, though. The foremost one is OpenID: "OpenID is a free and easy way to use a single digital identity across the Internet."
How does it work?
The user establishes an identity at an independent and secure provider; that provider can even be the user's own site (http://willnorris.com/openid-support).
There is a set of well-known, established OpenID providers, like Google, Yahoo, WordPress, etc., as well as smaller, simpler providers, like ClaimID, MyOpenID, VeriSign Labs, myid.net and myVidoop. You can compare their feature sets here: http://willnorris.com/openid-support. Finally, here is some information about how to create your own: http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers.
After the identity is established with a provider, sites that support OpenID rely on that provider to verify the user.
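To make the verification step concrete, here is a simplified Python model, added to this article and not code from the original post or from any OpenID library: the provider signs an assertion about the user's identifier, and the site receiving it checks that the assertion is addressed to that site, was signed under the secret shared with the provider, and has not been replayed. The names RelyingParty, provider_assert and outcome, the constructed association secret, the nonce format and the example URLs are all assumptions made for this illustration; real OpenID negotiates the association secret in a separate step and uses its own message formats. Note what this does and does not cover: the checks protect the assertion on its way back through the user's browser, but they cannot stop a phishing page from imitating the provider's login screen, which is the weakness the Weave quote above refers to.

```python
"""Simplified OpenID-style assertion verification (illustrative model, not the spec)."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from typing import Dict

# Constructed values for this example. In OpenID the association secret is
# negotiated between provider and relying party in a prior step; here it is
# simply assumed to be shared already.
ASSOC_SECRET = b"constructed-shared-association-secret"
ASSOC_HANDLE = "assoc-demo-1"
RP_RETURN_TO = "https://relying-party.example/openid/return"
NONCE_WINDOW_SECONDS = 300
SIGNED_FIELDS = ["mode", "claimed_id", "return_to", "assoc_handle", "response_nonce"]


def _kv_form(fields, params: Dict[str, str]) -> bytes:
    """Serialize the signed fields as 'name:value' lines (order matters for the MAC)."""
    return "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields).encode()


def _sign(params: Dict[str, str], fields) -> str:
    mac = hmac.new(ASSOC_SECRET, _kv_form(fields, params), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def provider_assert(claimed_id: str, return_to: str, now: int = None) -> Dict[str, str]:
    """Provider side: after the user has authenticated at the provider, build the
    signed positive assertion that is sent (via the user's browser) to return_to."""
    now = int(time.time()) if now is None else now
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    params = {
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.return_to": return_to,
        "openid.assoc_handle": ASSOC_HANDLE,
        # Timestamp prefix gives freshness; random suffix makes the nonce unique.
        "openid.response_nonce": stamp + secrets.token_hex(4),
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    params["openid.sig"] = _sign(params, SIGNED_FIELDS)
    return params


class RelyingParty:
    """Site side: verifies assertions; remembers nonces to defeat replay."""

    def __init__(self, return_to: str = RP_RETURN_TO):
        self.return_to = return_to
        self.seen_nonces = set()

    def verify(self, params: Dict[str, str], now: int = None) -> str:
        """Return the verified claimed identifier, or raise ValueError."""
        now = int(time.time()) if now is None else now
        if params.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        # 1. The assertion must be addressed to this site, so one captured for
        #    another relying party cannot be presented here.
        if params.get("openid.return_to") != self.return_to:
            raise ValueError("return_to does not match this relying party")
        # 2. Every security-relevant field must be covered by the signature, and
        #    the MAC must verify under the association secret.
        signed = params.get("openid.signed", "").split(",")
        for required in SIGNED_FIELDS:
            if required not in signed:
                raise ValueError(f"field {required} is not covered by the signature")
        if params.get("openid.assoc_handle") != ASSOC_HANDLE:
            raise ValueError("unknown association handle")
        if not hmac.compare_digest(_sign(params, signed), params.get("openid.sig", "")):
            raise ValueError("bad signature")
        # 3. Replay protection: the nonce must be recent and never seen before.
        nonce = params["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(now - issued) > NONCE_WINDOW_SECONDS:
            raise ValueError("nonce outside freshness window")
        if nonce in self.seen_nonces:
            raise ValueError("nonce already used (replay)")
        self.seen_nonces.add(nonce)
        return params["openid.claimed_id"]


def outcome(rp: RelyingParty, params: Dict[str, str], now: int) -> str:
    """Helper that reports accept/reject as a string for easy inspection."""
    try:
        return "accepted:" + rp.verify(params, now=now)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    rp = RelyingParty()
    t = 1_700_000_000
    good = provider_assert("https://alice.example/", RP_RETURN_TO, now=t)
    print(outcome(rp, dict(good), t))   # accepted
    print(outcome(rp, dict(good), t))   # replay of the same assertion is rejected
```

The three checks are independent: return_to binds the assertion to one site, the MAC detects tampering with the identifier, and the nonce store rejects a second presentation of an otherwise valid assertion. Any implementation that drops one of them re-opens the corresponding problem.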
Question: Would you be interested in an Autodesk provided OpenID implementation? Would you use it? Let us know at [email protected].
There is a problem with the adoption of these mechanisms: users are now accustomed to creating a new login for every site they sign up for. Questions about trust and security arise frequently, and it is an open question what happens if the provider's server goes down. For answers, here are some OpenID resources:
We could also use a trusted third-party login that comes with an API: the Google login, the Yahoo login, Live ID, or Facebook Connect. (You can see a comparison between Live ID, OpenID and Facebook Connect here: http://identity20.com/?p=153.) This article brings up a good point about the benefits of Facebook Connect:
The killer feature though is something that will be hard for other potential platforms to do. Facebook strives to only have real identities. In the participatory web, the enemy has been the lack of accountability. Trolls pollute the conversation, spammers fill the web with garbage, and promoters try to game the system. Facebook kills off accounts that are not real people. I know. We had an account for Sxipper on Facebook. Sxipper only lived a few weeks. With the rich profile and feed data that a real user has, the barrier to creating what appears to be a legitimate account is very high. For many Facebook users, losing their Facebook account would be a catastrophe - so the motivation to behave is high for many which is why there is little spam in Facebook. Put this in sharp contrast to the barriers to creating an OpenID at Yahoo!, Blogger, AOL or MySpace. (There is little, Orange being an exception for OpenIDs associated with their customers.) Other social networks such as MySpace, Orkut etc. can’t provide the same level of assurance of accountability.
Facebook will support OpenID to a certain extent (http://www.secpoint.com/Facebook-Becomes-More-Open-with-OpenID-Support.html): "New users of Facebook will now be able to make accounts using their Gmail ID, while existing users should be able to link their ID with their Facebook accounts and therefore log in with their Gmail ID or any other OpenID account that supports 'automatic login'."
There are competitors to OpenID as well, for example SlashID (http://www.slashid.com): "SlashID stores an encrypted personal profile for each user and encrypted credentials for every site the user is registered with." However, it is a revenue-based service: a single company manages your personal information (even though it is encrypted), and if the service goes down, the user has to fall back to the old login/password.
Question: what would readers feel comfortable with?