The other day I started talking a little bit about my experiments with OpenID, a new, portable, and universal authentication scheme for web sites. I’ve been continuing this since then, and have some newer information I want to share with you. Originally, one of my primary concerns was that of security. For general purpose use, I mentioned that MyOpenID.com seemed to be an all right solution. It is. The problem was that there were still holes that seemed ripe for exploiting since it was still password based, and required nothing special to get into beyond that. But, a site called MyVidoop.com (who comes up with these names?) really raised the bar in my opinion (click here to get an OpenID from them). At the end of this blog, there will be a couple white sheets you can download that will have more information on what I’m about to share. So, if you don’t think I tell you what you want to know (girls tell me that all the time), look there. There’s also a short video about how OpenID works.
MyVidoop appears to have been created with the idea of securing OpenID as priority number one (well, making money was probably number one, but security a close second!). And next to MyOpenID, they blow them away. Some of you might be familiar with the kitten captcha. This clever system suggested using image identification as a captcha method in place of current text obfuscation techniques which are constantly being broken. That introduced the need for human level cognition to process the form, eliminating most bots from the equation. MyVidoop used this style of technique with regard to authentication. Instead of a static password you type in each time, you identify 3-5 image groups when you set up your account, then when you log in, you select images from a grid that match your groups. This is connected to a pass key (each image has a letter associated with it) which is never the same twice since the grid, images, and letters tied to them change on each log in. The only static information used in the process is the categories of images, and only you know them. Thanks to other steps, there is no effective way for a bot to glean that information or put it to use.
It’s rather clever, because it inherently defeats two account cracking methods: brute force and keystroke logging. Since the login key is never the same twice, a compromised key does no good. Since it is random each time, there’s no way to brute it effectively. But what about phishing? This is where it gets interesting. MyVidoop has created a token based system for security. If I go to a site to register, MyVidoop will ask me about the computer I am at. It will send a token, either to a predefined email address, or even as a text or voice message to my cell phone! And yes, it’s immediate. You must have this 6 digit token to even be allowed to see the image grid. This makes phishing nigh impossible since tokens only come to you. It’s also a level of security unheard of with other sites. Even my bank doesn’t personally check with me about a login. Once you have entered the token, you can have it remember the computer for the future (such as a home system or laptop you use frequently) so that you aren’t getting tokens at every single login with a computer you trust. Likewise, there is no way to provide an effective man-in-the-middle attack, because a token is good only once, and you need a human component to decrypt categories, assuming you bypassed the token and were able to capture a grid. This login information never leaves an OpenID provider, regardless of who it is. It’s similar to LDAP in that all the web site gets back from the provider is a yes or a no with regards to if a person is who they say they are (along with information they require, like an email address, which you say is okay for them to have). At no point are login credentials handled by the originating site.
All in all, this seems quite effective at preventing an ID from being lifted. To emphasize OpenID’s portability, I’ve already changed my server and delegate to point away from MyOpenID to MyVidoop by changing the code in the header of my website (WordPress has a handy plugin for this called WP-Yadis). I would speculate that eventually, other providers will follow suit to try and keep up. At the moment though, MyVidoop is the only company offering this level of security for your ID.
Like other services, it supports useful features like multiple profiles, and also ID forwarding. Unlike others, they have an affiliate program that will pay you to get others to sign up. That situation is very win-win. They are funded through companies like SmartUSA.com, and have mentioned selling images spots like ads, so Pepsi might show up in the beverages category, or Cessna in airplanes, Fend in musical instruments, etc. Besides funding the site, they pass that back to affiliates (and thank you for that).
Lastly, consider a comparison. Assume that you get an email from a phisher that tricks you into going to their site to log in (tsk, tsk, you should be ashamed for not catching that!). In scenario one, you are using MyOpenID. You go in, and they load up the login screen with a wrapper that logs your password (you did check the URI (Uniform Resource Identifier) of the page you are on, right?). Like any site that requires a static log in, they can lift and reuse your credentials. It’s not so much a fault of OpenID as it is static logins, but it can be worse since OpenID allows access to so much. One password later and you’re compromised. With MyVidoop, first it asks for the token. That gets sent only to you, so the phisher can’t intercept it. Once you use it, it’s done, so if the token is logged, it can’t be used again. You are shown a screen next, with an image grid. You enter the letters matching your image categories. The letters have a random association, so it can’t determine what the connection to images is, and that key is also only good once, so the phisher can’t reuse it. Even if they capture the grid, human intervention is required to figure out what categories you might be using. These scams usually rely on automated bot systems, so stopping to physically check each grid isn’t cost effective (this would also hold true for trying to do it with a Turk, in theory, if enough people do it). Even if they got the categories, step one, the token, will prevent them from getting to the grid in the future.
To be fair, other services like MyOpenID, do offer an option to use an SSL certificate to log yourself in, which is much better than passwords, but it isn’t the default mechanism and you must dig it out of the Account Settings area to enable it. It’s also only really useful with computers that you use regularly since the certificate must be installed on the machine. What I would like to see, is someone attach OpenID login to one of the PayPal/Verisign style RSA keyfobs.
You’ll notice on the right you can now log in directly with OpenID on this site, and there’s a link there to go get an OpenID from MyVidoop. If you want to get started in OpenID, I’m not sure there’s a better place at the moment. Video and PDFs below.