Evan Prodromou‘s open source Twitter-like site identi.ca supports OpenID for logging in. This basically means that if you have set up an OpenID with an OpenID Identity Provider, and you want to sign in to a site that supports OpenID login, that site sends you back to your Identity Provider site to authenticate with your password, waits for your Identity Provider’s secure handshake verifying that you really do own that OpenID, and then lets you in. The key: your Identity Provider is the only site where you enter the password for your ID. This is a huge win, and avoids some evil anti-patterns. A bonus is that you can use that same OpenID with multiple sites, and none of them needs to know your password. This also means that Single Sign On is really easy.
Here’s a walk-through of how OpenID login works on identi.ca (the process is similar on any site that allows logging in using an OpenID). First, the site gives you the option of using a conventional username/password Login, or of using an OpenID login:
Since I’m already registered on identi.ca with an OpenID, I choose that option, and am asked to enter my OpenID. In my case I’m using the iNames form of OpenID (=mark.szpakowski), which I type into the form.
Note that there is no password field!
When I click the Login button, I am taken to my Identity Provider, 2idi.com. That is the only site to which I ever present my password!
I enter my password there (if I need to – if I’d previously authenticated here, and my session here was still alive for my current browser, 2idi would not need this step to know who I am!), and then 2idi and identi.ca perform some handshaking in the background which assures identi.ca that I am indeed =mark.szpakowski, and identi.ca logs me in.
Why is this important? Well, consider the hellotxt site, which offers to aggregate and display status updates from any site I belong to. However, to do this it asks me to login to each of those sites, using the Username and Password for each of those sites. For example, for the Brightkite site:
This is scary! As Earle Martin says, “hello.txt is also full of password antipattern. I don’t think so…”. Do I really want to enter all my usernames/passwords for all the sites I belong to on some other site’s page?
If my sites supported OpenID, this could be deftly avoided: I simply enter the OpenID I use for each site, but I only type in my password on my trusted OpenID provider site. And in fact after the first time I do so, I don’t need to re-authenticate with my password as long as I don’t close down my browser session.
The preceding has been a public service announcement….
I recently got me a id at certifi.ca which avoids the passwords alltogether! Awesome awesomeness. 🙂
A bit too much for a regular user though to download a certificate.
What happens if your identity provider is down or worse yet is on the wrong side of the San Andras and moves to Alaska permanently?