Jan 29

Brady Forrest

Brady Forrest

OpenID, Get it from Yahoo! & Avoid Phishing


OpenID, the lightweight, decentralized identity system (Radar post) had an interesting weekend. There is now a method for using your Yahoo ID with OpenID (unofficial, but sanctioned) and there are new measures designed to reduce the risk of phishing.
First, ex-Yahoo Simon Willison has created a proxy to allow you to use your Yahoo Id as an OpenID., launched today, is my attempt at speeding up the process. It uses Yahoo!’s Browser-Based Authentication API to allow you to sign in with a Yahoo! account, then lets you create one or more OpenIDs (of the form to use with sites that support the OpenID standard.
In effect, it lets you use your Yahoo! account as an OpenID.

Click thru for more..

I've used it. It works (as seen in the image above). It took me all of 30 seconds to create an OpenID via Simon's server. Yahoo! as you can see below allows you disable the connection quite easily and does a good, non-scary job of explaining what you are doing when you press the "Allow" button. From the Yahoo! page:

Now we need your permission!
In order to use, you need to give us permission that may recognize you once you return to this application.
Keep in mind:
* will not be able to access any data you keep on Yahoo! other than the data identified above.
* The permission will expire in 2 weeks.
* You can change this permission by visiting Account Info and selecting the Partner Accounts link. Note that revoking permission may take up to 24 hours.
* If you change your password, you may be required to give permission again.
* Yahoo! has no affiliation with and cannot guarantee the security of any user data that you permit to access.

For further reading also check out Sam Sethi's thoughts on this topic; based on his tip I am going to try Sxip's new Firefox plugin Sxipper to manage my various OpenIDs - I'll report back later. [Found via Techmeme and currently on Digg]

Second, it's notable the OpenID developer community has responded to the phishing concerns. If you are not aware, phishing is when a malicious website pretends to be another website (GMail, Yahoo!, MySpace) in order to get your login information (protect yourself, learn more). When logging in to a site with OpenID you are redirected away form that original site to your OpenID provider -- this is a prime place for a phishing site to harvest your credentials. Because of these concerns it was great to see Scott Kveton posting that MyOpenID, an OpenID provider, is implementing two methods to try to combat phishing. From his post:

  • Personal Icon: A Personal Icon is a picture that you can specify that is presented to you in the title bar of MyOpenID every time you visit the site. The image is shown based on a cookie that is not tied to your account. This aids in fighting phishing as you’ll get used to seeing the same picture at the top of the page every time you sign in. If you don’t see it, then something might be up. Carl worked on this feature for us over the last few days and it employs several of the techniques discussed on the list to make it happen. You can see the picture next to this text that shows my Personal Icon which is a picture of my son Živio in the bathtub.
  • SafeSignIn: The SafeSignIn feature was inspired by Simon Willison and was implemented by Mike on our Identity Provider team. SafeSignIn is an option that users can set on their settings page that makes it so you cannot be redirected to your to enter a password. If you are redirected to from another site, you are presented with the dialog you see below prompting you to either use a bookmark or enter the address in your location bar in the browser. This is an optional feature but we highly recommend you enable it.
Simon Willison has implemented similar measures for (he uses MonsterID for the personal icon).

Working on phishing and unofficial support by another large company (Six Apart is a major backer) will hopefully get some more mainstream movement happening in this space. As our previous post noted, OpenID is on the upswing, but it still needs to gain acceptance at more, larger sites. I think it is safe bet that Yahoo! will be the next member of the Alexa 100 to implement OpenID.
Kaliya Hamlin, Identity Woman, will be doing a session on User-centric Identity Systems (including OpenID) and David Recordon (Verisign) will give a session on Implementing OpenID at the Web 2.0 Expo this April. Simon Willison will also be speaking.

tags: web 2.0  | comments: 9   | Sphere It

Previous  |  Next

0 TrackBacks

TrackBack URL for this entry:

Comments: 9

  Marco Barulli [01.29.07 04:48 AM]

the title of your post is misleading ...

I think that the both "solution" and the two methods implemented in MyOpenID add very little to the overall security of OpenID.

It seems like everyone is eager to support and integrate OpenID, but nobody really cares about the incresead exposure to phishing.

And the new OpenID 2.0 draft keeps not addressing this problem ...

I've written more on this issue here: "OpenID, before you get too excited".

What do you think?

  Marc Hedlund [01.29.07 06:57 AM]

I think Marco is right.

  Emory [01.29.07 07:00 AM]

If you're looking for another OpenID provider, I'm a little biased but I have to suggest you take a look at the VeriSign PIP:

  Anonymous [01.29.07 08:28 AM]

There's also which does OpenID-based e-mail.

  Michael Sparks [01.29.07 06:01 PM]

What confuses me is the number of people who think they can "fix" the OpenID phishing problem by fixing the providers of OpenIDs. The problem with PayPal phishing is not PayPal. The problem with Amazon phishing is not Amazon. The problem with RandomBank phishing is not RandomBank. The problem with OpenID-from-providerX is not providerX.

The problem is the user's willingness to hand over their data to forms that are at best only vaguely similar to the original website.

I DO like OpenID it's a great step forward towards where we need to go, and it fits the maxim that we've bounced around for some time that any sufficiently complex and heavy network technology is likely to be replaced by something that can be engineered by a small team over a weekend when the underlying tech is in place. However, I haven't seen any "solution" so far to OpenID's phishing problem that really takes note of the fact that the OpenID providers themselves are not the problem.

  Anonymous [01.30.07 03:13 AM]


  Dmitry Shechtman [01.31.07 01:57 PM]


You can't "fix" the users, so this has to be either an provider-based or a browser-based solution.

  Amir Guindehi [02.07.07 03:55 AM]

To prevent the pishing problem couldn't we simply move the authentication page of the OpenID provider to a SSL secured page?

That way you could be sure that the server you get redirected to is the one which you expect it to be...

  JD [09.21.07 02:21 PM] has solved these issues with phishing as well as other threats with no hardware or hassle. I think it is the strongest solution for this space. Plus now it will save my passwords and allow access to any website, openid or not!

Post A Comment:

 (please be patient, comments may take awhile to post)

Type the characters you see in the picture above.