jbdeboer (jbdeboer) wrote,

Password-Free Zone

While working on my hawt new web app, I was somewhat sidetracked by OpenID, the open authentication model. It allows applications to authenticate users through a side-channel. The web app redirects the user to the OpenID server to log in. Then the app connects directly to the OpenID server, which says 'Yes, this user is who they say they are'.

This is what allows you to log into blogs using, say, your Yahoo ID.

I spent a couple hours putting an OpenID server on huronbox.com. But instead of hosting a standard username and password scheme, I set it up to use my phone to authenticate. When the web app connects to my OpenID server, the server sends a random hash to my Blackberry in a message saying 'Web app XYZ wants to log you in. If this is what you want, simply reply.' I reply to that message and the OpenID server verifies that my reply included the hash it sent. Then it responds to the web app, saying 'Yep, that's James.'
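As an added illustration (not the author's huronbox.com server code, which the post does not show), here is a Python sketch of the phone challenge/response step described above, with the checks a server doing this wants in place: the token sent to the phone is random, it is accepted only once, it expires after a short window, and it is bound to the web app that asked for the login, so a reply approving one site cannot be reused for another. The class name, the two-minute lifetime and the message wording are assumptions.

```python
import secrets
import time

# Constructed example; the real server code is not in the post.
CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


class PhoneChallengeAuth:
    """Out-of-band login approval: send a random token to the user's phone,
    then accept the login only if a reply carrying that token comes back."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # token -> (relying_party, issued_at)

    def issue_challenge(self, relying_party):
        """Create a one-time token for a login requested by relying_party and
        return (token, message) where message is what is sent to the phone."""
        token = secrets.token_hex(16)          # 128 bits of randomness, not guessable
        self._pending[token] = (relying_party, self._now())
        # Naming the requesting site lets the user spot a login they did not start.
        message = (f"Web app {relying_party} wants to log you in. "
                   f"If this is what you want, reply with {token}.")
        return token, message

    def verify_reply(self, reply_text, relying_party):
        """Return True exactly once for a reply that includes a live token
        issued for relying_party; False for replays, expired tokens, tokens
        issued for a different site, or replies with no token at all."""
        for token in list(self._pending):
            if token in reply_text:
                # Single use: drop the token as soon as it is seen, whatever the outcome.
                issued_for, issued_at = self._pending.pop(token)
                if issued_for != relying_party:
                    return False               # approval was for some other site
                if self._now() - issued_at > CHALLENGE_TTL:
                    return False               # too old; user must start over
                return True
        return False

    def pending_count(self):
        """Number of challenges still waiting for a reply (for housekeeping)."""
        return len(self._pending)


if __name__ == "__main__":
    auth = PhoneChallengeAuth()
    token, msg = auth.issue_challenge("livejournal.com")
    print("sent to phone:", msg)
    print("first reply accepted:", auth.verify_reply("ok " + token, "livejournal.com"))
    print("replayed reply accepted:", auth.verify_reply("ok " + token, "livejournal.com"))
```

The reply is matched by substring because the post only says the reply must include the hash; a server could instead require the token alone. Deleting the token before any other check is what makes the approval single-use even when a later check fails.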

The net result is that now I can log into LiveJournal or a TypePad hosted blog without ever having a password. In the past, you could guess my password and break into my account; now you would need to steal my phone.

Insanely cool, and this was only possible because OpenID is, well, open. Useful? Not in the slightest. There are very few sites that accept OpenID; even with the ones that take it, you can't link an existing account to OpenID. Really cool demo, though.
