Found this fun read on SFGate.

So here’s a thing: According to New Scientist, the British journal of cool new facts, researchers at Microsoft did an interesting little study: “Acquaintances of 32 webmail users – people with whom they would not normally share their login details – were asked to try and guess the answers users assigned to protect their accounts. The volunteers managed to guess correctly nearly a fifth of the time, raising questions over how secure the commonly used system is.”

And the interesting part…

The Microsoft researchers, however, had a better plan, they thought: “Under the new system proposed by Stuart Schechter and Rob Reeder at Microsoft, users select several ‘trustees.’ If a user becomes locked out of their account their trustees receive a message asking them to download a ‘recovery code.’ The user must collect codes from multiple trustees to unlock their account.

“A group of 19 Hotmail users trialed the system and 17 successfully regained access to their Hotmail account. That 90-per-cent success rate compares favourably to [the] 80-per-cent success rate of the standard secret question system, say Schechter and Reeder. In the trial, most users recovered their accounts within two days.”

Yahoo announced a joint development collaboration between Yahoo! and JS-Kit, a leading distributed social network connecting more than 600,000 sites across the Web, including AOL, Evite, Experian, JetBlue, Sun Microsystems, and WorldNow. Through this integration, JS-Kit is making it easy for their vast network of publishers to benefit from the power of Yahoo! Updates.

Here’s how it works: Integration with the Social Directory API allows JS-Kit to display a user’s Yahoo! nickname and avatar picture on the site. Integration with the Updates API allows JS-Kit to publish an item to the Yahoo! Updates feed when a user adds a comment to a web site powered by JS-Kit. At all times, your users remain in control of their data by leveraging OAuth to broker data access between Yahoo! and JS-Kit.

Yahoo! Updates allow publishers (and publishing partners like JS-Kit), to syndicate user-generated actions (ratings, reviews, comments, favorites, and uploads) to Yahoo!’s massive global distribution network. In the coming months, as Updates are implemented across Yahoo!, publishers will enjoy referral traffic back to their sites from across the Yahoo! Network (more than 500M+ monthly unique visitors).

One of my colleagues, Allen Tom, blogged about the Y! Updates plug-in he’s developed using iGoogle as the distribution platform.

With Yahoo! Updates, sites can broadcast the activities of their users to Yahoo!’s massive global audience of over 500M+ monthly unique users. Sites integrating with Yahoo! Updates receive referral traffic from everywhere the Yahoo! Updates feed is published, including Yahoo! Messenger, Yahoo! Mail, Yahoo! Toolbar, and… even on iGoogle!

Check out his complete blog post here: http://developer.yahoo.net/blog/archives/2009/03/igoogle_open_updates.html

 

Allen's app running on iGoogle

Looks like the Yahoo Sports and SB Nation partnership went into effect last night.  SB is an aggregate of sports publishers that has pretty significant readership.  In addition to their proprietary login, they now include sign-in links using a user’s Yahoo ID (which is an explicit Yahoo/OpenID path), or the user’s OpenID.

This is a big win for the OpenID movement. 

See it in action: http://www.bigblueview.com/2009/2/25/770745/sbn-partners-with-yahoo-sp

Kudos to the Y! Sports guys for doing this type of deal.  Hope we see more of these in the future. Very cool!

OpenID UX Summit @ Facebook

February 11, 2009

I attended the OpenID UX Summit, which was hosted by the fine folks at Facebook this afternoon.  This was a collaboration event, made up of product managers, engineers, and usability designers, intended to tackle some of the usability issues associated with OpenID.

Joseph Smarr from Plaxo gave an eye-opening presentation on a test his company ran with Google.  The intent of the test was to measure a combined OpenID + OAuth authentication offering, for users with GMail accounts.

What Joseph reported was that the test saw a 92% success rate.  Yes, I said 92% success rate! 

Here is the deck the Plaxo folks presented:


Here’s a twitter hash (#openidux) of the event.

PayPal joins OpenID

January 28, 2009

From OpenId.net:

Building on the momentum from last year, the OpenID Foundation is pleased to announce the addition of PayPal as a sustaining corporate member of the Board. PayPal selected Andrew Nash, Sr. Director of Information Risk Management and a longstanding advocate for OpenID, as their representative and joins the current board of seven community elected board members and five sustaining corporate members: Google, IBM, Microsoft, VeriSign and Yahoo!. According to Andrew, PayPal decided to become a sustaining member of the Foundation for a few key reasons:

  • Open standards-based user-centric identity is clearly becoming an increasingly important part of the evolving web infrastructure
  • PayPal has significant experience and expertise with security, trust, reputation and retail transactions that can be directly relevant as OpenID expands into new market and application areas

This is certainly a positive for the push to bring OpenID to the masses as PayPal brings a wealth of practical online payments experience into the mix.  Simplifying online commerce is a golden egg, but more importantly this association may bring more credibility to the OID initiative.

From the Washington Post…

Facebook, in an increasing attempt to prove its utility beyond its own site (and hence build on its advertising potential in the long run), is expanding its Facebook Connect service on some major media and services sites, including Discovery.com, SFChronicle, Digg, Citysearch, CBS.com, Hulu and others. The Connect service allows a federated identity system of sorts, competing with other services/efforts such as OpenSocial (backed by Google and MySpace) and OpenID, and also allows Facebook services to go outside its own site onto other services. It allows Facebook users to sign in on these third-party sites, connect with their friends who also use the sites, and then share their info and action on the social networking service.

FB Connect is an interesting stance taken by Facebook, which still limits access to its users.  This is a way to attract traffic on FB, but presents limited exposure to its user data outside its walled garden.  Entities like SFGate are struggling to generate content that will attract users to its site.  The newspaper industry is grasping at straws in an attempt to hold on to readers.  It’ll be interesting to see how contained Facebook keeps things with the likes of OpenSocial and OpenID making headway.

 

Yahoo! announced a limited test of the OpenID Simple Registration extension with Plaxo and Jyte this afternoon.  This limited test will allow Yahoo! users to have certain core account information optionally passed back to Plaxo or Jyte, for the purposes of registering on those sites in a more seamless fashion.  Yahoo! users will be permitted to pass Full Name, Nickname, Email Address, Gender, Language, and Timezone.

Here is an excerpt from the Yahoo Developer Network Blog:

Today, we are announcing the start of a limited test of the Simple Registration extension for the Yahoo! OpenID service. The Simple Registration extension allows OpenID RPs to request user profile data from the OpenID provider. Yahoo! will be providing Yahoo! OpenID users the ability to share the following Simple Registration fields for this initial test: Full Name, Nickname, Email Address, Gender, Language, and Timezone. The Yahoo! OpenID user will have full control on whether to share their profile data with the OpenID relying party. We will use the Yahoo! Profiles API to populate the user card, which will be presented on the Yahoo! OpenID Review and Confirm page.

Details in the YDN user faq: https://open.login.yahoo.com/openid/op/html/us/sreg_faq.php
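As an added illustration (not code from Yahoo!, Plaxo or Jyte), here is how a relying party might request the six test fields and then accept only the returned values that are covered by the response signature. It assumes the conventional `sreg` alias and that the OpenID library has already verified the signature; the function names and the sample response are constructed for this example.

```python
from urllib.parse import urlencode, parse_qsl

SREG_NS = "http://openid.net/extensions/sreg/1.1"
# The six fields in the Yahoo! test, by their Simple Registration names.
TEST_FIELDS = ("fullname", "nickname", "email", "gender", "language", "timezone")


def sreg_request_params(optional=TEST_FIELDS):
    """Extra parameters the RP adds to its OpenID authentication request."""
    return {"openid.ns.sreg": SREG_NS, "openid.sreg.optional": ",".join(optional)}


def accepted_sreg_fields(response_qs, requested=TEST_FIELDS):
    """Return only sreg values that were requested AND are listed in openid.signed.

    Assumption: the response signature was already verified elsewhere. That
    check covers only the keys named in openid.signed, so any other key in
    the query string could have been appended after the provider signed it.
    """
    params = dict(parse_qsl(response_qs, keep_blank_values=True))
    signed = set(params.get("openid.signed", "").split(","))
    accepted = {}
    for name in requested:
        key = "sreg." + name  # openid.signed lists keys without "openid."
        if key in signed and "openid." + key in params:
            accepted[name] = params["openid." + key]
    return accepted


# Constructed sample: the user chose to share nickname and email only, and an
# unsigned fullname value was appended to the return URL.
SAMPLE_RESPONSE = urlencode({
    "openid.mode": "id_res",
    "openid.ns.sreg": SREG_NS,
    "openid.signed": "mode,claimed_id,identity,return_to,sreg.nickname,sreg.email",
    "openid.sreg.nickname": "mike",
    "openid.sreg.email": "mike@example.com",
    "openid.sreg.fullname": "Injected Name",
})

if __name__ == "__main__":
    print(sreg_request_params())
    print(accepted_sreg_fields(SAMPLE_RESPONSE))
```

Fields the user declined to share are simply absent from the result, so the registration form should fall back to asking for them.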

Plaxo was quite complimentary of us in a blog post announcing this release:

This announcement comes on the heels of Yahoo’s pioneering usability studies on OpenID, which they published for everyone to benefit from (they even went a step further by hosting an OpenID UX Summit on their campus). And Yahoo! is eating their own dogfood–they also recently streamlined and clarified their own OpenID flow. These guys are on a roll, and they’ve been great to work with!

 

Here are the TheSocialWeb.TV guys talking about the announcement

MapQuest supports OpenID

November 20, 2008

Rafe Needleman from CNet writes about some simple enhancements that MapQuest introduced into its MyMapQuest service, including OpenID support.

Since I’m sick of creating new accounts for every new service I try, I also like that you can log in to the new personalized MapQuest with my OpenID.

MapQuest continues to be relevant for a large number of users, and it also has deals with publishers who use its APIs. The cool QuickBooks data visualization service I covered recently, for example, uses MapQuest data and maps.

Eric Sachs announced on Wednesday that Google is now supporting the OpenID 2.0 protocol in a limited fashion.  They’re offering a reg form of sorts for developers to apply with their URL in order to gain access to Plaxo and Zoho.  Sachs also mentions that Google is working on an OpenID / OAuth solution in order to bring identity services to the masses.

This is a good thing for the open movement, albeit from one of our competitors.

More here: http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html

Welcome to Identity Pro

October 29, 2008

The title may be a stretch, but I thought it was time to start writing about the things that matter to me most as a technology professional.  For those that don’t know me, I work for Yahoo! in Sunnyvale, have been with them for almost 7 years, and have spent most of that time working on all things identity related.  I work in the Membership group, responsible for Yahoo’s account, registration, and authentication systems.

We’re the team that makes it possible for hundreds of millions of people to sign up for Yahoo accounts, to be able to log back into them when they want to, and to maintain core account information when they feel inclined to do so.

With the advent of so much cutting edge technology I felt as if I was missing an opportunity to a) convey some of the cool things we’re working on at Yahoo and b) force myself to be more engaged with the identity community at large.

So here it is.  We’ll see where it goes.

Mike
