OpenID and ASP.NET web sites

andarno — Tue, 15 Apr 2008 01:21:10 GMT

If you are a web developer I hope you've considered accepting OpenID credentials for logging in your users. If you have an ASP.NET web site, the process of adding OpenID support to your web site couldn't be easier when you use the free C# DotNetOpenId library.

Supporting OpenID is a great idea:

No more "I forgot my username/password" pages.
No more "Change Password" pages.
Your users have one less username/password to make-up/reuse when they join your site.
Users who prefer greater security than a username/password provides can choose an OpenID Provider that provides that assurance, without you having to enhance your site.
It's free. And so are the libraries that you can drop in to add support for it.

Where are the InfoCard sites?

andarno — Thu, 06 Sep 2007 16:53:54 GMT

InfoCard is the greatest invention since the web browser! In my opinion anyway. If you don't agree or you haven't heard of InfoCard, please read from the www.identityblog.com, and in particular the post on the Laws of Identity. It's really quite impressive what engineering problems InfoCard has been able to solve.

I'm just getting impatient with web sites to start accepting InfoCard. It's not that hard to accept InfoCard on your site. Microsoft has released tools to help. There are also 3rd-party implementations already available for ASP.NET, Ruby, PHP, Python, and Java.

But what's really scary...

But what is really scary (to me), is this tendency that is picking up for web sites to say "Log in with your Google Account" or "Log in with your PayPal account" or Amazon account, or Windows Live ID or whatever. What assurance do we have when we pass our private credentials to some rogue site that those credentials are being safely passed to the site they claim?

If I'm logging into blogger.com, I'm asked for my Google Account username and password. Ok, so I happen to know Google owns Blogger, so I'm going to feel comfortable (mostly) passing my Google credentials to Blogger. But if phishing is so successful already, what's to stop me from putting up an impressive-looking site and putting up a login that says "Don't create another account to manage! Log in with your Google Account now!" How many people will just assume I have a partnership with Google?

Amazon is going to be sharing their login system, and Windows Live ID recently shared out theirs as well. This problem is just getting bigger.

The solution is already here

Now if we just switch to InfoCards, we can completely safely pass our cards to any web site. Since they are encrypted, we could even pass our card encrypted for PayPal to eBay.com for eBay to pass onto PayPal to verify our identity for payment without eBay ever knowing our PayPal credentials. (Again, eBay happens to own PayPal but you get the idea... other sites use PayPal in the same way).

Let's get to adding InfoCard logins to our web sites, people. Let's build a safer community for everyone.

Andrew Arnott : Identity

OpenID and ASP.NET web sites

Where are the InfoCard sites?

But what's really scary...

The solution is already here