Main

The New Personal Identity Portal (PIP)

Today, we are releasing a brand new version of the Personal Identity Portal (PIP). With support for two-factor authentication, the PIP remains a strong OpenID provider as VeriSign remains committed to the broad deployment of OpenID across the Internet. Beyond OpenID, the new PIP also includes some unique identity management features. As the user-centric identity movement reaches beyond authentication and attribute exchange, we wanted to evolve the PIP into an identity aggregation service that enhances control, convenience and security over personal data even when the data is scattered across non-interoperable Web sites.homepage.jpgThis theme of identity aggregation is going to remain an important product philosophy for us moving forward. Our first implementation focuses on personalization, convenience and security. This post provides a brief overview of the new features. For those of you who never read product description, you can sign up for a free PIP account here. For the more curious minds, please, read on, and let us know what you think.


Personalization and the Personal Identity Page
The Personal Identity Page allows you to aggregate public identities and presence across multiple Web sites under your OpenID. In my case, my personal identity page can be found at nico.pip.verisignlabs.com. You can see that I have chosen to aggregate my Blog, my Flickr pictures, my YouTube videos, and other personal links to provide a complete reflection of my public Web persona. With a Personal identity page, my OpenID URL now provides a simple way for people to find and discover my "aggregate me". Think of it as a modern version of public white pages. We have tried to keep it simple enough that it can be built within a few minutes, but rich enough to keep it interesting.
idpage.jpgOf course, for many, the logical place to share their identity is their social network. For that reason, we have also created a FaceBook application. As shown below, the PIP FaceBook application lets you embed your "identity carrousel" into your FaceBook profile to share it with your friends.


Convenience and 1-Click Sign-in across any Web site
The PIP 1-click sign-in service may be one of the most interesting new features. The service aims at enabling single sign on across all popular Web 1.0 and Web 2.0 sites (whether they support OpenID or not). We have devised a client-less authentication solution that only requires one single click for you to log in across your social sites (FaceBook, Yahoo!, Google, MySpace...), your travel sites (TripIt, Expedia, United...), your financial site (Wells Fargo, E*Trade, ....), almost any of your sites, really! Think of it as a password vault in the cloud. Think of it as a universal single single-sign-on Web service. 1Click.jpgSince, we did not think you wanted to give all your names and passwords to VeriSign, we have designed it in such a way that VeriSign never sees your actual names and passwords (we only receive and store an encrypted form of them and you keep the secret key for yourself). Of course, you still need to log into the PIP (that is the one required login). Unlike most existing solutions out there, there is no client to install, only an optional bookmarklet to save in your browser (the install is drag and drop in Firefox and Safari and we have an automated install script for IE6 and IE7 users). It works on Windows, and the MAC. It will work in your 3G iPhone too, making OpenID and general login really user-friendly in a mobile environment (more in my next post). Note that the Beta 1-click service only supports 70 popular Web sites at this point. If your feedback is positive, we will add many more, so once again, let us know what you like and what you dislike.1CkickJS.jpgThe bookmarklet is also a nifty navigation tool. When you are not on the login page of a Web site, it triggers a small navigation window (see above). The window displays the list of all the Web sites that you have registered with the 1-click sing-in service. Simply click any of these links; you will navigate to the site and be logged in automatically. No more URL to enter, no more name and passwords to remember or type, only your PIP OpenID!


Security and Free Digital certificates
Since the 1-click vault security hinges on the PIP authentication, we wanted to offer you a broad choice of strong authentication solutions. Last year, we enabled VIP credentials (OTP tokens) within the PIP. This year we added a free layer of security that does not require any hardware. Indeed, we are giving our PIP users a free VeriSign certificate to secure their PIP account. Certificates and PKI have often been blamed for poor user experience. Therefore, we decided to create a new user interface for logging in with a certificate. Instead of issuing an identity certificate, we are issuing what we call a "browser certificate. A browser certificate is anonymous. It does not contain any information about you. Think of it as an opaque token that you link against you PIP account to protect it (it provides a second authentication factor: "something you have". Your PIP login name and passwords remains your first authentication factor: "something you know"). You can install these certificates on Mac and Windows (as many as you need). The certificates are free. We are still working on the iPhone (we have encountered a few challenges with certificates with the iPhone Safari, but with a little help from Apple, we will get there).


Voila!
The whole PIP team has worked hard during the last 8 months to bring you all this new functionality. We are really excited to release this new version of the Personal Identity Portal to our growing PIP community. We hope you will enjoy using it as much as we enjoyed building it. Feel free to drop us a note, report bugs and make product suggestions. Our support email is support@verisignlabs.com. We are looking forward to your feedback!


08/20/08 | permalink | comments [0]

PiP and the "Fun" Test

As referenced on Mike Jones's blog, Fun Commutations has deployed a service at: http://idtheft.fun.de/ that attempts to demonstrate a man-in-the-middle based phishing attack against a number of OpenID providers using Janrain's IDSelector. Since our Personal Identity Provider or "PiP" is one of the providers included in the Selector we naturally had a look.


The good news is that there are a couple of features specifically designed in the PiP to combat the attacks noted in the demonstration. The first is found within the PiP itself. The optional feature is called "Secure Sign-On" and the way it works is that if the user has enabled it, they must first be logged into the PiP *before* they attempt to login to a RP. If they are not logged in and they attempt to login they will be presented with this message:


PIP Warning Message


The important point is that any PiP user who has enabled this knows that they must first login, so in the "Fun" case seeing a login screen while having the feature enabled would immediately flag the user that they were being phished.


Secondly, this feature combined with our SeatBelt being used in conjunction with the PiP beta product affords even more detection. With SeatBelt if a user is entering their identity URL we immediately detect whether or not the user is logged in and if they aren't we give them the option to login to their account. With SeatBelt installed Firefox 2 and 3 users can clearly see if they are on the "correct" login page through a visual indicator in their status bar. There are a number of checks SeatBelt performs to insure that the login page the user is entering their credentials into is correct for their configured OP. In addition to the PiP, SeatBelt is supported by 9 other providers some of which are listed in the selector (more on this in a follow-up post).


In addition to these features our PiP product also provides 2 factor authentication through our VeriSign Identity Protection ("VIP") Authentication Service so at the end of the day our view is balancing usability with the layering of functionality to thwart the very thing that Fun in their demo attempts to bring forward. "Secure Sign-In" backed with 2 factor authentication and SeatBelt we believe is a step to providing a level of comfort to the OpenID community in continuing to drive usage and adoption.

05/30/08 | permalink | comments [0]

Search


Categories

Blog Tools | Blogosphere | DRM | DRM | --> Digital Movies DRM | | Feeds | Identity | Miscellaneous | PIP / SeatBelt | Ping | RailsConf | RailsConf2006 | RubyonRails | Tags | VeriSign |

Archives

May 2008
March 2008
July 2007
June 2007
February 2007
August 2006
July 2006
June 2006
May 2006
March 2006
February 2006
November 2005
October 2005
September 2005

Recent Posts

PiP and the "Fun" Test
Federation 2.0: In Search of a Switzerland for Identity Portability
Friend Connect or the Deportalization of Social Networks
The Business of Identity
Been a Busy Two Weeks!
Updating the PIP
Bringing Useful Scalable Security to OpenID
OpenID IPR: Past and Future
VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace
Stopping blog spam

Comments

We encourage comments and look forward to hearing from you. Please note that VeriSign may, in our sole discretion, remove comments if they are off topic or inappropriate.
Powered by
Movable Type 4.2-en
Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.

VeriSign Legal Notices

Read our Privacy Policy