It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct
public / private data with logging on
Overview of the security principles identity, authentication and authorization.
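The distinction this bookmark draws (identity is a public, locally unique claim; authentication is a secret proof of that claim) is easiest to see when the two steps are separate functions. The following Python is an added example, not code from the bookmarked article; the account store, the biometric template index and the passwords are constructed for illustration. A biometric template here only selects an account, just as a username does; the secret still has to be proved, and an unknown name costs the same PBKDF2 evaluation as a wrong password so that timing does not reveal which identities exist.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def make_record(password):
    """Store only a salted PBKDF2 digest of the secret; the secret itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed in-memory account store. The key is the identity: public and locally unique.
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Constructed biometric index: a template id selects an account, exactly like a username does.
# A fingerprint is an identity claim (not secret, cannot be rotated), not a proof of anything.
TEMPLATES = {"fp-template-0001": "alice"}

# Decoy record so that an unknown identity still costs one PBKDF2 evaluation:
# response time then does not reveal which usernames exist.
_DECOY = make_record(secrets.token_hex(16))


def identify(name):
    """Identity step ('who are you?'): resolve a public name to an account. No secret involved."""
    return USERS.get(name)


def identify_by_template(template_id):
    """Biometrics answer the same question as a username: which account is being claimed."""
    return TEMPLATES.get(template_id)


def authenticate(name, password):
    """Authentication step ('how can you prove it?'): verify the secret against the stored hash."""
    record = identify(name) or _DECOY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    # Constant-time compare; the decoy check keeps an unknown name from ever succeeding.
    return hmac.compare_digest(candidate, record["hash"]) and record is not _DECOY
```

Note that nothing in the biometric path touches a secret: the template lookup decides which record to check, and only the password check decides whether the session is granted.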
Very clear description of the problem. Identity - "who are you?" - public assertion - locally unique. Authentication - "how can you prove it?" - secret response - non-unique. So biometrics are identity, not authentication.
How to Build a Login System for a Simple Website - NETTUTS
User Accounts
Getting OpenID Into the Browser - O'Reilly Radar
Getting OpenID Into the Browser - O'Reilly Radar - http://radar.oreilly.com/2008/12/getting-openid-into-the-browse.html
gpeerreview - Google Code
Peer review for "everyone"
We intend for the peer-review web to do for scientific publishing what the world wide web has done for media publishing. As it becomes increasingly practical to evaluate researchers based on the reviews of their peers, the need for centralized big-name journals begins to diminish. The power is returned to those most qualified to give meaningful reviews: the peers.
GPeerReview attempts to make it easy for authors to seek post-publication endorsements of their works. We provide the following tools:
* A command-line tool to digitally sign endorsements (done and available).
* A web-based version of the signing tool (about 70% done).
* Client tools for analyzing endorsement graphs to establish credibility (in planning stages).
* Additional tools to facilitate the running of endorsement organizations (in the brain-storming stages).
* Tools for analyzing citation graphs (in the brain-storming stages).
TwitterAuth: For Near-Instant Twitter Apps - Intridea Development Blog
Neat gem that uses Twitter as the login authentication for your app. Interesting idea and makes it one less thing to worry about when building a secured app.
TwitterAuth is a Rails plugin that provides a full external authentication stack for Rails applications utilizing Twitter.
Twitter API Wiki / Sign in with Twitter
pattern of authentication that allows users to connect their Twitter account with third-party services in as little as one click. It utilizes OAuth and although the flow is very similar, the authorization URL and workflow differs slightly as described below.
Use your twitter account as an openID account to sign-in
40+ Invaluable PHP Tutorials and Resources - Nettuts+
tutorials
Matasano Chargen » Blog Archive » Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
Professional crypto people don’t even get this stuff right. But if you have to encrypt something, you might as well use something that has already been tested.
Matasano Chargen
How to Add Simple Permissions into Your Simple App. Also, Thoughtbot Rules! // RailsTips by John Nunemaker
I didn't realize the automatic boolean attributes part.
how to use mixins in Rails, with loads of useful stuff about testing at the end
Shoulda examples
Authenticating Users With Facebook Connect and Google Friend Connect - Nettuts+
Most social networks have API tools that allow almost any website to authenticate users through their system. In today's tutorial, we will learn how to use
Getting Started With Restful Authentication in Rails - Nettuts+
> What is a verified account? To avoid confusion over whether an account belongs to the person it claims to, Twitter is beginning an experiment (beta test) with "verified accounts". We are working to establish authenticity for people who regularly suffer from impersonation or confusion over whether they are who they say they are. Accounts with the Verified mark are the real thing! What does that mean? With this mechanism you can easily tell which of the profiles we know about are "real" and can be trusted. It means that we have been in contact with the person or entity and that the profile has been confirmed, i.e. that it is verified. (It does not verify who is actually posting to Twitter.) It also does not mean that a profile without the "verified account" mark is fake. The great majority of accounts on Twitter are not impersonations, and we are not able to check for impersonation 100%. For now we are only verifying some profiles, in order to deal with cases of mistaken identity or impersonation. If you are unsure whether an account that has not yet been verified is genuine, you can look at the person's official website and see whether it links to their Twitter profile. (Again, the lack of a link does not mean it is an impersonation.) Whose accounts will show the "verified account" mark? We are starting with the profiles of well-known people who have problems such as impersonation or identity confusion (for example well-known artists, athletes, actors, government officials and public bodies). We plan to verify many more profiles in the future, but because of cost and time we are starting with only some accounts. As the test progresses over the coming months, we should be able to extend it to many more profiles. I am having trouble with impersonation. Can my account be verified? We cannot verify every profile, but if your account regularly has problems such as impersonation, we will help you resolve them. …
With this feature, you can easily see which accounts we know are 'real' and authentic. That means we've been in contact with the person or entity the account is representing and verified that it is approved. (This does not mean we have verified who, exactly, is writing the tweets.)
"To prevent identity confusion, Twitter is experimenting (beta testing) with a 'Verified Account' feature. We're working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a [check mark indicating they are] Verified are the real thing!"
To prevent identity confusion. Test version.
Hueniverse: Introducing 'Sign-in with Twitter', OAuth-Style "Connect"
adding site sign-in using twitter
Interesting differentiations between OpenID and OAuth ... neither of which I have played with that much. But twitter has recently implemented an OAuth solution.
From Hueniverse
Django-SocialAuth - Login via twitter, facebook, openid, yahoo, google using a single app. — The Uswaretech Blog - Django Web Development
TL;DR version: Here is an app to allow logging in via twitter, facebook, openid, yahoo, google, which should work transparently with the Django authentication system. (@login_required, User and other infrastructure work as expected.) Demo and Code. Longer version follows:
Beta Blog: Kill Your Signup Form with Rails
Tips for eliminating the signup process - other ways to discourage spam bots, and track users without passwords.
Even though the gradual engagement meme has been around for a while, and everyone just hates signup forms, they just seem to keep popping up like a bad habit. My site, Newsforwhatyoudo.com was one of the guilty parties. We saw users coming back to the site repeatedly, but not signing up. The percentage that looked at the signup form and then bolted was uncomfortably high. It was time to kill the signup form. This blog post documents how we implemented gradual engagement using Ruby on Rails and restful authentication.
Google is Now an OpenID Provider - ReadWriteWeb
give Google Account users the option to sign in to websites with their Google credentials and without having to sign up for a new account at those sites
rd data formats such as Portable Contacts and OpenSocial REST APIs."
UserCake - Opensource PHP user management system
This looks great. Object Oriented PHP 5, MySQL, easy to set up and customize. This should be a good solution for a quick project that needs user login functionality.
Chroma-Hash Demo
Chroma-Hash is a sexy, secure visualization of password field input
Kind of pointless but cool
awesome password confirmation tool using color
<elderec> a sexy, secure visualization of password field input - http://foxxtrot.github.com/Chroma-Hash/
Log in or sign up? - Leah Culver's Blog
clever signup/login ui
For one of my side projects, Leafy Chat, we have just added the concept of user accounts. This includes the need for registration and log in (as well as log out and forgot password and so on). Leafy Chat only requires an email address and a password for both registration and log in, so it would be great to have some clever way to have both forms on the homepage.
Designing login/signup for a web server
Very smart. Stealing this idea for a current project
Interesting thoughts, but I don't like the end result. People have been trained over the years on how to do login/signup. Putting them both on the same page seems like the right idea, but there's something wrong with this implementation--it looks different from most forms.
This is the way the web should work. Facebook - please join this!
Google, Yahoo! and MySpace support for OpenID
The Rails Way: Users and Passwords
a simple best practices article on handling passwords and authentication. There’s nothing particularly new here, but it’s always worthwhile revisiting the basics.
How the OAuth Security Battle Was Won, Open Web Style - ReadWriteWeb
And that's how a decentralized community solved a security threat in an open identity spec, quickly. One company (Twitter) took a risk at implementing a new technology advocated by an employee of another company (Yahoo's Hammer-Lahav), then an engineer at yet another company found the beginning of the security hole, then news of the whole problem was sent out to contacts on a Wiki, an email list was formed, companies donated their employees' valuable time to aid in the effort, everyone more or less kept their mouths shut (including the unfairly criticized Twitter) and then everyone worked together to find a solution just in time. I think that's a pretty cool story.
RT @jayrosen_nyu: I understood about 40% of this, but wow, what a story. How OAuth Security Battle Was Won, Open Web Style http://tr.im/jICt [from http://twitter.com/CircleReader/statuses/1617435709]
At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too... OAuth has support, but it doesn't have a centralized authority ready to deal with problems like this. Over the next week a story unfolded as the community moved to deal with the security issue. It's a dramatic story.
jQuery OpenID Plug-in
jQuery OpenID Plug-in
Hueniverse: Explaining the OAuth Session Fixation Attack
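For the session fixation attack that the Hueniverse post explains (and that the ReadWriteWeb story above is about), here is an added toy model, written for this page and not taken from Hueniverse or from any OAuth library, of the original OAuth 1.0 token flow beside the 1.0a fix: the consumer's callback is bound to the request token when the token is issued, and an oauth_verifier that only reaches the callback in the resource owner's browser is required to exchange it. The consumer name, callback URL and token values are invented; request signing and HTTP are left out so that only the token handling is visible.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class Provider:
    """Toy OAuth service provider: request token, user authorization, access token."""

    def __init__(self, oauth_1_0a):
        self.oauth_1_0a = oauth_1_0a   # False = original OAuth 1.0, True = the 1.0a fix
        self.request_tokens = {}
        self.access_tokens = {}        # access token -> resource owner it is bound to

    def request_token(self, consumer, callback=None):
        # 1.0a: the consumer's callback is fixed here, inside the (signed) token request.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer, "callback": callback,
                                      "user": None, "verifier": None}
        return token

    def authorize(self, token, user, callback=None):
        """Resource owner approves the token in the browser; returns the redirect URL."""
        rec = self.request_tokens[token]
        rec["user"] = user
        if self.oauth_1_0a:
            rec["verifier"] = secrets.token_hex(8)
            return "%s?oauth_token=%s&oauth_verifier=%s" % (rec["callback"], token, rec["verifier"])
        # 1.0: the callback arrives unsigned in the authorize URL and no verifier exists.
        return "%s?oauth_token=%s" % (callback, token)

    def access_token(self, consumer, token, verifier=None):
        rec = self.request_tokens.get(token)
        if rec is None or rec["consumer"] != consumer or rec["user"] is None:
            raise PermissionError("request token not authorized")
        if self.oauth_1_0a and not (verifier and secrets.compare_digest(verifier, rec["verifier"])):
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[token]   # one-shot exchange
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["user"]
        return access


# Constructed consumer identity and callback URL.
CONSUMER, CALLBACK = "consumer.example", "https://consumer.example/callback"


def consumer_callback(provider, token, callback_url):
    """Consumer's handling of GET /callback?...: exchange the token, return the owner it is bound to."""
    params = parse_qs(urlparse(callback_url).query)
    verifier = params.get("oauth_verifier", [None])[0]
    access = provider.access_token(CONSUMER, token, verifier)
    return provider.access_tokens[access]


def session_fixation(oauth_1_0a):
    """Returns the account the attacker's consumer session ends up bound to, or None if refused."""
    p = Provider(oauth_1_0a)
    # 1. Attacker starts the flow at the consumer as themself and captures the request token.
    token = p.request_token(CONSUMER, CALLBACK)
    # 2. Attacker sends the victim the authorization link; the victim approves it.
    redirect_seen_only_by_victim = p.authorize(token, "victim", CALLBACK)
    # 3. Attacker hits the consumer's callback with the token they already know;
    #    the verifier in the victim's redirect never reaches them.
    attacker_url = CALLBACK + "?oauth_token=" + token
    try:
        return consumer_callback(p, token, attacker_url)
    except PermissionError:
        return None


def honest_flow(oauth_1_0a):
    """The resource owner's own browser follows the redirect, so the verifier is present."""
    p = Provider(oauth_1_0a)
    token = p.request_token(CONSUMER, CALLBACK)
    redirect = p.authorize(token, "victim", CALLBACK)
    return consumer_callback(p, token, redirect)
```

With oauth_1_0a=False the attacker's session at the consumer is bound to the victim's account; with oauth_1_0a=True the exchange is refused while the honest flow still completes. The point the model makes is that the request token alone was never a secret shared with the right party, and 1.0a adds one that is.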
when it comes to login pages where our most sensitive data are being held. Hence, there is a need to better understand how well your login page has been implemented to be considered as really secure. In this article, you will get a list of PHP secure login tips and tricks that will definitely help you decide on your secure rating of your login page.
Ruby Best Practices - Blog
Sharing model data via ActiveResource -- good stuff.
Learning OAuth from scratch, Part 1: What is OAuth? The concept of OAuth and what it lets you do | gihyo.jp … 技術評論社 (Gijutsu-Hyohron)
The Dam Just Broke: Facebook Opens Up to OpenID - http://ow.ly/83c3 [from http://twitter.com/barbhd34/statuses/1859036448]
RT @rww Facebook Opens Up to OpenID; http://bit.ly/fNmJE (via @tweetmeme) [from http://twitter.com/jcookaz/statuses/1841594646]
RT: @rww: The Dam Just Broke: Facebook Opens Up to OpenID http://bit.ly/I5Pjv [from http://twitter.com/CircleReader/statuses/1840467882]
In a few minutes Facebook will become the biggest example of a social network that allows users to log-in with OpenID credentials granted to them by other companies' websites. Major networks have said for months that their ID could be used as OpenID, but becoming "relying parties" that accepted OpenID from elsewhere was the step everyone was waiting for. The dam has broken.
5/18/09 In a few minutes Facebook will become the biggest example of a social network that allows users to log-in with OpenID credentials granted to them by other companies' websites.
Interop: Authenticate Linux Clients with Active Directory
AT A GLANCE: How authentication works in Windows and Linux; Using Samba and Winbind; Implementation strategies; Walking through the Linux-to-Active Directory integration
Article from technet.
Random Key Generator
A variety of random keys that can be used for passwords, encryption keys, etc. - all randomly generated
Here you will find a variety of random keys that can be used for passwords, encryption keys, etc. - all randomly generated, just for you! Simply refresh this page for a completely new set of keys.
Official Google Data APIs Blog: Bringing OpenID and OAuth Together
Every OAuth provider should encapsulate OAuth authorization inside OpenID. Better UX, lesser redirects http://bit.ly/7qbfPB
OAuth-enabled APIs su
Your Gmail Account is Now An OpenID
RT @tweetlicius: Your Gmail Account is Now An OpenID - http://tcrn.ch/aAxVXq
You may not know it, but you probably have an OpenID. If you have a Yahoo account, you have an OpenID. If you have a Windows Live account, you will soon have an OpenID. And today, if you have a Google e-mail account, you can also start using your Gmail address as an OpenID. By joining the OpenID movement, Google completes the trifecta and adds all of its Gmail users to the hundreds of millions of Yahoo and Windows Live accounts that can also be used as a single login for any Website that accepts OpenID. While Google is more than happy to become an issuer of OpenIDs, what is not so clear is whether it will accept other OpenIDs for people who want to sign up for Google services.
Google appears to be an OpenID “provider,” not a “relying party.” In other words, you cannot sign into Google with your Yahoo account. But this still helps the OpenID movement as a whole because it gives smaller sites more incentive to join as “relying parties.” Among the first sites to accept Gmail accounts for sign in are Zoho and Plaxo.
Authenticating Twitter API calls with PHP & jQuery | Steve Reynolds Blog
In my previous post on this subject I spoke about making a simple call to the Twitter Search API to return some results every 30 seconds using jQuery and ajax.
Authenticating Twitter API calls with PHP & jQuery
Example of Twitter authentication with PHP
A round-up of ways to obtain a mobile phone user ID - IDEA*IDEA ～ the 百式 (100shiki) admin's lifehack blog ～
Round-up of ways to obtain mobile phone IDs
Google Code Blog: Google OpenID API - taking the next steps
Google Abandons Standards, Forks OpenID http://ow.ly/1NncJ
well they're not Microsoft but well on their way
OpenID
A rough walkthrough of what is inside the OAuth protocol - ゆろよろ日記 (yuroyoro diary)
2 lines of HTML code make your domain map to an openid provider... meaning you can type $DOMAIN_NAME into an openid space and not (gmail|yahoo|etc)
OpenID is an open standard for logging onto various web services with a single digital identity. The tool puts your online identity back in your hands—and as it turns out, OpenID on your own domain is surprisingly easy.
lifehacker.com: Setting up OpenID thru your own domain
Accessible Text CAPTCHAs: 157,500,799 logic questions
Away with image captchas http://textcaptcha.com/ #accessibility #textcaptcha
"This site provides a web service to generate text-based CAPTCHAs, based on simple logic questions."
Text Captcha is an accessible alternative to standard captcha methods and relies on logic.
How to Set Up OpenID on Your Own Domain | Smarterware
For some reason I was under the mistaken impression that setting up an OpenID on my own domain, ginatrapani.org, would be a big hassle: that I'd have to host my own OpenID server software and that it would take all sorts of installation and maintenance BS to do so. I feel strongly about owning my identity online, mapping it to my nameplate domain, and actively choosing an authorizing party instead of just accepting the sign-in service du jour like Facebook, Twitter, Yahoo, or Google. Still, I never got set up with OpenID on ginatrapani.org because my perceived hassle factor was daunting. Instead, I used idproxy.net for my OpenID and put the domain setup on my "someday I have to do that" list. It meant that my OpenID was ginatrapani.idproxy.net instead of my own domain. Idproxy is a great service and I thank them for getting me started with OpenID; but still, I want my OpenID URL to be a domain name I own and control.
How to Set Up OpenID on Your Own Domain | Smarterware
Profiles as an OpenID provider and to Chris for a great discussion of OpenID, OAuth, and verifying identity on the web.
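Both the lifehacker bookmark above ("2 lines of HTML code make your domain map to an openid provider") and this Smarterware post rely on OpenID delegation: two <link> tags in the page at your domain name the provider's endpoint and your identifier at that provider, and the relying party discovers them by fetching the claimed URL. The following Python is an added example, not code from either post or from any OpenID library; the domain, the provider URLs and the HTML pages are constructed. It performs the HTML-based discovery that the OpenID 2.0 specification defines (rel values openid2.provider and openid2.local_id, with the OpenID 1.1 openid.server and openid.delegate as fallback), and then shows the check a relying party must make when the assertion comes back: the asserted endpoint and identity must match what discovery on the claimed URL returned, otherwise any provider could assert your domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed delegation page served at the root of your own domain. The two openid2.* <link>
# tags are the whole setup; the openid.* pair is the OpenID 1.1 equivalent for older relying parties.
DELEGATION_PAGE = """<!DOCTYPE html>
<html><head>
  <title>My homepage</title>
  <link rel="openid2.provider" href="https://openid.example-provider.net/server">
  <link rel="openid2.local_id" href="https://example-provider.net/users/alice">
  <link rel="openid.server" href="https://openid.example-provider.net/server">
  <link rel="openid.delegate" href="https://example-provider.net/users/alice">
</head><body>Hello</body></html>"""

# Constructed page with only the 1.1-style tags, to exercise the fallback.
LEGACY_PAGE = """<html><head>
  <link rel="openid.server" href="https://openid.example-provider.net/server">
  <link rel="openid.delegate" href="https://example-provider.net/users/alice">
</head><body></body></html>"""


class _LinkCollector(HTMLParser):
    """Collects href by rel for <link> tags inside <head>; first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        if tag == "link" and self._in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel.lower(), a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html, claimed_id):
    """HTML-based discovery on the page fetched from claimed_id. Returns None if no OpenID tags."""
    c = _LinkCollector()
    c.feed(html)
    if "openid2.provider" in c.links:
        endpoint = c.links["openid2.provider"]
        local_id = c.links.get("openid2.local_id", claimed_id)
        version = "2.0"
    elif "openid.server" in c.links:
        endpoint = c.links["openid.server"]
        local_id = c.links.get("openid.delegate", claimed_id)
        version = "1.1"
    else:
        return None
    if urlparse(endpoint).scheme not in ("http", "https"):
        raise ValueError("provider endpoint must be an absolute http(s) URL")
    return {"claimed_id": claimed_id, "endpoint": endpoint, "local_id": local_id, "version": version}


def assertion_matches_discovery(discovered, assertion):
    """Relying-party check on a positive assertion: the provider that answered and the identity it
    asserts must be the ones discovered from the claimed URL, not whatever the response says."""
    return (assertion.get("openid.op_endpoint") == discovered["endpoint"]
            and assertion.get("openid.identity") == discovered["local_id"])
```

The discovered record is what the relying party stores in its session before redirecting the user; a response that names a different op_endpoint or identity is rejected even if its signature is valid, because a signature only proves the provider sent it, not that the provider was the one your domain delegated to.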