Webware

What's something we often use for security in the real world but not online? PIN codes. We use them at stores, banks, and ATMs, so why not use them online? For one, a QWERTY keyboard lets you create a much stronger, and often easier-to-remember password than you could with numerical digits. But PINs are still a password and can be just as good with the right precautions.

Some companies are using PIN codes to add an extra layer of security on top of what sites already offers. Here are four companies at the FinovateStartup conference doing just that.

Aradiom's SolidPass system combines a PIN and a mobile token system, where you've provisioned your phone as yet another way to secure your identity. You can enter your PIN as usual, but you need to have the mobile application running to verify that you're making a purchase. When the system verifies you through the PIN and the software app, it lets you in. This system also works on sites, so if you have something securely locked down by password, you can also require that users validate their credentials on their handsets as well.

MoBank. This U.K.-based company acts as a gatekeeper for your financial information for use on mobile commerce sites. You give it all your credentials in return for a way to use a single, secure log-in across multiple vendors. It forgoes the usual password system in place of a financial PIN that you enter at the time of the transaction. It's also smart enough to jumble up the way the PIN pad looks between transactions so malicious third-party tools can't grab your information with repeated viewings.

Online sellers can add the system to their sites, and in return the company has an app that put all those shops in one place, letting users search and purchase items they want to buy. It's only available in the U.K. for now, but co-founder and CEO Dominic Keen says it's coming to the U.S. in a few months.

The HomeATM plugs into your USB port and lets you make purchases and transfer money instantly--and securely.

(Credit: HomeATM.net)

HomeATM.net is ATM hardware for the Web. It's a physical piece of hardware you have to lug around with you. You securely enter your PIN or swipe your debit card to use for P2P money exchanges and purchases on commerce sites.

The payoff is that, unlike money-transfer systems that go off the credit and check system (which can take up to three days to clear), the money gets transferred immediately. All the while your data isn't compromised by things like keyloggers or screen-grabbing tools. The only downside is that you and the person you're sending the money to need to have the hardware.

Acculynk PIN is an additional layer of security applied to online purchases. If you're using a debit card it checks to see if it can be verified by PIN. Instead of entering the security code to confirm (which is on the physical card), you need to enter a PIN. It uses the same PIN code that's on your card and lets you enter it with a number pad that changes between presses for security's sake. In a way it's part PIN, part captcha.

With all the buzz about Facebook Connect this week, it's worth asking the question: Whatever happened to OpenID?

The universal log-in standard was created in 2005 by Brad Fitzpatrick, founder of LiveJournal, while he was working at blog software company Six Apart. (Fitzpatrick now works at Google; Six Apart has since sold LiveJournal.) It has the support of Yahoo, MySpace (which just helped build an OpenID extension for the Flock browser), and President-elect Barack Obama's Change.gov. Even Google has dipped its proverbial toe in the pool.

But it wasn't until Facebook Connect started making headlines that the concept of data portability--a single log-in across multiple sites--made the jump from the tech press to the mainstream media. OpenID, some speculated, had been left behind in the dust.

Hardly. But Wired's Michael Calore hit the nail on the head on Monday: "Presenting a dialog that asks a user to log in to one Web site using a name and password from another Web site is jarring, but Facebook has managed to keep Facebook Connect simple enough for everyday users to understand. Such ease of use virtually guarantees it will win support quickly."

The truth is, the future of the "social Web" is in expansion. And expansion invariably involves dealing with a crowd beyond the Twittering, FriendFeeding, WordPressing geeks who actually understand the concept behind data portability.

And that's not made any easier by the fact that OpenID calls itself "an open, decentralized, free framework for user-centric digital identity." Try bringing that up in the boardroom of a non-tech company looking to ride the social-networking wave. Then tell them that the most buzzed-about social network on the planet will power your site's social features. The decision will probably fall in the Facebook camp, unfortunately for the open-standards crowd and its admirable dedication to all things balanced and democratic.

"Nobody should own this. Nobody's planning on making any money from this," Fitzpatrick has said about OpenID. "The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community."

But your average company is probably going to care more about profit margins than OpenID's decentralized ideal, and the possibility of having its user activity broadcast across Facebook members' news feeds is tantalizing. Especially during tough financial times, strategy will likely trump idealism.

That said, there are some good signs for OpenID. It has a ton of support in the tech world, and if Facebook Connect's impending expansion goes awry for any reason--think Beacon--it could open up a whole new set of doors for OpenID. What it (and other open Web standards) needs either way is some image repair.

"Facebook is trying to replace all log-ins with their own, and control the creation, distribution, and application of the social graph using their proprietary platform," Chris Saad, whose DataPortability Workgroup has put its support behind OpenID and other open Web standards, wrote in a blog post. "The most scary part of this, is that while Facebook is quietly and methodically building out this vision with massive partners, the standards community is busy squabbling about naming the open alternative."

OpenID and its brethren could use a good, simplified marketing pitch, not to mention some announcements and partnerships that are more prominent than an extension for a niche Web browser. They need to use the resources that the likes of MySpace and Yahoo can provide to get more deals going and start making headlines outside of ReadWriteWeb and TechCrunch.

And most importantly, in a recession, "it's good for the Web, so it's good for everyone" just isn't concrete enough. One last tip for OpenID: Start talking business benefits.

On Wednesday Google formally announced its support as a provider for the OpenID 2.0 protocol, offering some site owners a way to let users log-in and register for new accounts using existing Google account information. More importantly, Google will be letting these same users manage all their linked account information in one central location.

This new log-in offering is not available to all site owners just yet. Google has set up a sign-up form where developers can apply with their URL and OpenID identification to get access. Plaxo and Zoho are two of the first sites to already have the new system in place, with Zoho having offered a similar option since mid-April.

As many have already noted this isn't OpenID proper. Microsoft's usage of OpenID, announced on Tuesday at PDC, will let users simply drop in their special OpenID URL as their identifier, forsaking the need for a Google account. Google's foray into this is strictly as a provider, adding extra value for those who register for a Google account, while keeping users with OpenIDs from other providers out.

Google's OpenID implementation doesn't just give sites your OpenID identifier, instead it acts as a bit of a middleman, authorizing you through it before it hands it over.

(Credit: Google Inc.)

OpenID enthusiasts shouldn't fret though. Just because Google isn't opening up its own sites to OpenID log-ins from others doesn't mean it's not around the corner. Google's Eric Sachs notes that the company is working to try and combine OpenID and identity management service OAuth, which means there's still work to be done on the personal information front. Google is unlikely to jump into being a service provider for OpenID until this is squared away.

Related: Five old-fashioned Web concepts that need to die

1Password lets you add and manage all sorts of Web log-ins in one place.

(Credit: CNET Networks)

iPhone and iPod Touch users have a fantastic new solution for keeping track of log-in credentials from site to site. It's called 1Password, and like the name suggests, you only need to remember one password to access and use your log-ins across hundreds and thousands of sites.

Like RoboForm (download) and other desktop password solutions, 1Password lets you save these log-ins under the protection of a single master password. Unfortunately, due to the limitations of Apple's SDK, you can't run 1Password while you're randomly browsing in Safari, meaning you won't be able to enjoy the ease of autofill. 1Password's workaround is to have you plug in your log-in information and the URL of where that log-in screen is located. From the application, you can simply click on the site you want to go to and it will plug all of that information into the correct fields when it opens in an in-app browser.

The application is already off to a great start, but there are some quirks that need fixing (and will be getting soon). The most glaring omission is the lack of an on-screen keyboard, meaning if there's something like a captcha or another form to fill in later on, you're out of luck. You're also unable to delete saved log-ins, so any log-in you no longer need must be repurposed instead.

Otherwise, there's a lot of power for advanced users. Once you're browsing any site, if you have to log in again for something, you can simply hit the "lock" key, which will plug in your username and password yet again. The same can be done for forms if you're willing to make a preset for that--something just fantastic when you need to enter billing information without killing your thumbs.

Mac users who want to carry over passwords from their browser can also take advantage of cross-platform sync, which will port over log-ins from their desktop to their phone and vice versa with the $35 desktop version.

[via Macrumors]

If the OpenID Foundation were a liquor cabinet, it just got stocked with some Grey Goose, Rhum Clement, and Gran Patron.

The foundation, which is pushing for a universal Internet login standard, announced on Thursday that representatives from Google, Microsoft, Yahoo, IBM, and VeriSign have become its first corporate board members. They join existing board members Scott Kveton (Vidoop), David Recordon (Six Apart), Dick Hardt (Sxip Identity), Martin Atkins (independent), Artur Bergman (Wikia), Johannes Ernst (NetMesh), Drummond Reed (Parity Communications), and executive director Bill Washburn.

Several major technology companies, including Yahoo, had already voiced support for the standard.

OpenID started as a grassroots initiative to handle an increasingly complex Internet rife with user accounts, logins, and passwords galore, and some skeptics thought that it couldn't possibly earn the approval of tech's biggest players. But its creators have gone on to build serious Web credibility, which has undoubtedly helped the standard move from an experimental geek project toward industrywide adoption.

Founder Brad Fitzpatrick, who developed the standard in 2005 while working at Six Apart, is now an engineer at Google and has been a key component of its OpenSocial developer initiative.

"Google shares the OpenID Foundation's vision of a Web that's easy to use and built on open standards available to everyone," Fitzpatrick said in a statement from the OpenID Foundation. "OpenID was always intended to be a decentralized sign-on system, so it's fantastic (for Google) to join a foundation committed to keeping it free and unencumbered by proprietary extensions."

The representatives from the OpenID Foundation's new corporate board members are Dewitt Clinton (Google), Tony Nadalin (IBM), Michael B. Jones (Microsoft), Gary Krall (VeriSign), and Shreyas Doshi (Yahoo).

In one of the most significant moves yet in the growing push toward service interoperability on the Web, tech giant Yahoo announced Thursday that it is supporting the OpenID 2.0 standard for a universal Internet log-in.

No matter what your views of Yahoo's current stability may be, this is undoubtedly a big victory for OpenID. Not so long ago, the protocol was considered a dot-com/futurist pipe dream. OpenID was created by Web 2.0 guru Brad Fitzpatrick, who founded LiveJournal and was brought on board at Google last year as one of the most prominent players in its OpenSocial developer initiative.

OpenID is designed to facilitate single log-ins for multiple unaffiliated Web sites. Gradually, large sites like AOL and Plaxo have begun supporting the standard, but it remains a tool for the Web's early-adopter set rather than the online community at large.

But recently, fueled by debate over social-networking interoperability, universal standards have been one of the most buzzed-about subjects in Web 2.0.

Yahoo, which counts its registered users at 248 million worldwide, says that supporting OpenID will mean that OpenID-compatible accounts are available to a total of 368 million Web users. When Yahoo's support of OpenID goes live, starting with a public beta launch on January 30, this will mean that a Yahoo ID can be consolidated into an OpenID account that will be valid at all partner sites.

On the flip side, sites that accept OpenID will have the option of displaying a "Sign in with your Yahoo ID" button.

As more major Web players start to sign onto OpenID--and more casual Internet users start using the standard--there will inevitably be security concerns raised. Since OpenID has no central repository for identity management, users can choose which sites they trust with their OpenIDs. But that doesn't mean they're going to always make the right decisions. Sometime in the not-so-distant future, an incident or two will likely surface that will call into question just what universal standards mean for privacy and personal security on the Web.

This is an area to watch.

There are so many useful apps that run on the Web, one could be lulled into thinking that it's possible to get by without traditional software. Certainly we can get by on the Web alone, and do e-mail, write documents, chat, videoconference, listen to music, play games, and so forth, all without leaving the browser.

The problem is that every time you go to a new site or service, you need to log in to it. There are hacks to make this easier (I use Roboform to manage passwords), but we shouldn't need to have a different login for every service. It's a pain in the neck.

There is some chance that OpenID could clear things up. It's a clever solution that's based on the premise that if you log in to a known secure service, that site can authenticate you to other services. But I fear OpenID is too conceptually different from the standard signon-with-password concept for consumers to grasp.

Here's what I'd like to see: The Google login used to authenticate other services. We've already got a suite of apps that we can access from one Google ID. Wouldn't it be useful if Google offered authentication as a service to other Web 2.0 sites?

This isn't an original idea. Microsoft has been trying to create the universal login for years. And actually, I would not be surprised to see this sooner from Amazon, which already has a full suite of Web services that developers can tap into; if the login service used Amazon.com IDs, it'd be very useful.

This is one of the great things about Facebook: Once you're logged in, for the most part you don't need to create a new user identify when you add new apps to your profile. The rest of the Web should be so easy.

I'm a sucker for password tools. Since signing on with Webware late last year, I've since amassed a collection of site log-ins the size of a pulp romance novel, and despite my youthful brain, remembering all of them is clearly impossible. A solution I've been using for some months is Roboform, which is a small piece of software that will let you keep your user names and passwords safely tucked away, combined with a browser plug-in that will automatically log you in to each site. This morning I've been playing around with a new feature from PassPack (review), which does the same thing sans software.

It's called 1-Click Auto Login, and as the name suggests, it will log you in to any site using the passwords you're stored in PassPack's password manager. All you have to do is enable the feature on your PassPack account, and drag a simple bookmarklet up to your browser's toolbar, or favorites folder. From then on, if you're visiting a site that's been added to your list of passwords, clicking the "PassPack It!" bookmarklet will autofill your log-in credentials. If you've got the one-click option enabled (it's off by default), it will go the next step and log you in automatically.

If you've got your login information setup, clicking the bookmarklet will automatically log you in to a site.

(Credit: CNET Networks)

On the security side, since the bookmarklet pulls up your log-in credentials, and can be added to multiple browsers on multiple machines, you can deactivate it remotely and without having to from machine to machine. Likewise, you can reactivate all instances at once if you feel like locking things up when away from your machine.

There is one big snag when comparing this feature to Roboform. PassPack doesn't handle multiple log-ins for the same site with grace. When visiting a site with multiple accounts, PassPack will defer to the newer log-in for that site. Roboform, on the other hand, pops up to give you a small list of log-ins you can pick and choose from. I find this feature especially helpful when accessing one of my Google accounts, as I've got three I use in heavy rotation.

Clipperz, a competing online password management system, has a similar feature called "Direct Login" that closely emulates this multi-log-in list functionality. You can pick your login credentials from a sidebar which is summoned using a bookmarklet, and you're good to go. The service offers nearly the same feature set you get from PassPack, although Passpack has a few I find particularly helpful such as tagging and an offline mode that lets you access your passwords and make changes without an internet connection. There's a really great comparison chart put together by PassPack's CEO, that showcases some of the differences and similarities. If you're on the fence about which service fits your needs, it's a good read.

Which ever tool you choose, I'd highly recommend using one of these services to save and access your casual site log-ins if you've got more than a dozen. They're extremely helpful when it comes to accessing sites you signed up for months ago. As for financial services (banks, credit cards, and so on) and e-mail accounts with sensitive information, you're better off using your noggin.

(Credit: Devicescape)

Devicescape is a free Wi-Fi helper service that was announced at the Demo 07 conference this past week. It's designed to take the struggle out of connecting to various commercial Wi-Fi hot spots while on the go. After downloading the low profile Devicescape application to your PC, Windows Mobile smart phone, or Wi-Fi-enabled handset, you can instantly connect without having to manage log-ins or remember passwords.

The Devicescape client works with a number of Wi-Fi services, most notably T-Mobile's HotSpot service, which can be found in over 8,000 locations (mostly Starbucks). Devicescape is at work on interoperability with Wayport, the Wi-Fi service you find at McDonalds, Hertz, and hotels like Hilton and Marriott.

Devicescape is an ideal service for road warriors and prepared travelers. Managing several different hot spots (airport, hotel, coffee shop) can be a pain, which is why automating the log-in process is a great idea. It's also a nice prospect to pair Devicescape with a VoIP handset since managing log-ins on a 12-digit keypad can be a struggle. There is one catch to using Devicescape: You have to know which services you're planning to use and the log-ins for each, which is why it's a service aimed at the prepared among us.