Martin Atkins (mart) wrote in apparentlymart,

Client Certificates: It's easy, man!

MyOpenID.com recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but I always assumed that it'd never work due to it being complicated and difficult for users to understand. PKI is too complicated for users to understand, right? Why else would almost every site in existence still use passwords as the primary authentication mechanism?

With some scepticism I tried out the client certificate feature on MyOpenID.com. I logged in, went to my account settings, clicked on the “Add a Certificate” button and immediately my browser (Opera) took over and asked me to choose a password to protect my client certificates. I entered one. It then asked me to confirm that I wanted to install the cert. I clicked “Install”. Then it was done. Surely that can't be all there is to it?

So I logged out and went back to the login screen. I elected to log in using a client cert. Opera asked for that password I entered earlier, and then I was logged in. Magic!

Of course, MyOpenID.com still needs to keep around the username/password support because I may need to log in when I'm not on a computer with a client cert installed. On computers I control, however, I know that I should not enter my username/password at MyOpenID.com ever again.

This is one of the great things about OpenID: MyOpenID.com can innovate, and suddenly I benefit from what they develop across every OpenID-enabled site. The hard work can be done in one place and have benefits across the web. I expect that this is just the beginning of the innovation we'll see in the future as OpenID becomes more widespread and OpenID Providers begin to compete with one another on features such as this.

Tags: myopenid, openid, phishing, tls