Pages tagged authentication:

It’s Me, and Here’s My Proof: Why Identity and Authentication Must Remain Distinct
http://technet.microsoft.com/en-us/library/cc512578.aspx

public / private data with logging on
Overview of the security principles identity, authentication and authorization.
Security
Very clear description of the problem. Identity - "who are you?" - public assertion - locally unique. Authentication - "how can you prove it?" - secret response - non-unique. So biometrics are identity, not authentication.
How to Build a Login System for a Simple Website - NETTUTS
http://nettuts.com/videos/screencasts/how-to-build-a-login-system-for-a-simple-website/
login tutorial
Building a simple login system in PHP
Tutorial on building a login system
User Accounts
Getting OpenID Into the Browser - O'Reilly Radar
http://radar.oreilly.com/2008/12/getting-openid-into-the-browse.html
gpeerreview - Google Code
http://code.google.com/p/gpeerreview/
Peer review for "everyone"
We intend for the peer-review web to do for scientific publishing what the world wide web has done for media publishing. As it becomes increasingly practical to evaluate researchers based on the reviews of their peers, the need for centralized big-name journals begins to diminish. The power is returned to those most qualified to give meaningful reviews: the peers.
GPeerReview attempts to make it easy for authors to seek post-publication endorsements of their works. We provide the following tools: * A command-line tool to digitally sign endorsements (done and available). * A web-based version of the signing tool (about 70% done). * Client tools for analyzing endorsement graphs to establish credibility (in planning stages). * Additional tools to facilitate the running of endorsement organizations (in the brain-storming stages). * Tools for analyzing citation graphs (in the brain-storming stages).
TwitterAuth: For Near-Instant Twitter Apps - Intridea Development Blog
http://intridea.com/2009/3/23/twitter-auth-for-near-instant-twitter-apps
Neat gem that uses Twitter as the login authentication for your app. Interesting idea and makes it one less thing to worry about when building a secured app.
TwitterAuth is a Rails plugin that provides a full external authentication stack for Rails applications utilizing Twitter.
Twitter API Wiki / Sign in with Twitter
http://apiwiki.twitter.com/Sign-in-with-Twitter
pattern of authentication that allows users to connect their Twitter account with third-party services in as little as one click. It utilizes OAuth and although the flow is very similar, the authorization URL and workflow differs slightly as described below.
Use your twitter account as an openID account to sign-in
40+ Invaluable PHP Tutorials and Resources - Nettuts+
http://net.tutsplus.com/articles/web-roundups/40-invaluable-php-tutorials-and-resources/
tutorials
Matasano Chargen » Blog Archive » Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!
http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
A-E
UTF8Encoding
Professional crypto people don’t even get this stuff right. But if you have to encrypt something, you might as well use something that has already been tested.
Matasano Chargen
How to Add Simple Permissions into Your Simple App. Also, Thoughtbot Rules! // RailsTips by John Nunemaker
http://railstips.org/2009/4/20/how-to-add-simple-permissions-into-your-simple-app-also-thoughtbot-rules
I didn't realize the automatic boolean attributes part.
how to use mixins in Rails, with loads of useful stuff about testing at the end
Shoulda examples
Authenticating Users With Facebook Connect and Google Friend Connect - Nettuts+
http://net.tutsplus.com/tutorials/other/authenticating-users-with-facebook-connect-and-google-friend-connect/
Most social networks have API tools that allow almost any website to authenticate users through their system. In today's tutorial, we will learn how to use
Getting Started With Restful Authentication in Rails - Nettuts+
http://net.tutsplus.com/tutorials/ruby/getting-started-with-restful-authentication-in-rails/
authlogic
Twitter
http://twitter.com/help/verified
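>What is a Verified Account? To avoid confusion over whether an account really belongs to the person it claims to, Twitter is beginning an experiment (beta test) with "Verified Accounts". We are working to establish authenticity for people who regularly suffer from impersonation or identity confusion. Accounts marked Verified are the real thing! What does this mean? With this feature, you can easily tell which of the profiles we know are "real" and trustworthy. It indicates that we have been in contact with the person or entity and that the profile has been confirmed, meaning it has been verified. (This does not verify who is actually writing on Twitter.) This also does not mean that profiles without the "Verified Account" mark are fake. The vast majority of accounts on Twitter are not impersonations, and we cannot check for impersonation 100% of the time. For now, we are only verifying some profiles in order to deal with cases of mistaken identity or impersonation. If you are unsure whether an account that has not yet been verified is real, you can check that person's official website and see whether it links to their Twitter profile. (Again, the absence of a link does not mean the account is an impersonation.) Whose accounts will show the "Verified Account" mark? We will begin by verifying the profiles of well-known people who have problems with impersonation or identity confusion (for example, well-known artists, athletes, actors, government officials and public agencies). We plan to verify many more profiles in the future, but because of cost and time we are starting with only some accounts. As the test progresses over the coming months, we should be able to extend it to many more profiles. I'm having trouble with impersonation. Can I get my account verified? We cannot verify every profile, but if your account regularly has problems such as impersonation, we will help work toward a solution. …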
With this feature, you can easily see which accounts we know are 'real' and authentic. That means we've been in contact with the person or entity the account is representing and verified that it is approved. (This does not mean we have verified who, exactly, is writing the tweets.)
"To prevent identity confusion, Twitter is experimenting (beta testing) with a 'Verified Account' feature. We're working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a [check mark indicating they are] Verified are the real thing!"
"With this feature, you can easily see which accounts we know are 'real' and authentic. That means we've been in contact with the person or entity the account is representing and verified that it is approved. (This does not mean we have verified who, exactly, is writing the tweets.)"
To prevent identity confusion. Test-Version.
To prevent identity confusion, Twitter is experimenting (beta testing) with a 'Verified Account' feature. We're working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis.
Hueniverse: Introducing 'Sign-in with Twitter', OAuth-Style "Connect"
http://www.hueniverse.com/hueniverse/2009/04/twitter-connect.html
adding site sign-in using twitter
Interesting differentiations between OpenID and OAuth ... neither of which I have played with that much. But twitter has recently implemented an OAuth solution.
From Hueniverse
Django-SocialAuth - Login via twitter, facebook, openid, yahoo, google using a single app. — The Uswaretech Blog - Django Web Development
http://uswaretech.com/blog/2009/08/django-socialauth-login-via-twitter-facebook-openid-yahoo-google/
Here is an app to allow logging in via twitter, facebook, openid, yahoo, google, which should work transparently with Django authentication system.
TL;DR version: Here is an app to allow logging in via twitter, facebook, openid, yahoo, google, which should work transparently with Django authentication system. (@login_required, User and other infrastructure work as expected.) Demo and Code. Longer version follows:
Beta Blog: Kill Your Signup Form with Rails
http://blog.henriquez.net/2009/08/kill-your-signup-form-with-rails.html
Even though the gradual engagement meme has been around for a while, and everyone just hates signup forms, they just seem to keep popping up like a bad habit.
Ok.
Tips for eliminating the signup process - other ways to discourage spam bots, and track users without passwords.
Even though the gradual engagement meme has been around for a while, and everyone just hates signup forms, they just seem to keep popping up like a bad habit. My site, Newsforwhatyoudo.com was one of the guilty parties. We saw users coming back to the site repeatedly, but not signing up. The percentage that looked at the signup form and then bolted was uncomfortably high. It was time to kill the signup form. This blog post documents how we implemented gradual engagement using Ruby on Rails and restful authentication.
Google is Now an OpenID Provider - ReadWriteWeb
http://www.readwriteweb.com/archives/google_is_now_an_openid_provider.php
give Google Account users the option to sign in to websites with their Google credentials and without having to sign up for a new account at those sites
rd data formats such as Portable Contacts and OpenSocial REST APIs."
UserCake - Opensource PHP user management system
http://usercake.com/
This looks great. Object Oriented PHP 5, MySQL, easy to set up and customize. This should be a good solution for a quick project that needs user login functionality.
Chroma-Hash Demo
http://foxxtrot.github.com/Chroma-Hash/
Chroma-Hash is a sexy, secure visualization of password field input
Kind of pointless but cool
awesome password confirmation tool using color
<elderec> a sexy, secure visualization of password field input - http://foxxtrot.github.com/Chroma-Hash/
Log in or sign up? - Leah Culver's Blog
http://blog.leahculver.com/2009/11/log-in-or-sign-up.html
clever signup/login ui
For one of my side projects, Leafy Chat, we have just added the concept of user accounts. This includes the need for registration and log in (as well as log out and forgot password and so on). Leafy Chat only requires an email address and a password for both registration and log in, so it would be great to have some clever way to have both forms on the homepage.
Designing login/signup for a web server
Very smart. Stealing this idea for a current project
Interesting thoughts, but I don't like the end result. People have been trained over the years on how to do login/signup. Putting them both on the same page seems like the right idea, but there's something wrong with this implementation--it looks different from most forms.
http://www.youtube.com/watch?v=DHhHgwQ0xKU
share
"So after probably far too much research, I've come up with the following single register/log in form for Leafy Chat. Log in Sign up The form updates via JavaScript when the user selects a radio button. For the log in form, notice that the submit button says "Log in" and there is a link to retrieve a forgotten password. For the sign up form, the label for the password field prompts the user to "Choose a password" and "Sign up!" while also accepting the terms of service. I like this design because a user can either log in or sign up directly from the homepage and the radio buttons stand out and make the options clear to the user. I love that the page dynamically updates to provide relevant help for the chosen form. Also, the user can easily correct any errors without re-entering their email/password. What do you think?
OpenID: Now more powerful and easier to use! | OpenID
http://openid.net/2009/09/25/more-powerful-and-easier-to-use/
This is the way the web should work. Facebook - please join this!
Google, Yahoo! and MySpace support for OpenID
The Rails Way: Users and Passwords
http://www.therailsway.com/2009/8/3/users-and-passwords
a simple best practices article on handling passwords and authentication. There’s nothing particularly new here, but it’s always worthwhile revisiting the basics.
How the OAuth Security Battle Was Won, Open Web Style - ReadWriteWeb
http://www.readwriteweb.com/archives/how_the_oauth_security_battle_was_won_open_web_sty.php
And that's how a decentralized community solved a security threat in an open identity spec, quickly. One company (Twitter) took a risk at implementing a new technology advocated by an employee of another company (Yahoo's Hammer-Lahav), then an engineer at yet another company found the beginning of the security hole, then news of the whole problem was sent out to contacts on a Wiki, an email list was formed, companies donated their employees' valuable time to aid in the effort, everyone more or less kept their mouths shut (including the unfairly criticized Twitter) and then everyone worked together to find a solution just in time. I think that's a pretty cool story.
RT @jayrosen_nyu: I understood about 40% of this, but wow, what a story. How OAuth Security Battle Was Won, Open Web Style http://tr.im/jICt [from http://twitter.com/CircleReader/statuses/1617435709]
At some point in conversation Hammer-Lahav realized that the problem went far beyond the Twitter implementation. The OAuth protocol had an inherent vulnerability; big companies like Google, Netflix and Yahoo had implemented OAuth and scores of tiny startups had too... OAuth has support, but it doesn't have a centralized authority ready to deal with problems like this. Over the next week a story unfolded as the community moved to deal with the security issue. It's a dramatic story.
jQuery OpenID Plug-in
http://jvance.com/pages/JQueryOpenIDPlugin.xhtml
The jQuery OpenID Plugin is a free plugin to add easy login support for the most popular OpenID RP's such as Google, Yahoo, AOL, and more. The inspiration for this plugin is based on openid-selector, openid-realselector, and ID Selector. This selector is different because it does not hide the markup details in javascript. Therefore, you can easily add new providers or rearrange the existing ones without digging into the javascript. The login form will still work for normal OpenID logins if javascript is disabled (see screenshot). jQueryOpenIdPlugin The plugin defaults to the first provider in the list which in the above case is a normal OpenID login box. There are two other types of providers, direct providers and username providers. A direct provider does not require any input and will automatically direct you to the provider login page. A user provider assists in building your OpenID URL. For example, Google and Yahoo are direct providers and AOL is a username provider tha
Hueniverse: Explaining the OAuth Session Fixation Attack
http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html
PHP Secure Login Tips And Tricks - Hungred Dot Com
http://hungred.com/useful-information/php-secure-login-tips-and-tricks/
when it comes to login pages where our most sensitive data are being held. Hence, there is a need to better understand how well your login page has been implemented to be considered as really secure. In this article, you will get a list of PHP secure login tips and tricks that will definitely help you decide on your secure rating of your login page.
Ruby Best Practices - Blog
http://blog.rubybestpractices.com/posts/gregory/rails_modularity_1.html
Sharing model data via ActiveResource -- good stuff.
Learning OAuth from Scratch: Part 1, What Is OAuth? OAuth Concepts and What You Can Do with OAuth | gihyo.jp … 技術評論社
http://gihyo.jp/dev/feature/01/oauth/0001
On the Unique IDs of Each Mobile Carrier (All Carriers Covered) - ぱらめでぃうす
http://parame.mwj.jp/blog/0273
The Dam Just Broke: Facebook Opens Up to OpenID - ReadWriteWeb
http://www.readwriteweb.com/archives/the_dam_just_broke_facebook_opens_up_to_openid.php
The Dam Just Broke: Facebook Opens Up to OpenID - http://ow.ly/83c3 [from http://twitter.com/barbhd34/statuses/1859036448]
RT @rww Facebook Opens Up to OpenID; http://bit.ly/fNmJE (via @tweetmeme) [from http://twitter.com/jcookaz/statuses/1841594646]
RT: @rww: The Dam Just Broke: Facebook Opens Up to OpenID http://bit.ly/I5Pjv [from http://twitter.com/CircleReader/statuses/1840467882]
In a few minutes Facebook will become the biggest example of a social network that allows users to log-in with OpenID credentials granted to them by other companies' websites. Major networks have said for months that their ID could be used as OpenID, but becoming "relying parties" that accepted OpenID from elsewhere was the step everyone was waiting for. The dam has broken.
5/18/09 In a few minutes Facebook will become the biggest example of a social network that allows users to log-in with OpenID credentials granted to them by other companies' websites.
Interop: Authenticate Linux Clients with Active Directory
http://technet.microsoft.com/en-au/magazine/dd228986.aspx
AT A GLANCE: How authentication works in Windows and Linux; Using Samba and Winbind; Implementation strategies; Walking through the Linux-to-Active Directory integration
Article from technet.
Random Key Generator
http://randomkeygen.com/
Password
A variety of random keys that can be used for passwords, encryption keys, etc. - all randomly generated
Here you will find a variety of random keys that can be used for passwords, encryption keys, etc. - all randomly generated, just for you! Simply refresh this page for a completely new set of keys.
Official Google Data APIs Blog: Bringing OpenID and OAuth Together
http://googledataapis.blogspot.com/2009/01/bringing-openid-and-oauth-together.html
Every OAuth provider should encapsulate OAuth authorization inside OpenID. Better UX, lesser redirects http://bit.ly/7qbfPB
OAuth-enabled APIs su
Your Gmail Account is Now An OpenID
http://www.techcrunch.com/2008/10/29/your-gmail-account-is-now-an-openid/
RT @tweetlicius: Your Gmail Account is Now An OpenID - http://tcrn.ch/aAxVXq
You may not know it, but you probably have an OpenID. If you have a Yahoo account, you have an OpenID. If you have a Windows Live account, you will soon have an OpenID. And today, if you have a Google e-mail account, you can also start using your Gmail address as an OpenID. By joining the OpenID movement, Google completes the trifecta and adds all of its Gmail users to the hundreds of millions of Yahoo and Windows Live accounts that can also be used as a single login for any Website that accepts OpenID. While Google is more than happy to become an issuer of OpenIDs, what is not so clear is whether it will accept other OpenIDs for people who want to sign up for Google services.
Google appears to be an OpenID “provider,” not a “relying party.” In other words, you cannot sign into Google with your Yahoo account. But this still helps the OpenID movement as a whole because it gives smaller sites more incentive to join as “relying parties.” Among the first sites to accept Gmail accounts for sign in are Zoho and Plaxo.
Authenticating Twitter API calls with PHP & jQuery | Steve Reynolds Blog
http://www.reynoldsftw.com/2009/02/authenticating-twitter-api-calls-with-php-and-jquery/
In my previous post on this subject I spoke about making a simple call to the Twitter Search API to return some results every 30 seconds using jQuery and ajax.
Authenticating Twitter API calls with PHP & jQuery
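Example of Twitter authentication with PHP
Summary of Ways to Get a Mobile Phone's User ID - IDEA*IDEA ~ The 百式 Administrator's Lifehack Blog ~
http://www.ideaxidea.com/archives/2009/03/how_to_get_user_id_on_mobile.html
"The retrieval methods use PHP"
Summary of ways to get a mobile phone's user ID
Summary of ways to get mobile phone IDs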
Google Code Blog: Google OpenID API - taking the next steps
http://google-code-updates.blogspot.com/2009/05/google-openid-api-taking-next-steps.html
Google Abandons Standards, Forks OpenID — The NeoSmart Files
http://neosmart.net/blog/2008/google-doesnt-use-openid/
Google Abandons Standards, Forks OpenID http://ow.ly/1NncJ
well they're not Microsoft but well on their way
Connecting Ideas
OpenID
A Rough Walkthrough of What's Inside the OAuth Protocol - ゆろよろ日記
http://d.hatena.ne.jp/yuroyoro/20100506/1273137673
How to Authenticate Users With Facebook Connect | Nettuts+
http://net.tutsplus.com/tutorials/php/how-to-authenticate-your-users-with-facebook-connect/
How to Set Up OpenID on Your Own Domain
http://lifehacker.com/5566470/how-to-set-up-openid-on-your-own-domain
2 lines of HTML code make your domain map to an openid provider... meaning you can type $DOMAIN_NAME into an openid space and not (gmail|yahoo|etc)
OpenID is an open standard for logging onto various web services with a single digital identity. The tool puts your online identity back in your hands—and as it turns out, OpenID on your own domain is surprisingly easy.
lifehacker.com: Setting up OpenID thru your own domain
Accessible Text CAPTCHAs: 157,500,799 logic questions
http://textcaptcha.com/
Away with image captchas http://textcaptcha.com/ #accessibility #textcaptcha
"This site provides a web service to generate text-based CAPTCHAs, based on simple logic questions."
Text Captcha is an accessible alternative to standard captcha methods and relies on logic.
How to Set Up OpenID on Your Own Domain | Smarterware
http://smarterware.org/6286/how-to-set-up-openid-on-your-own-domain
Thanking @ginatrapani
OpenID
using Google.
For some reason I was under the mistaken impression that setting up an OpenID on my own domain, ginatrapani.org, would be a big hassle: that I'd have to host my own OpenID server software and that it would take all sorts of installation and maintenance BS to do so. I feel strongly about owning my identity online, mapping it to my nameplate domain, and actively choosing an authorizing party instead of just accepting the sign-in service du jour like Facebook, Twitter, Yahoo, or Google. Still, I never got set up with OpenID on ginatrapani.org because my perceived hassle factor was daunting. Instead, I used idproxy.net for my OpenID and put the domain setup on my "someday I have to do that" list. It meant that my OpenID was ginatrapani.idproxy.net instead of my own domain. Idproxy is a great service and I thank them for getting me started with OpenID; but still, I want my OpenID URL to be a domain name I own and control.
Profiles as an OpenID provider and to Chris for a great discussion of OpenID, OAuth, and verifying identity on the web.