Zero Passwords with Client Certificates

One of the most appealing features of OpenID is being able to consolidate your login authentication around a single OpenID server. This means that instead of creating and remembering a new password for every new site you want to visit, you can use a single (strong!) password at an OpenID provider like myopenid.com, and use your login there as your credentials for any OpenID-enabled site you want to visit.

That’s the benefit of “Single Sign-On” (SSO) — login once, roam anywhere. Not only does this reduce the burden of creating and remembering a different passwords (you don’t use the same password at different sites, right?) down to dealing with a single password, it keeps all the other sites out of the loop regarding your password. They never have access to your password.

That’s a powerful enhancement to the web experience for many users, being able to collapse dozens of passwords down to just one. Now, with the introduction of JanRain’s client certificate feature at myopenid.com, users who want to can choose the “zero password” option for managing their login.

The client certificate feature of myopenid.com utilizes the built-in key-generation and X509 certificate provisioning functions of your browser. When you choose this option for logging in to myopenid.com, you present the client certificate in lieu of your password, and this certificate, which is stored in the browser, makes logging in a breeze. I’ve been using it for a while now, and while I’m quite happy with the basic improvements of SSO and just managing a single password, the client certificate makes logging in to myopenid so quick and easy that I’m able to adopt a stricter, stronger login policy (make me log in to my openid.com every time I authenticate to an external website, for example) without it becoming a headache.

Getting Set Up

Here’s how to get up and going with client certificates at myopenid.com.

1. Navigate to the “Certificate Settings” page in the “Account Settings” menu at myopenid.com for your account.

2. Enter a handy name for the new certificate, and click the “Create Certificate” Button. This will launch the certificate generation process, which will take 5-10 seconds on a conventional machine.

3. That’s it. You should now see your new certificate listed — you’re ready to go. In order to use your certificate, you’ll need to sign out of your existing session. When you come back to login, you will have a link available on the login screen that says “Sign in with an SSL certificate”.

This link will take you the sign-in page for use with client certificates.

Security Issues

There’s an important disclaimer on the “Certificate Settings” page of myopenid.com:

Note: You should not install a client certificate on a machine that you do not control or that you share with others. Your certificate is like your username and password: protect it!

That’s worth thinking about before you decide to use client certificates. When you are away from your machine, your password goes with you (or at least that’s how it’s supposed to work); anyone trying anything fishy on your machine should not be trivially able to pose as you when supplying credentials to myopenid.com or any other service. However, my experience with friends and family suggests that it’s quite common to use the “auto-fill password” features of the browser, which presents a similar problem to client certificates: someone who gets hold of your machine can effectively be you, since your browser will automatically fill in your stored credentials at login time.

There isn’t a right or wrong answer here. There’s always a trade-off between risk and convenience; the important part is making sure people are able to make an informed decision about the inevitable trade-offs. Using client certificates provides an improvement in convenience, but does bring with it the risks of having someone easily be you in the online sense if they have access to your computer. As long as the benefits and risks are clearly in view, users are empowered to choose according to their own priorities and constraints.

~Michael Graves