MyOpenID Security Features Released

Things have been busy here at the JanRain World Headquarters but I’m excited to share some new features that we’ve recently launched.

Our latest release has reorganized some of the ways that dialogs are presented. Most notably, we’ve broken out the security features into their own pane to reduce confusion and make it easier to manage your MyOpenID account. We have two new features (and one update) to talk about:

  • Secure bookmarklet: Under the “Security” settings panel you’ll find a link that says “special MyOpenID login”. It is a bookmarklet that you can drag (yes, in your browser) to your bookmark toolbar. Once there, you can use that link (especially in conjunction with the Safe SignIn feature) to quickly navigate to the correct login screen, where you can safely enter your credentials.
  • Frame busting code: I was at Yahoo! a couple of weeks ago giving a TechTalk (note: this isn’t an endorsement by Yahoo! of OpenID, they have people come in and talk about all kinds of technologies that they may/may not ever deploy) and Rasmus asked “do you have frame busting code on MyOpenID?” The answer then was ‘no’, today it is ‘yes’. There is an attack that will allow sites to capture your keystrokes (say from your password entry) in a hidden IFRAME. We now have the code in place to prevent this attack. Thanks Rasmus.
  • Safe SignIn updated: We also updated the Safe SignIn feature to allow you to continue the specific action you’re working on. With Safe SignIn enabled, you’re asked to manually navigate to MyOpenID to log in with your username and password if you are being redirected from an OpenID-enabled site. With the secure bookmarklet from above you can open a new tab, click that bookmark, enter your credentials and then return to the previous tab to continue the login action you’re working on. The goal is to help make sure that you’re not entering your password into a site that might be trying to phish your credentials.
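
As an added example (not MyOpenID's own code, which this post does not show), here is one common way to write frame busting for a login page, together with a check for the response headers browsers now enforce against framing, which goes beyond the client-side code the post mentions. The function names and the `html { display: none }` stylesheet rule are assumptions made for the illustration.

```javascript
// Added example, not MyOpenID's code. Assumes the page's stylesheet ships
// `html { display: none }` so a framed login form never becomes visible.

// Client-side frame buster. `win` is a window-like object so the logic can
// also be exercised outside a browser. Returns true when the page is framed.
function bustFrame(win) {
  if (win.top === win.self) {
    // Top-level document: safe to reveal the page.
    win.document.documentElement.style.display = "block";
    return false;
  }
  try {
    // Framed: point the top-level window at our own URL.
    win.top.location = win.self.location.href;
  } catch (e) {
    // Navigation refused (for example a sandboxed iframe): stay hidden.
  }
  return true;
}

// Classify the anti-framing policy a response declares in its headers.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const directive = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1);
    // An empty source list matches nothing, the same as a lone 'none'.
    const none = sources.length === 1 && sources[0].toLowerCase() === "'none'";
    if (sources.length === 0 || none) return "deny";
    if (sources.every((s) => s === "'self'")) return "same-origin";
    return "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "unprotected";
}

// In a browser: bustFrame(window);
```

Because the page starts hidden and is only revealed when it is the top-level document, a framing site that blocks the script or the navigation is left with an invisible form.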

We were also notified of a security vulnerability that affected users of the Safari web browser; it was brought to our attention by Gareth Heyes. This was patched last week. Thanks for the heads-up, Gareth!

The biggest concern we have with OpenID today is that of phishing. We’ll be releasing some new functionality in the coming weeks that should hopefully address that problem once and for all. Keep an eye out here for more information! In the meantime, thanks for helping make MyOpenID the premier OpenID provider.

~Scott Kveton