Dr Nic

Zero Sign On – 1 better or Infinitely better than Single Sign On?

This article has no code in it. There are no TODO steps. Nothing to install. It's a picture of the future.

There is no reason to bookmark this article and read it another day. It's nearly all pictures. You can read it now.

This “picture of the future” was actually added to our browsers in the 90s. Netscape and MSIE3.0 both had it.

“It” is Client Certificates, and to me it means “never logging on with username/password NOR OpenID ever again”. Zero Sign On. It must be better than the much-targeted Single Sign On.

Client Certificates

Firefox 2.0:

[Screenshot: Firefox 2.0 certificate manager, no certificates]

Or on Safari/KeyChain:

[Screenshot: Keychain Access, no certificates]

Small problem: no website I’ve ever used has ever offered them, so I never knew they existed. I didn’t know what they did, nor as a web developer that I could create them for users who’d never need to login again.

Clifford Heath showed me the light. On #roro irc channel, we were exploring how “Zero Sign On” might be implemented using ssh-keygen, and browser plugins etc. Clifford mentioned client certificates and then someone else mentioned that MyOpenID already supported them. [someone = Michael Kedzierski]

I already had a myopenid account, so I raced over to explore the new world of certificates.

Under “Authentication Settings”:

[Screenshot: myopenid, create certificate]

After submit:

[Screenshot: myopenid, creating certificate dialog]

And then:

[Screenshot: myopenid, certificate creation finished]

Then feedback:

[Screenshot: SSL Client Certificates]

So I thought I'd test whether “Zero Sign On” actually worked. Normally, after logging out you’d need to submit username/password or, if a site supported OpenID (yes, myopenid.com is an OpenID provider, which is a bit circular, but bear with me), you log in by entering your OpenID URL and pressing Enter. Either way, you’ve got work to do.

Instead, I clicked “Login” link on the home page, and was redirected immediately to:

[Screenshot: myopenid login uses alternate URL]

[Screenshot: myopenid sign-in with certificate form]

So it was still using cookies so that it could log me in immediately next time without clicking “login”, but either way, there is no username/password nor any other “type something here” login form. Just a “Remember Me” checkbox.

Finally, myopenid.com shows a log of your sign-in attempts:

[Screenshot: recent activity]

Your sites and the future

As a web developer, you can do one of two things to take advantage of Client Certificates.

  1. Support OpenID as a login mechanism. Users with myopenid.com accounts (or other openid providers that support client certificates) will benefit from automatic login to their openid page and instant redirection to your site. You’ll also be able to help new users import their profile data to get them started quickly.
  2. Implement Client Certificates yourself. I would have liked to have a crack at this before posting about Client Certificates and all their sweet loveliness, but I didn’t. My bad. Instead, I found a nice step-by-step (plus comments with updates) on implementing Client Certificates.

If you have/do implement Client Certificates in Ruby/Rails world, you’ll get a 1000 Happy Points from me if you open source it/blog about it. Happy Points are redeemable for Happiness in all countries.
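Since the post stops short of showing the server side, here is an added example (mine, not from the post or from myopenid.com) of the piece a Rails/Rack app actually has to get right: taking the client certificate that the TLS terminator verified and forwarded, re-checking it against the site's own issuing CA (which also enforces the validity dates), and looking the user up by certificate fingerprint rather than by the subject name printed in the cert. The CA, user certificate, `make_cert`, `authenticate` and the `USERS` table are all constructed for the example.

```ruby
require "openssl"

# Constructed fixtures: a throwaway site CA and one client certificate it
# issued to a user at signup. Generated in memory so the example runs offline.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                 # X.509 v3 so extensions count
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert("/CN=Example Site Client CA", CA_KEY, 1, ca: true)
USER_KEY  = OpenSSL::PKey::RSA.new(2048)
USER_CERT = make_cert("/CN=drnic", USER_KEY, 2, issuer: CA_CERT, issuer_key: CA_KEY)

def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# The "user table": the site remembers the fingerprint of the certificate it
# issued, not just the subject name, which anyone can put in a cert they mint.
USERS = { fingerprint(USER_CERT) => "drnic" }

# Server-side login step. +pem+ is the client certificate the TLS terminator
# (Apache, Nginx) forwarded after the handshake, or nil if the browser offered
# none. Returns [status, username].
def authenticate(pem, now: Time.now)
  return [:no_certificate, nil] if pem.nil? || pem.strip.empty?
  cert  = OpenSSL::X509::Certificate.new(pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)                          # trust only certs we issued
  store.time = now                                 # also enforces not_before/not_after
  return [:untrusted_or_expired, nil] unless store.verify(cert)
  user = USERS[fingerprint(cert)]
  user ? [:ok, user] : [:unknown_certificate, nil]
rescue OpenSSL::X509::CertificateError
  [:malformed, nil]
end
```

On success the app would set its session cookie exactly as after a password login; the "Remember Me" behaviour seen above is just that cookie outliving the browser session.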

71 Responses to “Zero Sign On – 1 better or Infinitely better than Single Sign On?”

  1. [...] Dr Nic » Zero Sign On – 1 better or Infinitely better than Single Sign On? (tags: openid security authentication certificates ssl firefox browser 2008 administration Apple browsers client ssh tutorial webdev) [...]

  2. [...] anyone interested in Zero Signon, please take a look at Zero Sign On – 1 better or Infinitely better than Single Sign On? by Dr. Nic. It’s an interesting combination of the new (OpenID) and the old (Client [...]

  3. [...] or Yahoo decides to adopt it). Nic Williams, Dr Nic February 22, 2008 [original link] [Tags: Google, Yahoo!] [...]

  4. Dr Nic says:

    @DavidK [via] – fixed now, thx for the reminder to get off my arse and fix it.

  5. Dr Nic says:

    Lots of very useful comments @ reddit.

  6. dkubb says:

    I found a few tutorials for Apache, but does anyone have any Nginx tutorials on how to do SSL Client Certificate Authentication?

  7. [...] Single sign-on versus Zero sign-on, including a possible incorrect use of OpenID; [...]

  8. shaun says:

    This could solve so many issues for me. Handy!

  9. [...] Zero Sign On – 1 better or Infinitely better than Single Sign On? “It” is Client Certificates, and to me to means “never logging on with username/password NOR OpenID ever again”. Zero Sign On. It must be better than the much-targetted Single Sign On. (tags: authentication openid) [...]

  10. labria says:

    Well, I’ve made it =)
    http://blog.startika.com/2008/2/25/ssl-client-certificate-login-pt-3
    It’s still a mess, needs lots of refactoring, but it’s certificate-based logon with rails, and it works =)

  11. Dr Nic says:

    @labria [via] – very nice work indeed!

  12. [...] Dr Nic » Zero Sign On – 1 better or Infinitely better than Single Sign On? – Using client certificates to implement zero sign on. [...]

  13. [...] Dr. Nic's post explains all of this very nicely, and one seriously wonders why, in 2008, we are still struggling with the user/password combination when such convenient options exist. Now one would just need to be able to combine that with GPG… [...]

  14. [...] [OPENID] Zero Sign On – 1 better or Infinitely better than Single Sign On?, drnicwilliams.com [...]

  15. [...] while searching for information I came across a number of interesting things. This article by Dr Nic describes the use of OpenID in combination with client side certificates. This article [...]

  16. [...] Dr Nic » Zero Sign On – 1 better or Infinitely better than Single Sign On? (tags: openid authentication security certificates ssl firefox browser) [...]

  17. Toplist says:

    I for one will be ignoring any “standards” that M$ tries to implement in IE. I would ignore any similar proposal by Mozilla, Apple or anyone else who suggested such rubbish.
    The standards exist, so do the validators and the compliant html editors. Code your sites to comply, it is up to the browser to render it correctly. The meta hack proposes just the opposite… the developers have to change the way they do things just so this browser will work. No argument will outweigh the fact that IE is still promoting non-compliant garbage code instead of forcing developers to comply. It’s like peeing on the W3C.

  18. gömlek says:

    So a) I can’t log on to my banking, etc. site unless I’m using my browser, and b) anyone who is using my browser can automatically log on to my banking, etc. site? Inconvenient and insecure, gee, I wonder why it hasn’t caught on.

  19. [...] This post was Twitted by schofeld [...]

  20. [...] I was looking up on ways of doing Single Sign On I discovered Dr. Nic’s article about Zero Sign On. The premise is simple: that users have a digital certificate that they use to authenticate their [...]