Poojan (Wagh) Blog

Requests for comment

Verisign Labs’ Personal Identity Portal (PIP) / OpenID

with one comment

2008-10-01 Update
I’ve been informed by Verisign that you can only have one FOB attached to your PIP account. This is no big deal for me, since my FOB is on my keychain and you can always have a one-time password emailed or SMS’ed to you as a backup.


Personal Identity Portal (PIP) is an OpenID provider. This means that you:

  1. Register an account with PIP. You’ll get a URL (i.e. example.pip.verisignalbs.com); that is your OpenID URL.
  2. Go to other web sites–called OpenID clients–for example, My Yahoo, most blogs, identi.ca, army.twit.tv, etc. Instead of registering a username and password, tell them to consult your OpenID URL. Instead of giving them a username:password combination, you just tell them your OpenID URL (example.pip.verisignlabs.com).
  3. The web site then consults with PIP to see if you are authenticated. This authentication is done in a very secure manner, using cryptography, so that no one can impersonate you. To do this, you are temporarily transferred to PIP’s web site.
  4. You select what information (name, location, DOB) that PIP should share with the OpenID client.
  5. You are now logged into the OpenID client and can go about your business. The whole time, you only had to remember one password: your PIP password.

OK: big deal. So, I don’t have to remember more than one password. Here’s the cool part: PIP can be set up so that you get a neat FOB (a keychain doohiky). Here’s a picture of mine:

Verisign PIP FOB provided by Paypal

When I hit they grey button, I get a John Nash-like one-time code (only I’m pretty sure I’m not imagining it). This way, no one can log into my account unless they have my key FOB. I can have only one key FOB, and they come in different form factors (including a credit-card size one that fits in your wallet). You have the option of buying them from Paypal for $5 or the cooler looking ones (credit-card size and waterproof FOB) from Verisign for $30-$40.

If you don’t like carrying it around, you can also have PIP SMS or email you a one-time password.

Here’s another cool feature: PIP also has a little javascript bookmarklet that will save passwords for other sites that don’t support OpenID (linkedin, facebook, etc). Now, I don’t use this capability because I have a pretty good solution already (KeePass), but I might someday.

A list of web sites that support OpenID is at http://openid.net/where/.

Finally, a runner-up that I’d use is Yubikey. However, being an OpenID provider isn’t their main thing right now (although they do provide it sort of as a demo/utility), and I already bought the PIP/Paypal FOB. Alternative providers (including one that works with Yubikey) are at http://openid.net/get/.

Steve Gibson and Leo LaPorte’s SecurityNow podcasts have in-depth discussions of all these technologies.

Written by PoojanWagh

September 21st, 2008 at 11:23 pm

Posted in Web

Tagged with , ,

One Response to 'Verisign Labs’ Personal Identity Portal (PIP) / OpenID'

Subscribe to comments with RSS or TrackBack to 'Verisign Labs’ Personal Identity Portal (PIP) / OpenID'.

  1. Fantastic. This blog rocks!

    Forex

    16 Mar 10 at 4:07 am

Leave a Reply