Use Your LuxSci Account as an OpenID for Single Sign-on to Many Web Sites
LuxSci has allowed use of OpenIDs provided by third parties for access to user accounts since December. Proper use of OpenIDs can make logging into sites such as LuxSci both faster and more secure.
Now, LuxSci is also an OpenID Provider. This means that you can create an OpenID based on your existing LuxSci account that can be used as a single sign-on to any other web site that supports OpenID.
What does a LuxSci OpenID Look Like?
For security reasons, users need to explicitly create an OpenID identity in their account (under their “My Profile > OpenIDs” page); an OpenID is not automatically active just because you have an account!
A LuxSci OpenID has the form:
http://luxsci.com/openid/NNNN/personal_code
where “NNNN” is a unique and fixed number associated with each user and “personal_code” is something that you, the user, choose when creating your OpenID. For example, hypothetical user “John Smith”, who happens to have an ID number of “100000”, could have an OpenID of “http://luxsci.com/openid/100000/john”, or “http://luxsci.com/openid/100000/icecream”, etc.
The resulting identity is pretty easy to remember and to type in. The “personal code” is there to make your OpenID harder to guess for people who do not know it. This is a small, but important, security consideration.
How is an OpenID Used?
This is how an OpenID would work:
- You first create your OpenID under your LuxSci “My Profile > OpenIDs” page. You only ever have to do this one time.
- You go to a third party web site that you have an account on already and which supports OpenID logins (for example, LuxSci’s affiliate portal could be such a site).
- You login to that site using your normal user name and password
- You go to some “OpenID” area that they have, probably in the same place that they allow you to edit your other profile data.
- You “Add an OpenID”
- Enter your new LuxSci OpenID
- At the secure LuxSci OpenID “Sign On” page, enter your LuxSci WebMail password
- If you entered your password correctly, your LuxSci OpenID is then associated with your account at this new web site!
Next time that you want to login to the web site, instead of using your user name and password for that site, you would:
- Look for the OpenID icon or an OpenID Login link and click on it
- Enter your LuxSci OpenID (if it is not already pre-filled)
- Click on “Sign on” or “Login” or whatever similar button they use
- Enter your LuxSci password at the LuxSci OpenID Sign On page.
- You are then logged in … without ever needing to use or remember the user name and password for that third party site!
You can make use of your LuxSci OpenID even easier by clicking on “Stay Signed On” in the LuxSci OpenID Sign On page. This creates a cookie in your web browser that:
- Is valid for only 2 hours
- Goes away if you close all windows of your browser
- Automatically “signs you on” anytime you do an OpenID login using the same LuxSci OpenID in the next 2 hours.
I.e., since you have successfully logged in once, you can choose to stay logged in so that you can use your OpenID with any number of sites (from the same web browser and computer you are at) as much as you like over the next 2 hours without ever needing to enter your LuxSci password again.
Of course, this ease of use comes with some slight security risk — i.e. if someone else could use the same computer and browser as you while you are still logged in. That is why you have to explicitly enable “staying signed on” every time you use it.
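To make the “Stay Signed On” behaviour described above concrete, here is an added example (hypothetical code, not LuxSci’s own implementation) of how a provider can model it server-side: a browser-session cookie with no Max-Age or Expires, so it disappears when the browser closes, carrying an HMAC-signed token that is bound to one OpenID and honoured for at most 2 hours. The cookie name, key and token layout are assumptions for the example.

```python
"""Added example, not LuxSci's code: a hypothetical server-side model of the
"Stay Signed On" cookie. Session-scoped (no Max-Age/Expires), Secure + HttpOnly,
and the signed token is only accepted for 2 hours after the password login."""
import hashlib
import hmac
from http.cookies import SimpleCookie

STAY_SIGNED_ON_SECONDS = 2 * 60 * 60
SERVER_KEY = b"constructed-demo-key"   # placeholder; a real key is random and secret
COOKIE_NAME = "stay_signed_on"          # hypothetical name, not LuxSci's


def issue_token(openid, issued_at):
    """Build 'openid|issued_at|hmac'. Binding the OpenID into the token means a
    cookie issued for one identity cannot be replayed to sign on as another."""
    payload = f"{openid}|{int(issued_at)}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def build_cookie(token):
    """Session cookie: no Max-Age/Expires (dies with the browser), Secure, HttpOnly."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["httponly"] = True
    return jar.output(header="").strip()


def verify_token(token, openid, now):
    """True only if the signature holds, the token names this OpenID, and the
    password login it records happened less than 2 hours before 'now'."""
    try:
        tok_openid, issued, sig = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return False                      # malformed cookie
    expected = hmac.new(SERVER_KEY, f"{tok_openid}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                      # tampered or forged
    return tok_openid == openid and 0 <= now - issued < STAY_SIGNED_ON_SECONDS
```

Because the 2-hour limit is enforced on the server from the issue time, a copied cookie stops working at the same moment the legitimate one does.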
How Secure is a LuxSci OpenID?
A LuxSci OpenID is as secure as your LuxSci account. If you have a strong password and always login securely, then your LuxSci account and thus your LuxSci OpenID are very secure. Because many people use LuxSci for high security email and web services, they are used to having strong passwords and encryption everywhere. This makes use of the same account for their OpenIDs natural.
- No one (except LuxSci support) can determine what your LuxSci OpenID is unless they can login as you or you tell them.
- No record is kept of what web sites you are using your OpenID with. So, even if someone knows your OpenID and password, this will not be useful to them unless they also know what web site(s) you are using it with. There is no report visible to end users, administrators, or even to LuxSci support staff that shows what you are doing with your OpenID.
- No one can create another LuxSci OpenID that is the same as one that you “used to use”.
- You can change your LuxSci password any time that you like.
- OpenID authentication with LuxSci takes place securely over SSL (https).
The security downside is that anyone who knows your OpenID and your WebMail password can login as you to any other web sites that you are using OpenID with! Not reporting or tracking what these sites are is really just “security through obscurity” … it is better than publishing them, but doesn’t stop them from being discovered. In particular, if other people (such as your account administrator or boss) are allowed to login to your personal LuxSci account, that means that they probably know your password (unless they are using OpenIDs to do it) and they can see what your OpenID is in your Profile. They can then start guessing what web sites you have been using with your OpenID … and may figure some out! Use of OpenIDs in accounts where you are not the only person who has access to it is a security risk (this applies to any web site offering OpenIDs — not just LuxSci), and we do not recommend it. If you are in this situation, or if you require a stronger form of verification for your OpenIDs (such as two factor authentication, biometrics, etc.), we recommend that you use an independent OpenID provider such as myOpenID.com, Verisign’s Personal Identity Portal, or TrustBearer.
For more on OpenID security and related issues, see Responding to criticisms about OpenID: convenience, security and personal agency.
What About Reporting and Auditing?
LuxSci provides detailed reporting to end users about the use of their LuxSci OpenIDs (as well as of logins as them to WebMail, SMTP, POP, IMAP, etc.). Users can see a report covering the past 60 days of:
- When their LuxSci OpenID was used for authentication to any web site
- What date and time that occurred
- What the IP address of the user was who was trying to perform this login
- If the OpenID sign on was successful or not
Only end users are permitted to see this report — their account administrators are not. Note that the web site that the OpenID is being used for is not in the report. Users with security and privacy concerns about their LuxSci account and LuxSci OpenID can always check their WebMail and OpenID login history reports to see if anyone other than themselves has been trying to access their accounts.
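As an added example (not LuxSci code; the report lines below are constructed and their layout is an assumption), here is how a user could review an OpenID sign-on history carrying the fields listed above, date and time, IP address and success or failure, to spot a successful sign-on from an unfamiliar address or a success that follows a run of failures, the trace a password-guessing attempt leaves in such a report.

```python
"""Added example, not LuxSci's code: review a constructed OpenID sign-on
history (when, IP address, success or not) and flag entries worth a second
look. The line layout is an assumption made for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample report: "date time | ip | result", one sign-on per line.
SAMPLE_REPORT = """\
2009-03-02 08:15:02 | 203.0.113.10 | success
2009-03-02 12:40:11 | 203.0.113.10 | success
2009-03-03 02:03:45 | 198.51.100.77 | failure
2009-03-03 02:04:01 | 198.51.100.77 | failure
2009-03-03 02:04:30 | 198.51.100.77 | failure
2009-03-03 02:05:12 | 198.51.100.77 | success
2009-03-04 09:00:00 | 203.0.113.10 | success
"""


def parse_report(text):
    """Parse report lines into (datetime, ip, succeeded) tuples."""
    rows = []
    for line in text.strip().splitlines():
        when, ip, result = (part.strip() for part in line.split("|"))
        rows.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), ip, result == "success"))
    return rows


def review(rows, known_ips, max_failures=2):
    """Return (kind, ip, time) findings: a successful sign-on from an IP the user
    does not recognise, and any success preceded by at least max_failures
    consecutive failures from the same IP."""
    findings = []
    by_ip = defaultdict(list)
    for when, ip, ok in rows:
        by_ip[ip].append((when, ok))
    for ip, events in by_ip.items():
        events.sort()
        first_success = next((when for when, ok in events if ok), None)
        if ip not in known_ips and first_success is not None:
            findings.append(("unfamiliar-ip-success", ip, first_success))
        streak = 0
        for when, ok in events:
            if not ok:
                streak += 1
                continue
            if streak >= max_failures:
                findings.append(("failures-then-success", ip, when))
            streak = 0
    return findings
```

With the sample above and 203.0.113.10 as the only address the user recognises, the review flags 198.51.100.77 on both counts; such a finding is the cue to change the LuxSci password, since that password is what unlocks the OpenID everywhere it is used.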
