With Blogger announcing beta support for OpenID, the idea of federation sure is catching up. In addition, active support with CardSpace would apparently increase the adoption. However, till the time this technology becomes mainstream, people are still going to be bogged down with the problem of multiple passwords.
Just recently, the draft of OpenID 2.0 has graduated to the final stages, and many providers would be implementing the specifications. The service providers however would still take time to catch up. This article is an extension of my previous work on signon manager, trying tdyo formally describe the idea of extending the firefox password manager to become portable and secure. Currently, all passwords are stored in the local stored, encrypted by a master password if required. Hence, when a user hits the web on another system, and if he cannot remember the passwords, he cannot really login to the sites.
To start with, the user would have to setup the password manager by specifying the OpenID server, and authenticating with it.
In case of the extended Firefox password manager, when the user click the "Remember Password", the extension would make a call to a remote OpenID server, and store the username/password that are sent over a secure connection. Now, the user visits the service provider, and types in the credentials for the first time. On hitting the "Remember password" button in the dialog that pops up, a remote request is made to the OpenID server to store the credentials that are sent over a secure channel. As there is no explicit way to tell the OpenID to "store" user attributes, this has to be achieved by screen scraping.
Subsequently when the user visits the site, the password manager would get the credentials from the remote site (if the user is authenticated to that site for the session). If the user is not authenticated, an authentication page of the OpenId IDP is shown. This transaction would flow using the attribute exchange protocol in OpenID 2.0.
Though I am not planning to work on the extension manager in the near future, I am definitely trying to integrate this with the SignON Manager that I had been working on for some time now. Given that case, the user would be a step close to single sign on as he will not be require to hit th e Login Button. More like a faked-single-sign-on !! :)