
yet another Microsoft blogger

# Thursday, November 13, 2008

Windows Live People and the past 12 months

Last night we announced to the world what my organization has been working on for the past year. It’s really exciting to see all the press in the past 24 hours.

So now that we’ve announced to the world here is what I’ve been working on (with my team) over the past year:

  • Windows Live People - A unified contact list to help manage all your contacts across all of Windows Live
  • Web Messenger integrated into Hotmail + People
  • What’s new integrated into Hotmail (when you send an email)
  • Unified Contact Picker and Auto complete controls for Windows Live
  • Friends List control that you see on the Profile page and the corresponding page when you click “View more” to browse your Friends’ Network
  • A whole bunch of cross team backend stuff to make this all work

LiveSide, as usual, has a great overview of Windows Live People. Go read it so I don’t have to write about it :-).

“Overall we really like the changes that have been made with the contact management, with the execution of the improvements being good too. Its simple, but effective.”

The NYTimes also has a great write up with a title that caught my eye! Microsoft Beats Yahoo and Google to Social Inbox 2.0

“Exactly one year ago, I wrote about the race between Yahoo and Google to turn their e-mail and instant message systems into something closer to social networks. Both companies figured it was futile to take on Facebook and MySpace directly. So they rushed to develop new ways for their users to trade news, photos and so on with the people already in their address books and buddy lists.

The winner of that race is…Microsoft.”

And for those of you who pay attention to how Microsoft is organized and led, here is the money quote.

Microsoft takes a lot of heat, much of it deserved, for its plodding nature and overly complex software. Since the services haven’t been introduced yet, I can’t tell how well these new Windows Live features work. But the fact that the company is the first to actually introduce social networking features to its e-mail is a sign of Microsoft’s discipline, or maybe the lack of resolve at Google and Yahoo. Or both.

Two words. Steven Sinofsky. Windows 7 and Windows Live will be just a piece of his legacy.

And on a personal note, I have to say that this past year working on Windows Live has been the most rewarding and fulfilling experience in my almost 10 years at Microsoft. I worked with a world class team to stitch together disparate services and bring some real value to our customers. I view Wave 3 as the beginning and Wave 1 and 2 as foundational releases for Windows Live. What we plan to do has me even more excited.

I’ve also learned a tremendous amount from our leadership team and my peers. Special thanks goes to them for creating an amazing organization that I’m proud to work in.

Posted Friday, November 14, 2008    Comments [0]

# Thursday, October 30, 2008

8ninths

A long time ago, when I started tinkering with coding in C#, I got to know Adam Sheppard. Adam was working on MSN Spaces at the time and was interested in finding a blogging solution he could use for an internal blog he was going to start. I got him set up with dasBlog and that’s when I learned about the Shep Report. The Shep Report was an internal newsletter that Adam wrote and sent around to a DL he created. I was pretty amazed with the membership of this DL (it had some pretty senior folks at Microsoft). So of course I subscribed.

The Shep Report was always packed with interesting things happening in social media and other web trends. I really looked forward to it even though it had a sporadic publication schedule.

Well Adam eventually left the MSN Spaces team to go on and become one of the founding members of Microsoft Live Labs and specifically Photosynth. I got to hang out with Adam at two different ETech conferences and I always enjoyed talking to him about technology and Microsoft.

Adam left Microsoft a few months ago, and started a new R&D lab in Seattle called 8ninths (which refers to the unexposed, hidden percentage of an iceberg). Clever name.

Anyway, I’m writing this because they started to put out a bi-monthly newsletter, which is very similar to the good old Shep Report I looked forward to receiving at Microsoft (it’s now called “Deep Dive”). They just sent out their second issue and as usual it’s a great read (they cover Qik, the Obama Campaign, MTV, Angels & Demons and more).

Click here to subscribe.

Posted Friday, October 31, 2008    Comments [0]

# Sunday, October 19, 2008

Welcome to a new era of computing… netbook and Atom

I have to say, I have never been more impressed with a piece of technology than with the $449 Netbook I purchased last week. It is replacing a Fujitsu P7120 that I purchased in 2006 for $1,900.

How is this even possible? I have no idea, but I had to write about this.

Over the past year or so a new class of PC was born, and coined the Netbook. Early on, these laptops were generally powered by Linux, had 4GB or 8GB SSD drives and ran extremely slowly, with tiny keyboards and 8 inch screens. Nothing for me to get excited about. In a former life, these things were called Ultra Mobile PCs (UMPC) and they were super slow (like the Samsung Q1 and Q1 Ultra). My first experience with these things turned me off. They also cost about $800, or $1300 for a high end OQO.

However, in the past few months, something remarkable has happened. The technology got better, they started shipping with Windows XP, and they also started shipping with the Intel Atom processor and prices are UNDER $500, in some cases UNDER $400.

It’s pretty significant that these machines are now shipping with Windows XP. Why? Because the return rate on the Linux Netbooks is 4x that of the Windows laptops, as mentioned by the MSI Director of U.S. Sales (MSI being the maker of the MSI Wind) in this interview by laptopmag.com.

We have done a lot of studies on the return rates and haven’t really talked about it much until now. Our internal research has shown that the return of netbooks is higher than regular notebooks, but the main cause of that is Linux. People would love to pay $299 or $399 but they don’t know what they get until they open the box. They start playing around with Linux and start realizing that it’s not what they are used to. They don’t want to spend time to learn it so they bring it back to the store. The return rate is at least four times higher for Linux netbooks than Windows XP netbooks.

What’s even better about this new class of Netbooks is that they are perfectly capable of running Vista with Aero Glass, as Notebook Review recently wrote about.

While Windows Vista gets a lot of bad press these days, it isn't always the worst operating system choice for notebooks. In our quick testing of Windows Vista on the MSI Wind, not only did it give us a nice bump in performance, but we also gained battery life. For a compact subnotebook you really can't ask for more, especially on the battery life front. For now I think Vista is here to stay on our MSI Wind (well before we have to send it back).

My wife has been using our aging Fujitsu P7120 for the past year and it’s been showing its age. For one thing the battery only lasts 20 minutes, it’s extremely slow, and it can’t run Vista well. What better way to fix a problem like this than to whip out the credit card and spend some money?

I did a bunch of research and getting a Netbook seemed perfect. We are going to be traveling for 3 weeks this December and need a small and light laptop as an accessory for my Digital SLR and my iPhone. Oh, we also need a web browser to check email and such. I don’t plan to bring my work laptop with me since I won’t be doing any work, and at 5 pounds it’s a bit heavy. So a 3 pound laptop that costs $449? Not a tough decision.

So I narrowed my selection down to:

I crossed the Lenovo off the list because it ships with 512MB of Ram and a 3-cell battery (and no option to order a 6-cell battery yet). The MSI Wind with the 6 cell battery is near impossible to find, and finally, Amazon started selling the Asus Eee PC 1000H for $449, a good $40 cheaper than anyone else at the time… and I do love Amazon. [note: it appears Amazon is out of stock of the 1000H 60GB drive for $449, wait for it to come back in stock].

Each of these laptops has similar specs.

  • 10 inch 1024 x 600 screen
  • 80 GB SATA hard drive
  • Intel Atom 1.6 Ghz processor
  • 512MB – 1 GB of RAM
  • WebCam
  • Bluetooth (Lenovo S10 does not)
  • WiFi (Asus has 802.11n while the others are b/g)
  • Ethernet 10/100

Furthermore, they all have smaller keyboards. Of the bunch, the Asus has the largest keyboard at about 92% of full size, while the Lenovo’s is much smaller at about 86%.

Also, I wanted as much battery as I could get, so a 6-cell was a requirement.

The Asus was the heaviest of the bunch (3.1 pounds) but when you factor travel weight, the difference becomes tiny as the Asus has an extremely tiny and light power brick. It’s the smallest power brick I’ve seen for a laptop.

The real story to this Netbook though is the Intel Atom processor. Now I love Intel as much as the next geek, but this processor is stunning. Coupled with the Intel GMA 950 graphics chip it can run Vista using Aero Glass without any problems.

For comparison, most dual core laptop processors use about 35W of power. Desktop processors use quite a bit more, like 65W. The Intel Atom chip uses 2.5W of power. The gap is profound (the graph that accompanied this post is not reproduced here).

For a laptop that I plan to use to backup my photos, surf the web, and write some documents, or blog posts, this seems like a reasonable tradeoff :-).

In my experience so far, this thing is plenty fast, and in fact it smokes my Fujitsu P7120 which shipped with the original Pentium Centrino chip (which really got the ball rolling on some high performance low power laptops). It has all around better specs than something that shipped less than 3 years ago and for 1/4 the cost. The only real bummer of this laptop is that the screen resolution is less (1024 x 600 vs 1280 x 768), but everything else is faster and better. I expect it’s only a matter of time before we see higher resolution screens for the same price.

If you’re like me, and interested in the gory details about the Intel Atom chip, you can read the excellent article by Anand Lal Shimpi.

And for the low low price of about $32 you can upgrade your memory to 2GB. Simply throw away the 1GB module in the Asus and replace it with a single 2GB 200-pin SO-DIMM PC2-5300 module.

And if you think this is exciting, next up from Asus, a MacBook Air thin netbook.

I’m really humbled by the fact that you can get a decent laptop for under $500. My guess is that these things are going to sell like hotcakes, especially among parents with school aged children.

Posted Monday, October 20, 2008    Comments [5]

# Wednesday, October 15, 2008

I have been upgraded to a hurricane

Once in a lifetime event I guess.


Posted Wednesday, October 15, 2008    Comments [0]

# Tuesday, October 14, 2008

Google Reader for iPhone - Byline

One thing I do a lot of on my iPhone is catch up on my RSS feeds. Doing so in Safari leaves a lot to be desired since Safari has a habit of crashing.

The iPhone is fundamentally an awesome device for reading blog posts and news. I can quickly scan through my unread items and read, process, share and star them… from the comfort of my bed or when waiting in line for lunch.

For the past few months I’ve been using an application called Byline from Phantom Phish. Byline is a fantastic RSS reader for Google Reader. It’s simple to use and it just got better. The latest 2.0 release adds many new features, but none more important to me than an integrated browsing experience so that I never have to leave the app to read blog posts and linked articles (which is pretty common).

You can also share, star and add notes when sharing.

To make things even better, it’s being offered right now for $4. I paid $10 for it so if you use Google Reader and have an iPhone I think it’s $4 well spent.

Posted Wednesday, October 15, 2008    Comments [2]

# Sunday, October 05, 2008

Remapping Alt and Windows keys on a Mac using Bootcamp

One of my pet peeves with Bootcamp, Apple’s software for letting you run Windows on a Mac, is that the default keymapping for Apple keyboards swaps the Alt and Windows keys.

This totally messed with my shortcuts.

I tried using one of my favorite scripting tools, AutoHotKey, to remap the keys but this ended up being flaky. I also didn’t like the idea of relying on a running application to do the swapping.

I ran into a program called SharpKeys that remaps the keys at the OS level. It’s a remarkable little program. You configure how you want your keys remapped and then it writes those changes to the registry. This ensures that all users of the computer have remapped keys and that the remapped keys work outside user space too, like at the Logon prompt.

To remap Alt to Windows you need to:

  1. Get SharpKeys (download)
  2. Create a mapping for Left Alt –> Left Windows
  3. Create a mapping for Left Windows –> Left Alt
  4. Logoff
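The post doesn’t say which registry value SharpKeys writes. The Windows mechanism that behaves the way it describes (machine-wide, honoured at the logon screen, picked up on the next logoff) is the Scancode Map value under HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout, and I am assuming that is what SharpKeys uses. The following is an added example of my own, not SharpKeys’ code, that builds the binary blob for steps 2 and 3 above and, only when asked, writes it. Because the value lives under HKLM it needs administrator rights to change, which is also why any tool that edits it should be one you trust.

```python
import struct
import sys

# PS/2 set-1 scan codes for the two keys being swapped. Extended keys
# carry the 0xE0 prefix in the high byte.
LEFT_ALT = 0x0038
LEFT_WIN = 0xE05B

# Windows reads this REG_BINARY value at boot; it applies to every user
# and to the logon screen, and writing it needs administrator rights.
SCANCODE_MAP_KEY = r"SYSTEM\CurrentControlSet\Control\Keyboard Layout"
SCANCODE_MAP_VALUE = "Scancode Map"


def build_scancode_map(mappings):
    """Build the Scancode Map blob for a list of (original, replacement) pairs.

    Layout: two zero DWORDs (version, flags), a DWORD entry count that
    includes the terminator, one DWORD per mapping with the replacement
    scan code in the low word and the original in the high word, then a
    zero DWORD terminator. All fields are little-endian.
    """
    blob = struct.pack("<II", 0, 0)
    blob += struct.pack("<I", len(mappings) + 1)
    for original, replacement in mappings:
        # "<HH" writes the low word (replacement) first, then the high word.
        blob += struct.pack("<HH", replacement, original)
    blob += struct.pack("<I", 0)
    return blob


def parse_scancode_map(blob):
    """Inverse of build_scancode_map: return the list of (original, replacement).

    Useful for auditing what a machine already has configured.
    """
    count = struct.unpack_from("<I", blob, 8)[0]
    pairs = []
    for i in range(count - 1):
        replacement, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        pairs.append((original, replacement))
    return pairs


def swap_alt_and_win():
    """Steps 2 and 3 from the post: Left Alt -> Left Windows and back."""
    return build_scancode_map([(LEFT_ALT, LEFT_WIN), (LEFT_WIN, LEFT_ALT)])


def apply_scancode_map(blob):
    """Write the blob to HKLM. Windows only; run elevated; log off afterwards."""
    import winreg  # only available on Windows
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, SCANCODE_MAP_KEY) as key:
        winreg.SetValueEx(key, SCANCODE_MAP_VALUE, 0, winreg.REG_BINARY, blob)


if __name__ == "__main__":
    blob = swap_alt_and_win()
    print(blob.hex(" "))
    if sys.platform == "win32" and "--apply" in sys.argv:
        apply_scancode_map(blob)
```

Running it without `--apply` only prints the 24-byte blob, which you can compare against what SharpKeys (or anything else) has left in the registry; `parse_scancode_map` turns an existing value back into readable pairs for the same purpose.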


Enjoy!

Posted Sunday, October 05, 2008    Comments [1]

# Friday, September 26, 2008

New Hotmail release rolling out

In traditional Microsoft parlance I’m “super excited” that we’ve started to ship a pretty significant update to the Hotmail service. The stuff I’ve been working on for the better part of a year is now rolling out to our site. It will take a few weeks to make it to all our users, but some folks will see the new bits today.

You can read about some of the new features on the Live Wire blog.

I should also point out that there are some features that will take a bit longer to roll out to all our users.

I plan to talk a bit more about what my team (People/Contacts) does and the features we’re shipping this year.

Posted Friday, September 26, 2008    Comments [5]

# Saturday, September 20, 2008

Your Email Password is Your Most Important Password

Here is a newsflash… the security of the majority of your online accounts is only as good as the security of your email address. As many of you know, Sarah Palin’s Yahoo account was recently compromised by taking advantage of public information to answer her secret question and take control of her account. You are at the mercy of the strength of the Password Reset Mechanism. Password Reset today is flawed.

Rule #1: Never ever ever enter your email username and password into any webpage on the Internet except that of your email provider. You are placing yourself at significant risk if you do so (there are some exceptions to this rule of course, like if your email provider is also an OpenID provider or supports delegated authentication).

Rule #2: The answer to your Secret Question should be a random string of gibberish. “Who is your best friend”? The answer should be: d8239d#5d. This way no one can guess it.

I learned the hard way just how vulnerable I was when I lost access to my Hotmail account. I cannot begin to describe what this felt like. It might feel like losing the keys to your house, arriving at home, finding a burglar in your house and getting a busy signal when calling 911.

Jeff Atwood wrote about this exact problem a few months ago:

  1. Number one with a bullet: your email account is a de-facto master password for your online identity. Most -- if not all -- of your online accounts are secured through your email. Remember all those "forgot password" and "forgot account" links? Guess where they ultimately resolve to? If someone controls your email account, they have nearly unlimited access to every online identity you own across every website you visit.
  2. If you're anything like me, your email is a treasure trove of highly sensitive financial and personal information. Consider all the email notifications you get in today's highly interconnected web world. It's like a one-stop-shop for comprehensive and systematic identity theft. How do I know Yelp isn't going to dip into other areas of my email?
  3. Even if I trust Yelp absolutely, how do I know they're not going to store my email password, perhaps insecurely, in a place some disgruntled programmer or hacker can eventually get to it? Giving out your password puts the recipient in the highly unfortunate position of having to secure your password. Give that email password out enough, and you're now vulnerable in dozens of places spread across the face of the web. The odds start to look pretty dire.

You should re-read these words a few times and internalize just what they mean. #3 is exactly why you should generate a unique password for every single website you visit. You should manage this complexity using a tool such as RoboForm, PassPack, VeriSign PIP, KeePass or LastPass.

I don’t know 95% of my passwords.

Almost every single account you have will have something called a Password Reset feature. You see, none of us can remember all the passwords we use for our different sites. Heaven forbid we actually try and use unique passwords and then forget a password. How do you get access?

Well in the case of many banks and such that store highly sensitive information, you have to get on the horn and talk to a human, proving that you are who you say you are. Usually this is done by sharing something with them that only you know and that they can verify. Things like:

  • The Card Verification Value (CVV) code on your credit card
  • Your “secret answer” to a question (most use Mother’s Maiden name)

And in some cases, they will physically mail you a new password to your registered address.

But what about the sites that don’t think they have highly sensitive information, or don’t want to incur the cost of such a human labor intensive process? Well they will do one of the following:

  1. Email your actual password to your email address on file
  2. Email you a new random password
  3. Email you a new random password that you must change on login

Now lemme clue you into a little secret.

If the website you are using does either #1 or #2 then FAIL. That website is storing your password in the clear, or in the case of #2 transmitting it in the clear and not requiring you to change it. The only acceptable mechanism for resetting any password via email is #3, to Email you a new random password that you must change on login.

Since you have absolutely no idea how your passwords are being stored with the website (are they hashed, encrypted, in a cage at the data center) you should assume the worst. Some of the BigCos obviously understand the risk of storing such sensitive information and will do all the right things:

  • Credentials are stored using a one way hash
  • Machines that store such information are in a caged server environment
  • Credentials never pass around in the clear, such as over HTTP or any unsecured protocol.
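To make the difference between the three reset mechanisms concrete, here is an added example of my own (not code from the post or from any Microsoft service). Passwords are stored only as salted one-way hashes, so the site is physically unable to do #1; a reset issues a random temporary password that is flagged must-change, so it cannot be left in place the way #2 allows. The `PBKDF2_ROUNDS` work factor, the `Account` record and the in-memory `store` dictionary are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for the demonstration; a real deployment tunes
# the work factor to its hardware and keeps it in configuration.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16
TEMP_ALPHABET = string.ascii_letters + string.digits


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool = False  # set by a reset, cleared once the user picks a new password


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the site never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(acct: Account, password: str, must_change: bool = False) -> None:
    acct.salt = os.urandom(SALT_BYTES)  # fresh salt on every change
    acct.pw_hash = hash_password(password, acct.salt)
    acct.must_change = must_change


def create_account(store: dict, username: str, password: str) -> None:
    acct = Account(salt=b"", pw_hash=b"")
    set_password(acct, password)
    store[username] = acct


def verify_password(store: dict, username: str, password: str) -> bool:
    acct = store.get(username)
    if acct is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def reset_password(store: dict, username: str) -> str:
    """Mechanism #3 from the post: a random temporary password that must be changed.

    The temporary password is returned exactly once so the caller can email
    it; only its hash is stored, so it cannot be re-sent later, and the
    original password was never recoverable in the first place (ruling out #1).
    """
    acct = store[username]
    temp = "".join(secrets.choice(TEMP_ALPHABET) for _ in range(16))
    set_password(acct, temp, must_change=True)
    return temp


def login(store: dict, username: str, password: str,
          new_password: Optional[str] = None) -> str:
    """Returns 'denied', 'change-required', 'ok-changed' or 'ok'."""
    if not verify_password(store, username, password):
        return "denied"
    acct = store[username]
    if acct.must_change:
        # The temporary password is only good for choosing a new one; letting
        # the user keep it would turn this into mechanism #2.
        if not new_password or new_password == password:
            return "change-required"
        set_password(acct, new_password)
        return "ok-changed"
    return "ok"
```

The temporary password still travels over email once, which is the residual risk the post is pointing at: it is why the must-change flag matters, and why the mailbox it lands in is the account worth protecting most.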

If you have access to an email account that has more protection than a webmail provider (like a work or university email address) I highly recommend you use that email address for your password reset. It’s likely that your business is an order of magnitude more secure if they manage their own email services.

Finally, for all the reasons I mention above, don’t EVER give your email username and password out to anyone or any website unless that website clearly belongs to your email provider. NEVER.

Beware of social networking websites that ask for your username and password to “import your contacts”, aka your Social Graph.

Posted Saturday, September 20, 2008    Comments [3]

# Thursday, September 18, 2008

Windows Live Calendar gets To Dos

At long last, we have shipped To Dos. It’s been a long time since I worked on Windows Live Calendar and we were talking about building To Dos. The best part about To Dos is that they work with Shared Calendars. In other words, if you and your spouse have a “Family Calendar” you can now create and manage a shared task list… something Google Calendar still doesn’t have.

With the new release of Windows Live Calendar and the new Beta releases of the Windows Live Suite there is a ton of great end to end Calendar functionality.

  1. Outlook Connector to sync all your Windows Live Calendars to Outlook, including your Birthday Calendar for all your Contacts.
  2. Windows Live Mail now with Calendar Sync will also sync all your Windows Live Calendars
  3. Shared Calendars that you can create, share and manage with other Windows Live Users
  4. Calendar Subscriptions to public internet calendars that you can subscribe and sync to all the products above.

And of course now To Dos. Dare should be happy about this. He’ll need it when the baby comes :-).

I’ll also add that the new UI of Windows Live Calendar is awesome. The screenshot that accompanied this post (not reproduced here) showed what To Dos look like when you have 2 calendars: my personal calendar and my Family Calendar. You can create tasks in either calendar and they will show up depending on who you share with.

Posted Friday, September 19, 2008    Comments [6]

Amazing Attention to Detail: Duplicate Phone Numbers on iPhone

The other day I received a phone call from my wife on our Home Number.

On most other phones it would say:

Call from Omar Shahine (Home)

Cool, you mean I’m calling myself?

It’s always been a pet peeve of mine that this happened. I mean this is a pretty common scenario right?

Well this doesn’t happen on the iPhone. If you have two contacts with the same phone number (pretty common for people that live together, like my parents, my wife, my sister and her husband) the iPhone displays a screen naming both contacts (screenshot not reproduced here).

I have to say, this is great. I’d also note that they are smart enough to realize since we have the same last name, it just says “Lora or Omar Shahine”.

Posted Thursday, September 18, 2008    Comments [3]

# Wednesday, September 17, 2008

Publish on SmugMug for Windows Live Photo Gallery

A few months ago the folks on the Photo Gallery team sent me a pointer to the new Publish SDK in Windows Live Photo Gallery. A few hours later I had put together a crude Plugin for uploading to SmugMug.

As some of you might know, long ago I created an application called Send to SmugMug. This was a very simple program that let you select photos in the Windows Shell and upload to SmugMug. Since then I have added many features, but I personally like to use Windows Live Photo Gallery to manage all my photos and videos. Switching back and forth from application to shell got annoying.

So I was ecstatic to write a plugin. Now I can just publish directly from Photo Gallery.

You can download the Publish to SmugMug Plugin and try it for yourself. It requires the new beta of Photo Gallery.

The new beta has a ton of nifty features by the way. The User Experience is redesigned to make it easier to tag, view and edit metadata. The people tagging feature is super, and you can tag using contacts from your Windows Live Address Book. For most of you that means your Messenger or Hotmail contacts.

The plugin is very simple. You select a bunch of photos in the Photo Gallery and select Publish on SmugMug from the Publish Menu. In the dialog that appears (screenshot not reproduced here), select an existing Gallery or create a new Gallery and click Publish.

Anyway, it’s an awesome upgrade and I hope you enjoy the new Plugin I wrote.

Posted Thursday, September 18, 2008    Comments [0]

# Sunday, August 24, 2008

Executor, the Ultimate Windows Launcher

For a long time I’ve searched the web looking for a great application launcher for Windows. Mac users have QuickSilver, the holy grail of application launchers. In fact I’ve never used QuickSilver; I’ve only ever read about its awesomeness.

First there was SlickRun and I used it for many years. In fact I loved SlickRun (and still do). However, it’s not a general purpose launcher and will not index your hard drive for applications, folders and whatnot. It will let you define some great keywords though.

Then there was Launchy. A great launcher but it lacked the ability to create Keywords like SlickRun. The UX was slick though.

I’ve tried SkyLight (from the makers of AppRocket), a beautiful application, but dog slow. I mean painfully slow (it would take a few seconds before it would allow me to type a command). SkyLight is a WPF app and to be honest, I’ve found that all the WPF apps I’ve tried have similar performance problems (Witty and bTT).

Executor

At long last, Executor added support to index any folder you specify on your computer, allowing me to replace both Launchy and SlickRun. I tried Executor last year but the inability to customize it with your own search paths was limiting since I store little utilities in my roaming portable apps folder.

Executor has a lot of functionality. It took me a while to set up the UX and behavior the way I wanted. Typing “ad” into Executor brings up a list of matching items (the screenshots that accompanied this post are not reproduced here).

I use the large 2-line icon view, which is helpful if you use Executor to index your Documents folder for Folders and you have more than one with the same name.

And of course you can use it as a general file system browser… much better than Start –> Run.

With Vista we all get a nice solution to the Start Menu Mess, as Jeff Atwood describes in his post Typing Trumps Pointing. While this is a great solution for my parents, I personally need the power of defining custom keywords and search paths (like my Portable Apps directory).

Executor has a lot of features, so I’d recommend you check out this page which lists some of the cool things you can do.

Posted Sunday, August 24, 2008    Comments [7]

# Saturday, August 23, 2008

First iPhone Exchange bug fixes in 2.0.2

It appears that the iPhone 2.0.2 update came with two nice Exchange bug fixes. These two bugs were probably the worst that I would encounter.

Prior to 2.0.2, if either you or someone else canceled an event that was in a series of recurring events, that event would NOT get deleted from the iPhone.

This meant that the Calendar on my iPhone was not the same as my Exchange calendar.

Now, the iPhone supports exceptions to recurring events from Exchange AND you can delete an instance of a recurring event on the phone.

  • (Fixed in 2.0.2) Cannot delete a single occurrence of a repeating appointment/meeting. Only option is to delete entire series.
  • (Fixed in 2.0.2) Negative exceptions to recurring events are not handled (if an instance of a recurring event is deleted, it still appears)

I will continue to update my wiki as I see issues resolved.

Posted Saturday, August 23, 2008    Comments [0]

# Friday, August 22, 2008

Wells Fargo launches Secure Online Storage with Two-Factor Authentication

Hot on the heels of my post on Two-Factor Authentication, it appears that Wells Fargo is getting into the Cloud Storage business.

Their product, Wells Fargo vSafe, is part of your Online Banking account. It is a for pay service with the following pricing:

  • 1GB - $4.95 a month
  • 3GB - $9.95 a month
  • 6GB – $19.95 a month

Additionally, they are offering customers the option to sign into their vSafe accounts using what they call Advanced Access, aka Two-Factor Authentication using either:

vSafe has some nice features like:

  • Your Wells Fargo statements can get automatically archived in vSafe
  • Backup of your data
  • Geo-Redundancy

The only downside to this is that I cannot use my VeriSign VIP Token with WellsFargo since RSA SecurID and VeriSign do not interop. Personally I don’t want two dongles. Meanwhile the VeriSign VIP Token seems more widely supported (PayPal, eBay etc).

I think this is great news, and I fully expect that security will start to play a larger role in the coming years as companies start to compete based on their security offerings.

Posted Friday, August 22, 2008    Comments [1]

# Sunday, August 17, 2008

Two-Factor Authentication for the rest of us

I’ve always been skeptical of the usability of two-factor authentication. Specifically, Microsoft employs a form of Two-Factor authentication using a Smart Card. To get access to our corporate resources from outside our network you are required to enter your username + password, insert your Smart Card (which is our Badge) into a Smart Card Reader, and enter your PIN. The Smart Card contains a certificate that is used to identify you to Microsoft (in addition to your username and password).

The problem with this is that each computer that you want to use to connect to corporate assets requires a Smart Card reader. Kind of a pain. Especially since laptops don’t have PCMCIA readers any more (replaced by Express Card).

When thinking about using two-factor authentication for securing non work assets, I just assumed this would be a hassle.

VeriSign Two-Factor Authentication

I knew that a while back PayPal started to offer a PayPal Security Key that you could use as an extra layer of security when signing into PayPal or eBay. This seems like a good idea after all, because PayPal is linked to my bank account and Credit Card, and eBay has one of my most important identities: my “seller reputation” is tied to it. An extra layer of security to sign into those sites seems like a good idea, but at what cost?

When I found out that VeriSign PIP (an OpenID provider among other things) started to offer extra security using a Security Token (and was compatible with the PayPal Security Key) I decided to give it a shot. After all, the entry price was $5. (The photo of the PayPal Security Key that accompanied this post is not reproduced here.)

In addition to the PayPal Security Key, VeriSign offers two additional solutions:

  1. VIP Security Card – a credit card sized Token
  2. USB Memory Key from SanDisk – a traditional USB Key with special software.

Both solutions cost more than $5 so I started with the PayPal key. I’m not interested in #2 since I view it as more of a hassle to have to insert something into a computer.

I received my PayPal key the other day and immediately fell in love with it. It’s small, and easy to use and easily found a place on my key chain. For $5 it’s a steal.

However, I was wondering what the VIP Security Card was like.

Luckily I’ve been chatting with the folks at VeriSign over the past few days and they were kind enough to send me a VIP Security Card to play around with.

All I can say is WOW. This thing is awesome. It’s the exact same size and dimensions as a credit card. I assumed it would be thick because it appears to have some kind of LCD. But actually it’s a form of screen similar to the Amazon Kindle. It consumes no power to display the current code, only to change it. Your security code is only ever valid for 30 seconds and each one is unique (One Time Password). (Photos not reproduced here.)

Personally, I prefer this format since I can just throw it in my wallet and my wallet is always with me, unlike my keys.

Other Two-Factor Authentication systems

I should point out that two-factor authentication does not have to be limited to physical tokens like the ones mentioned above. There are numerous other mechanisms that other OpenID providers utilize. VeriSign summarizes a whole slew of them here.

SSL Certificates

VeriSign and myOpenID both support SSL Client Certificates, but they both implement them differently.

Most people are familiar with server-side SSL certificates. These are what practically every ecommerce site or financial institution uses to encrypt the information between you and them, so that the bad guys cannot sniff your traffic and steal your credit card or other personal information. Generally speaking these have been adequate protection for hundreds of billions of dollars in transactions over the years. Since it's hard for the bad guy to pretend to be the server you are interacting with, they tend to focus on things like phishing and man-in-the-middle attacks to steal your username and password (and now DNS exploits).

For years we have been trained to look for the “lock” icon when dealing with secure websites.

image

Over time this has evolved to include more prominent UI features as you can see below in IE 7

image 

and FireFox 3

image

However, little attention has ever been paid to client-side SSL certificates. They work just like server-side certificates except that the authentication is mutual. In other words, not only do you validate that the web site is who it says it is, but the web site validates that you are who you say you are. There is no shared secret involved: you hold a private key that never leaves your machine, and the certificate binds the matching public key to your identity. During the SSL handshake the server asks for your certificate, you sign part of the handshake with your private key, and the server checks that signature against the public key in the certificate and checks that the certificate was issued by a certificate authority it trusts. Sounds complicated? It might, but this is the basis upon which Public Key Infrastructure (PKI) is built.

At the end of the day, what you need to know is that this becomes a two-factor mechanism when you install a client certificate on each computer you plan to log in from. After you authenticate to the service (in this case the OpenID provider) with your username and password, the service has an additional layer of authentication via your client certificate. It's like a "soft token" (a software version of a hardware token, like those mentioned above). One caveat: a certificate stored on the computer is only as strong as that computer, since anything that can run as you on that machine can use it, whereas the hardware tokens above never expose their secret.

VeriSign and myOpenID have two different uses for SSL client certificates. For VeriSign they work much like a hardware token, meaning you have to possess the client certificate and your username and password to gain access. If you don't have your client certificate installed you can have a temporary access code sent to your phone via SMS or to your email account.

myOpenID uses the SSL certificate as a way for you to log in to the site without entering your username and password. So in a way, it's a replacement for your password credential and works a bit like an Information Card.
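The two uses just described, as an added example that is neither VeriSign's nor myOpenID's code; the page does not describe either provider's internals. It works on the dictionary that Python's `SSLSocket.getpeercert()` returns after a handshake in which the server demanded a client certificate, and shows the check both uses need and that is easy to forget: the certificate has to be bound to a specific enrolled account, otherwise any certificate from the provider's CA would act as a second factor for any account. The CA name, the enrolment table and the sample certificate dictionary are all constructed for the example.

```python
import ssl
from typing import Dict, Optional

# Added example, not VeriSign or myOpenID code. Assumption: the provider runs
# its own client CA and records, per account, the serial of the enrolled cert.

# Hypothetical issuer name of the provider's client CA, in getpeercert() shape.
PROVIDER_CA = ((("organizationName", "Example OpenID Provider"),),
               (("commonName", "Example Client CA"),))

# Hypothetical enrolment table: account -> serial of the certificate it enrolled.
ENROLLED: Dict[str, str] = {"omar": "1A2B3C", "alice": "4D5E6F"}


def server_context(ca_file: str) -> ssl.SSLContext:
    """The handshake only yields a peer cert if we demanded one and the TLS
    layer verified its chain against our CA; getpeercert() is empty otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(ca_file)
    return ctx


def cert_serial(peercert: Optional[dict], now: float) -> Optional[str]:
    """Serial of a usable certificate, or None. Chain validity was checked by
    TLS; issuer and validity window are re-checked here so a cert from some
    other trusted CA, or an expired one, never reaches the account lookup."""
    if not peercert or peercert.get("issuer") != PROVIDER_CA:
        return None
    if now < ssl.cert_time_to_seconds(peercert["notBefore"]):
        return None
    if now >= ssl.cert_time_to_seconds(peercert["notAfter"]):
        return None
    return peercert["serialNumber"]


def second_factor_ok(peercert: Optional[dict], account: str, now: float) -> bool:
    """VeriSign style: the password already identified the account, and the
    certificate only counts if it is the one enrolled for THAT account."""
    serial = cert_serial(peercert, now)
    return serial is not None and ENROLLED.get(account) == serial


def account_for_cert(peercert: Optional[dict], now: float) -> Optional[str]:
    """myOpenID style: the certificate replaces the password, so the account
    is looked up from the certificate rather than the other way round."""
    serial = cert_serial(peercert, now)
    if serial is None:
        return None
    for account, enrolled_serial in ENROLLED.items():
        if enrolled_serial == serial:
            return account
    return None


# Constructed peer-cert dict in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "omar"),),),
    "issuer": PROVIDER_CA,
    "serialNumber": "1A2B3C",
    "notBefore": "Aug 17 00:00:00 2008 GMT",
    "notAfter": "Aug 17 00:00:00 2010 GMT",
}
DURING_VALIDITY = ssl.cert_time_to_seconds("Jan 10 00:00:00 2009 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan 10 00:00:00 2011 GMT")

if __name__ == "__main__":
    print(second_factor_ok(SAMPLE_CERT, "omar", DURING_VALIDITY))   # True
    print(second_factor_ok(SAMPLE_CERT, "alice", DURING_VALIDITY))  # False
    print(account_for_cert(SAMPLE_CERT, DURING_VALIDITY))           # omar
    print(account_for_cert(SAMPLE_CERT, AFTER_EXPIRY))              # None
```

Binding on the serial rather than on the subject name is deliberate: the provider issues the certificates itself, so the serial is the one field it controls end to end, and a user who re-enrols simply gets a new serial recorded.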

Image Authentication

Some services like myVidoop.com (another OpenID provider) use images as a second factor. After you log in you are presented with a series of images from categories that you pre-selected, mixed with pictures from random categories. Since only you know the categories you picked, you enter the special codes that correspond to the images in those categories. There is no password per se; your selection of the right images from the right categories is your password. Clever.

These images work in conjunction with a separate step in which you have to "activate" a browser. In other words, you only get to go through the image identification once you've confirmed the browser to myVidoop. If you have not, you can use SMS or email to temporarily activate your image authentication.

So in this case, your two factors are 1) proving the identity of the browser to the service and 2) authenticating using the images.

I have to admit, I’m still getting my head wrapped around this one. I haven’t yet figured out how they “identify” a browser.
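Both factors of the flow described above, as an added example that is not myVidoop's code. The page does not say how myVidoop identifies a browser, so the activation token here (a server-computed secret handed to the browser as a cookie once the user has proved control of the SMS or email channel) is one plausible mechanism and an assumption, not a description of their system. The category list, code alphabet and server key are constructed for the example. The image part shows the property that makes the scheme work: the codes overlaid on the pictures are fresh on every login, so what the user types is never the same twice, and only the chosen categories are the long-term secret.

```python
import hashlib
import hmac
import random
import secrets
from typing import List, Optional, Set, Tuple

# Added example, not myVidoop code. Assumption: a browser is "activated" by a
# server-issued token kept in a cookie; the page does not say how it is done.

SERVER_KEY = secrets.token_bytes(32)  # hypothetical long-lived server secret


# --- Factor 1: browser activation -------------------------------------------

def issue_browser_token(username: str, browser_id: str) -> str:
    """Set as a cookie after the user confirms the SMS/email activation link.
    Bound to the account and to a random id minted for this browser, so the
    cookie is useless on another account and cannot be forged without the key."""
    msg = f"{username}\x00{browser_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def browser_activated(username: str, browser_id: str, token: str) -> bool:
    expected = issue_browser_token(username, browser_id)
    return hmac.compare_digest(expected, token)


# --- Factor 2: image categories ---------------------------------------------

CATEGORIES = ["cats", "dogs", "cars", "boats", "trees", "planes",
              "flowers", "houses", "birds", "fish", "bikes", "fruit"]
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # no I or O: easy to read off a picture

Grid = List[Tuple[str, str]]  # (category of the picture, code overlaid on it)


def make_grid(seed: Optional[int] = None) -> Grid:
    """One picture per category, each overlaid with a fresh random code.
    A seed is only for reproducible demos; a live server must leave it None
    so the codes come from the OS random source."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    codes = rng.sample(CODE_ALPHABET, len(CATEGORIES))
    cats = CATEGORIES[:]
    rng.shuffle(cats)
    return list(zip(cats, codes))


def expected_codes(grid: Grid, user_categories: Set[str]) -> Set[str]:
    """The codes sitting on the pictures from the user's secret categories."""
    return {code for cat, code in grid if cat in user_categories}


def images_ok(grid: Grid, user_categories: Set[str], typed: str) -> bool:
    """The user may type the codes in any order and in either case."""
    typed_codes = set(typed.upper())
    if len(typed_codes) != len(typed):
        return False  # a repeated letter is never a valid answer
    return typed_codes == expected_codes(grid, user_categories)


def login(username: str, browser_id: str, token: str,
          grid: Grid, user_categories: Set[str], typed: str) -> str:
    """The order the post describes: the image step is only offered from an
    activated browser; otherwise the user is sent the SMS/email activation."""
    if not browser_activated(username, browser_id, token):
        return "activate-browser"
    return "ok" if images_ok(grid, user_categories, typed) else "denied"


if __name__ == "__main__":
    my_categories = {"cats", "dogs", "fish"}
    grid = make_grid(seed=7)
    answer = "".join(sorted(expected_codes(grid, my_categories)))
    token = issue_browser_token("omar", "browser-1")
    print(login("omar", "browser-1", token, grid, my_categories, answer))  # ok
    print(login("omar", "browser-2", token, grid, my_categories, answer))  # activate-browser
```

One design note: the grid must be generated per attempt and kept server side, and the server must compare against the codes it rendered, not against anything the browser sends back about which pictures were shown.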

Phone Based Authentication

There are two forms of phone authentication that I've run into: voice authentication, which myOpenID uses, and SMS-based authentication, which a number of services use.

CallVerifID is a service myOpenID runs that allows you to use your plain old telephone to authenticate. When you sign in to myOpenID you receive a phone call from them; press # to confirm. Very simple.

SMS verification is currently supported by VeriSign and myVidoop to allow authentication in the case where your primary two-factor mechanism is not available. This comes in very handy, say, if I am not near my hardware token, or I'm too lazy to go get it from my wallet and my iPhone is right in front of me :-).
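A fallback code is only as strong as the rules around it, since an attacker who cannot get at your token can still guess at a six-digit number. The following is an added example, not VeriSign's or myVidoop's code (the page says only that they fall back to an SMS code), of what such a temporary code needs so that the fallback is not the weakest link: random, short-lived, single-use, limited to a few guesses, and stored hashed so a leaked database does not expose live codes. The code length, lifetime and attempt limit are chosen for the example, and the SMS sender is injected so it runs offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

# Added example, not VeriSign or myVidoop code. Assumed policy: 6 digits,
# 5-minute lifetime, 3 guesses, one successful use.

CODE_LENGTH = 6
TTL_SECONDS = 5 * 60
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    digest: bytes          # hash of the code, never the code itself
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SmsFallback:
    def __init__(self, send_sms: Callable[[str, str], None]):
        self.send_sms = send_sms            # send_sms(phone, text)
        self.pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(account: str, code: str) -> bytes:
        # Tie the hash to the account so one code cannot be replayed elsewhere.
        return hashlib.sha256(f"{account}:{code}".encode()).digest()

    def issue(self, account: str, phone: str, now: float) -> None:
        """Generate a fresh code from the OS random source and send it over the
        out-of-band channel. Re-issuing replaces any code still pending."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[account] = PendingCode(self._digest(account, code),
                                            now + TTL_SECONDS)
        self.send_sms(phone, f"Your temporary access code is {code}")

    def redeem(self, account: str, code: str, now: float) -> bool:
        p = self.pending.get(account)
        if p is None:
            return False                       # nothing pending (or already used)
        if now >= p.expires_at:
            del self.pending[account]          # too old: the user must ask again
            return False
        if hmac.compare_digest(p.digest, self._digest(account, code)):
            del self.pending[account]          # single use
            return True
        p.attempts_left -= 1
        if p.attempts_left <= 0:
            del self.pending[account]          # guessed wrong too often: start over
        return False


if __name__ == "__main__":
    # Constructed "carrier": just records what would have been texted.
    outbox = []
    fallback = SmsFallback(lambda phone, text: outbox.append((phone, text)))
    fallback.issue("omar", "+1 555 0100", now=1000.0)
    sent_code = outbox[-1][1].split()[-1]
    print(fallback.redeem("omar", sent_code, now=1010.0))  # True
    print(fallback.redeem("omar", sent_code, now=1011.0))  # False, already used
```

With three guesses against a six-digit space an attacker's odds per SMS are 3 in 1,000,000, and each new SMS is something the real account owner notices; without the attempt limit the same code could be brute-forced in the five minutes it is valid.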

Final Thoughts

As you can see, there are numerous options today for two-factor authentication. You can immediately secure assets such as your PayPal and eBay accounts with any VeriSign VIP product. Furthermore, as OpenID continues to gain in popularity, you'll have more options for securing your identity on other services.

I’d say this is progress.

Posted Sunday, August 17, 2008    Comments [9]