The password that calls you: CallVerifID

On Monday, JanRain, which makes the clever multi-service OpenID login box, OpenID Selector, is expected to announce a security improvement for its own MyOpenID service. The new system, CallVerifID, uses your mobile phone to perform an extra security measure before it will authenticate you on its service. It works like this: When you want to authenticate a site using MyOpenID, first you sign on as usual, with your user ID and password. Then the service calls your phone at the number you've given it. All you have to do is pick up the phone and press # to confirm. If you don't, sign-on fails.

The addition of the phone as a new security factor means that even if someone steals your password, they won't be able to get into your OpenID-protected accounts unless they also have access to your phone. Furthermore, if you get an authentication call from MyOpenID that you're not expecting, it serves as an immediate warning that your password has been compromised.

Of course, if you have turned on phone authentication and you forget your phone (or are in an area with no mobile service), and you want to get into a protected account, you're up a creek. And you will definitely want to use your mobile with this service, since you can have only one number per account--it won't call multiple numbers (like home and work).

The system doesn't identify the site that kicked off the authentication request, which is also a bit of an oversight.

The CallVerifID service is optional. If you're a MyOpenID user but don't want this level of security, you don't have to use it at all. However, I recommend it. One of the scary things about OpenID is that if someone gets access to your account through your password, they immediately get access not just to all the accounts that you access via OpenID, but a roadmap to each of them as well, via your OpenID authenticator site's dashboard. This system, while incompletely implemented, gives OpenID a big security boost, at only a small penalty in convenience.