Areas of Expertise

  • Business Process Automation
  • App Development

Industries

  • Life Science
  • Non-Profits

Technology Used

Challenge

SpeakFriend Python OpenIDSimons Foundation is a private foundation based in New York City that funds research in mathematics and the basic sciences.

When it came to Six Feet Up, Simons Foundation was looking to replace their old authentication server with a more modern implementation. Six Feet Up architected and implemented SpeakFriend, an OpenID solution based off of the Python Web framework Pyramid that features a robust and user-friendly interface, advanced security, and increased speed.

Simons Foundation's old OpenID system was a Java application customized in a way which made it incompatible with the upstream code base. As a result, the system had diverged further and further away from the code base, and put the Foundation at risk for security vulnerabilities. The system also had redundant code, as well as a clunky interface.

Implementation Details

A Pyramid-based OpenID solution

Six Feet Up architected and implemented an OpenID solution based off of the Python Web framework Pyramid, using solid open-source tools such as PostgreSQL, Twitter Bootstrap and PassLib.

Six Feet Up's Open ID solution helps defeat brute force attacks by artificially increasing the time it takes to authenticate users and passwords.

The new system also boasts a brand new UI aimed at providing both admin and end-users with a faster, more intuitive and more modern experience. For instance, admin users can manage users and user access more easily with the new implementation.

OpenID Home Screen - SpeakFriend

Usability and Features

The OpenID solution allows users to:

  • Use a search bar that uses full-text search (previously had to search specific fields) to look up information
  • Disable users right from the user list (vs. from the profile page)
  • Prompt password reset from the user list
  • Review stats on last login, account creation, etc.
  • Review and manage the domains included in the OpenID implementation via a Domain management interface
  • Use various reporting tools and send the data to Excel
  • Leverage an admin control panel to create variables (e.g. who can receive email sent to the "contact us" form, set the maximum number of login attempts before access is disabled, set how long is the password reset link is valid for, etc.)

In addition end-users now can:

  • Enjoy the same password strength security as in Dropbox, thanks to a widget that measures the entropy of the characters in the password and rates it in a toolbar in real-time
  • Get redirected to the main Plone site immediately after registering an account.
  • Get their previously-stored password hashes automatically updated to current best practices thanks to "PassLib"
  • Check a "remember me" box on the sign in page

"Working with Six Feet Up has been a pleasure. They replaced our OpenID system with a modern implementation and seamlessly integrated it with our other websites. This allowed us to improve the security of the application with little to no impact on the users and provided us with a solid foundation for us to build on in the future." - Chris Fleisch, Programmer/Analyst at Simons Foundation

Performance

From a performance standpoint, the new OpenID implementation offers record stats, with performance log under 20 milliseconds. The only view that takes longer than this is the actual login form, which is by design. The login form takes longer to hash users' passwords to mitigate automated brute-force attacks.

OpenID Domain Management - SpeakFriend

Security

Security was also greatly improved in this new OpenID implementation: when new accounts are created, admins get automatically notified by email. And when users makes changes to their profiles, they also receive an automated confirmation email which can be highly customized.

OpenID Users - SpeakFriend

Results

To summarize, Six Feet Up's modern implementation of OpenID using Pyramid is focused on security and simplicity. Its robustness relies on a well-maintained library that has been well tested, and the redesign of the UI makes it a very intuitive tool for both end-users and admins.

The solution is in use in production, supporting federated login to four independent websites.

Are you ready to start your next project?

Let's Talk