Google’s Dirk Balfanz wrote in a Google+ post last night:

Looks like people have found the page for an experiment we’ve been running for phone-based authentication.

I’ll label that experimental page appropriately when I get a chance so people don’t start depending on an unsupported feature…

So there you have it. They’re working on something “even better”. We’ll just have to stay tuned to find out what that is.

Of course, Google already has its two-step verification.

Google says that "a much larger number of people" complete the email verification process when OpenID is used. 

"Some websites use the OpenID standard so that users don’t even need to type a password to sign in," says Tzvika Barenholz of Google’s Internet Identity Team. "While Google does not yet support the usage of OpenID for replacing passwords on its own sites, we are involved in the OpenID community’s efforts to research how to best implement that type of support."

When a Yahoo users signs up, they will see the following page, and when they click the verification button, they will get the page under that from Yahoo. 

"Other websites that need to verify a user’s email address can also implement this technique using Yahoo!’s OpenID API," says Barenholz. "In addition, it can be used to verify the addresses of Gmail and Google Apps users because those email systems expose the necessary APIs for OpenID. For example, Plaxo is one of the many websites that takes advantage of this feature of Gmail and Yahoo! Mail."

Google is currently only offering the OpenID feature for Yahoo users, but it intends to expand support to other services.

"The move to OAuth will mean increased security and a better experience. Applications won’t store your username and password, and if you change your password, applications will continue to work," says Twitter’s Carolyn Penner says, "With OAuth, you still individually approve each application before using it, and you can revoke access at any time."

"In order for Twitter applications to access your account, developers have been able to choose one of two authentication methods: Basic Authentication or OAuth," says Penner. "Both require your permission, but there is an important difference. With Basic Auth, you provide your username and password for the app to access Twitter, and the application has to store and send this information over the Internet each time you use the app. With OAuth, this isn’t the case. Instead, you approve an application to access Twitter, and the application doesn’t store your password."

A lot of Twitter users are already using apps that use OAuth. Echofon, TweetDeck, Twitterrific, Seesmic, and Twitter for Android, iPhone, and Blackberry already use it.

Twitter users can go to the "Connections" section under settings and see what all apps they’ve authorized and to revoke access if necessary. If you’re not using the latest versions of any apps, they may stop working because of the change.

"Using the IP address you provide to us, our automated system can determine your broad geographic location. If you log in using a remote IP address, our system will flag it for you," explains Google product manager Yariv Adan on the company’s Public Policy blog. "So if you normally log into your account from your home in California and then a few hours later your account is logged in from France, you’ll get a notice like the one above at the top of your Dashboard page – alerting you to the change and providing links for more details."

"When you get this notice and if you think your account has been compromised, you can then change your password directly from the ‘more details’ pop-up window," adds Adan. Users can click "dismiss" if they know the log-in was legitimate.

Google has also added a link at the bottom of the Dashboard page that lets users easily report an issue.

The first one we’ll consider a natural anomaly of human behavior. After all, some people like to be punished. As for the other one, for 15 years or so, we’ve been satisfied with—well, tolerant of—the remote possibility we’re being duped, if not constantly, then significantly more often than in real life.

Anonymity online might as well be enshrined alongside the First Amendment: Congress shall make no law…abridging the freedom of speech, or of the press…or the right to be an anonymous jerk online.

Well, sometimes the anonymity is for protection, so it’s kind of important, and efforts to squash anonymity are doomed to fail. On the flipside of that, though, are impersonators. Which of these Twitter profiles is actually the official John McCain one? How do you know, at a glance, if this is John Mellencamp’s official MySpace page, or one a fan has set up? At least Fake Steve Jobs was up front about the fakeness, but how easy is it to spoof anybody or any organization online?

Currently, the only recourse for companies like Exxon is either a legal one—in Exxon’s case, they only needed an online press source to report the information—or a community of online investigators to call foul. One method is expensive and time consuming, and the other depends on a fluke chance somebody is aware and cares enough that somebody else is a fraud.

So what’s needed is some method for verification, especially when it comes to social media. New social media applications pop up every day: new micro-blogging services, new social networks, new video sites, new blogging platforms, you name it. Along with those free new services will come not just posers and pranksters, but also sploggers and infringers trying to capitalize for whatever motivation suits them.

Recently, our Twellow released a new feature that allows people to associate their other social networking profiles with their Twitter account. And while that’s very cool, and a step in the right direction, there is still, if a fraudster is persistent enough, no way to be absolutely sure a person is who they say they are.

I’ve kicked this idea around that we need some kind of social media authentication method and I thought Twellow would be the perfect base for that. I posed the idea to the boss, and he thinks I should, in true online community form, kick it around cyberspace and get some feedback from the WebProNews community.

So here goes: We should create a one-stop directory of the different online presences a company or person has, which would include website(s), official blog(s), social networking profiles, etc., which becomes the official Internet resource for verifying those sources. How do we do that? We develop a model that is, in part, much like IMDB’s or Wikipedia’s. The other part isn’t quite so, well, free, but perhaps very necessary. 

Stage One, Social Media Authentication Wiki: Harness the power of the wiki to create a profile of profiles for each entity. There are too many companies/online personas to manually try to verify and enter into a system, and too many to maintain. After all, we have other things going on. Crowdsourcing, then, becomes crucial. Using a wiki-model, the community, which includes not just the companies and personas in question, but anyone with an interest in this type of cataloging, could create and maintain a list of known official channels of communication for said companies and personalities. Who would want to? In Exxon’s case, Exxon would, and if they didn’t, fans of Exxon might—or of Courtney Love, for that matter, anybody who doesn’t like posers.

The flip side of that is, of course, a corresponding database of phonies and known furries. Just kidding about the furries. The community could create a place they can point to and say "This blog is legit, but that Twitter profile is not."

One notes right away the wiki model is still not perfect for authentication purposes, especially with a publicly editable profile of profiles, not if you need something absolutely rock solid. Right, and it won’t be perfect based on that, but the community could, just like they’ve done with Wikipedia and IMDB, create a vast and likely accurate database of profiles in a relatively short amount of time.

And that’s when we bring in the business side of this, which is…

Stage Two, Official Profile Lock-In: Once the community has formed its profile of profiles database, the companies and/or personalities involved have a chance to make a final edit and lock it in as the complete list of their official online communication channels. How do we go about authenticating it is the actual company or person seeking to lock in that information? We charge them, of course, a subscription fee. I figure no imposter will pony up actual money to secure their kicks of pretending to be somebody else. For so much a month or year, profiles can be locked in and are no longer community maintained—unless the subscription lapses, and then all bets are off, which becomes motivation itself to renew. Locked-in profiles then can only be edited by those officials in charge of them.   

The only remaining issue is blog comments, and I include this under the paid services part of the proposal because the wiki section would be primetime for abuse in this regard. I was proud of myself the day Sir Tim Berners-Lee told me in the comments section below an article I wasn’t quite grasping his semantic web concept . How do I know it was the TBL? Well, um, he sounded really smart and talked over my head the whole time. The profile of profiles concept could allow Tim, or others to include how they present themselves in blog comments. However, there’s no control for this in the wild, and posting your preferred commentary handle could only be further abused, and perhaps more effectively abused, by imposters. Another possible service presents itself in the form of authenticated comment handles, perhaps a line of code they could purchase or be issued that says, officially, "This is the real me commenting." That might take some technological wizardry to pull off, though.

Okay, readers, how am I doing on this concept? What’s wrong with it? How could it be better? Is it worth a shot or am I kicking dirt out in left field?