MySpace Joins OpenID Coalition

timothy posted more than 6 years ago | from the inflection-point-perhaps dept.

Social Networks 272

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

fuck (-1, Flamebait)

Adolf Hitroll (562418) | more than 6 years ago | (#24304197)

every myspacer I know is a lifeless idiot.

sock puppets (1)

Zero_Independent (664974) | more than 6 years ago | (#24304231)

But then how can I have multiple accounts for sock puppetry?

Obligatory (0)

Anonymous Coward | more than 6 years ago | (#24304245)

OMG!!

Anonymous SSO? (2, Interesting)

cayenne8 (626475) | more than 6 years ago | (#24304387)

So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.

Re:Anonymous SSO? (5, Informative)

thrillseeker (518224) | more than 6 years ago | (#24304541)

The openid protocol allows you to limit the information given to the system you're logging into to a minimum of "authenticated" - that is, no additional information such as a (verified) email address is passed, though one is still required for an openid account establishment. It's up to the requesting system whether that minimal information is sufficient. Of course, your IP address can still be captured unless you use an anonymizing proxy.

Re:Anonymous SSO? (3, Interesting)

0xygen (595606) | more than 6 years ago | (#24304981)

I would really like there to be different levels of how "signed-in" you are, and me be able to set on the site how "signed-in" I must be for the account to be accepted.

For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.

My password might be needed for "level 2" allowing me into my webmail.

A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.

With the current state of affairs though, I think we can but dream...

Re:Anonymous SSO? (-1, Flamebait)

Tiber (613512) | more than 6 years ago | (#24305333)

Hopefully. For a closeted homosexual such as yourself I will open a ticket in our Ministry of Bugs.

Defeat the purpose? (5, Insightful)

kgwilliam (998911) | more than 6 years ago | (#24304253)

"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?

Re:Defeat the purpose? (0)

Anonymous Coward | more than 6 years ago | (#24304347)

did you miss the word "initially"?

Re:Defeat the purpose? (5, Insightful)

CastrTroy (595695) | more than 6 years ago | (#24304421)

What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.

Re:Defeat the purpose? (5, Interesting)

maxume (22995) | more than 6 years ago | (#24304507)

You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

Re:Defeat the purpose? (0)

Anonymous Coward | more than 6 years ago | (#24304675)

Additionally you can have multiple OpenIDs by multiple providers. The technology just solves the problem of per-site registration and authentication. It provides the "mechanism" and you can choose your own "policy".

Re:Defeat the purpose? (0)

Anonymous Coward | more than 6 years ago | (#24305379)

Another nice thing is that you can use your own domain name and delegate to other OpenID providers. So if you decide your OpenID provider sucks, you can change very easily without changing your id URL.

I initially thought about running my own OpenID server until I found out about the delegation feature.

Re:Defeat the purpose? (5, Interesting)

Chyeld (713439) | more than 6 years ago | (#24304871)

It doesn't. And you aren't.

Implemented properly, OpenID works thusly:

You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truly "JimBob" of "random URL".

The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does its jig and passes back the results.

The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'official' authenticator for "JimBob" of "random URL".

This provides you ultimate control, and you aren't passing anything to anyone that you haven't chosen to trust.

The problem, at least for me, is that almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers set up as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.
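The discovery step described in the comment above, from the relying site's side, as an added example that is not part of the original comment or of any OpenID library: it reads the `openid.server` / `openid.delegate` (OpenID 1.x) and `openid2.provider` / `openid2.local_id` (OpenID 2.0) link elements from the page at the user's URL. The function names and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# (endpoint rel, local-identifier rel) pairs used by HTML discovery,
# OpenID 2.0 first, then OpenID 1.x.
REL_PAIRS = (("openid2.provider", "openid2.local_id"),
             ("openid.server", "openid.delegate"))


class _HeadLinks(HTMLParser):
    """Collect <link rel href> elements, but only from the document <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.links = {}  # rel token -> first href seen

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            self.in_head, self.head_done = False, True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = attr.get("href")
            # rel may carry several space-separated tokens
            for rel in (attr.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            # A later <head> (e.g. inside user-supplied body markup) is ignored.
            self.in_head, self.head_done = False, True


def normalize_claimed_id(user_input):
    """Turn what the user typed into the URL that keys their account."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("identifier must be an http(s) URL")
    # Lowercase scheme and host, default the path to "/", drop any fragment.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(user_input, page_html):
    """Return the claimed identifier, the provider endpoint and the local id."""
    claimed_id = normalize_claimed_id(user_input)
    parser = _HeadLinks()
    parser.feed(page_html)
    for version, (ep_rel, id_rel) in zip(("2.0", "1.x"), REL_PAIRS):
        endpoint = parser.links.get(ep_rel)
        if endpoint is None:
            continue
        if urlsplit(endpoint).scheme.lower() not in ("http", "https"):
            raise ValueError("provider endpoint must be an http(s) URL")
        return {
            "version": version,
            "claimed_id": claimed_id,  # what the relying site stores
            "endpoint": endpoint,      # where the user is sent to log in
            # Without a delegate, the provider knows the user by the same URL.
            "local_id": parser.links.get(id_rel, claimed_id),
        }
    raise LookupError("page advertises no OpenID provider in its <head>")


# Constructed sample pages: the same personal URL before and after the
# owner switches provider, and a page whose only link sits in the body.
PAGE_BEFORE = """<html><head><title>JimBob</title>
<link rel="openid.server" href="https://provider-one.example/auth">
<link rel="openid.delegate" href="https://provider-one.example/jimbob">
</head><body>hello</body></html>"""

PAGE_AFTER = """<html><head><title>JimBob</title>
<link rel="openid2.provider openid.server" href="https://provider-two.example/endpoint" />
<link rel="openid2.local_id openid.delegate" href="https://provider-two.example/u/jimbob" />
</head><body>hello</body></html>"""

PAGE_BODY_ONLY = """<html><head><title>blog</title></head><body>
<p>reader comment: <head><link rel="openid.server" href="https://untrusted.example/auth"></head></p>
</body></html>"""

if __name__ == "__main__":
    for page in (PAGE_BEFORE, PAGE_AFTER):
        print(discover("JimBob.example.org", page))
```

The account key (`claimed_id`) is identical for both pages even though the provider changed, which is the property the comment relies on; it also means whoever can edit that page controls the identity.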

Re:Defeat the purpose? (1)

spottedkangaroo (451692) | more than 6 years ago | (#24304877)

authentication vs authorization...

Normally you'd only use openid for authentication (who are you) and there would be an additional password mechanism for authorization (do I have the right to be here).

Both could be combined with other methods, or you could create your own openid provider ...

You can also delegate your website to a provider of choice, and if they start sucking you can change to another provider without changing your credentials at the sites you frequent.

Re:Defeat the purpose? (5, Insightful)

Wolfger (96957) | more than 6 years ago | (#24304491)

Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.

Re:Defeat the purpose? (2, Informative)

sam0737 (648914) | more than 6 years ago | (#24305025)

At least you can use OpenID to comment on a blog on Blogger.
Setting up a WordPress with OpenID enabled is also very easy, by installing a plugin.

It may not be looking good today, but as soon as they start seeing that supporting OpenID as a means of authentication means opening the business to potentially many more people, they will make a change someday.

Web Monoculture (0)

Anonymous Coward | more than 6 years ago | (#24304853)

Developments like this are pretty shocking, especially when you see that the same people proclaiming this as a glorious triumph are the same people who attack Microsoft Windows for creating some kind of magical "operating system monoculture" (let us, as usual, purposely ignore the fact that client/server computing negates that).

IMO, this kind of authentication monoculture is more dangerous than just about anything else I've heard. If someone hacks my email (for example), they don't get carte blanche to either open accounts elsewhere or check all my other accounts. But OpenID will change all that.

So people don't care that it's insecure... just so long as it's an open and standards-based lack of security.

Re:Web Monoculture (1)

Chyeld (713439) | more than 6 years ago | (#24305113)

You either need to look up the definition of monoculture or actually educate yourself on the underpinnings of OpenID. You obviously misunderstand one or the other.

Monoculture means everyone depends on the exact same thing. OpenID is not only the exact opposite, providing control over how you are authenticated to you, but it provides an almost immediate method of mitigating an attack. Someone take over your authentication server? Use a different one.

Re:Defeat the purpose? (0)

Anonymous Coward | more than 6 years ago | (#24304879)

"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere"

Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ.

No, not at all. It means you can use your MySpace ID as that single-sign on.

You don't need to create an OpenID for MySpace - your existing MySpace login is automatically an OpenID. The point is you can now use your MySpace ID to log in elsewhere. You don't need to create a different OpenID for site XYZ.

Re:Defeat the purpose? (3, Informative)

ohtani (154270) | more than 6 years ago | (#24304905)

You completely misunderstood the article and the concept of OpenID.

The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication for (e.g., MySpace) allows you to login to other sites which support OpenID as a method of authentication. So if I had a user account on MySpace named ohtani, I would login to another site as www.myspace.com/ohtani. I am then redirected to the MySpace website to login if I am not already logged in, and asked to accept that MySpace can pass on the credentials to the site I'm logging in to. That link is then established and the OpenID supporting site marks me as authenticated as the MySpace user.

This is where it gets tricky for places like MySpace: Say I used Yahoo! as an OpenID provider. Or even my own website (which currently does indeed allow me to login with OpenID elsewhere). MySpace can't exactly have a user like me login to their service as my website and edit my profile. They have to have some form of a mechanism of creating the user at that point if that OpenID name has never been seen. But the user name used (the OpenID URI) is, well, odd for MySpace. So they'd probably ask one to choose a MySpace user name that would map to it. From there, MySpace would allow one to login to that account any time that OpenID is used for authentication. At least that's PROBABLY what will happen. Not all sites work like this. For example, LiveJournal (created by the very people who helped make OpenID) lets one login with an OpenID, but an account with that OpenID is then created with limited functionality. Friends and comments are allowed, but no posting to your own journal.

OpenID support doesn't require you to "create" an OpenID to use it. Your existing user ID on an OpenID provider IS your OpenID. Any site that becomes an OpenID provider is simply allowing you to use an OpenID name they specify to you (often in the form of username.domain.tld or domain.tld/username) to log in elsewhere. You do nothing but just use it elsewhere. There are popular sites supporting OpenID. There are also plug-ins for blogging software to support being an OpenID provider or consumer.

On a different note, with OpenID becoming more and more popular, this will mean that we DO have to be careful and come up with a mechanism for anti-spam via OpenID, especially in cases where the system is more automated like LiveJournal's. Or else a spammer could simply have one domain and with that domain an infinite number of users able to login by simply changing the OpenID slightly (e.g.: a.example.com, b.example.com, c.example.com, aa.example.com, etc.).
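One possible shape for the anti-spam mechanism the comment above asks for, as an added example that is not part of the original comment or of any OpenID software: a relying site limits how many never-before-seen identifiers it auto-creates accounts for per parent domain in a time window. The class name, the limits and the "last two labels" domain grouping are assumptions; a real deployment would group with the Public Suffix List.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit


class NewIdentityThrottle:
    """Sliding-window cap on first-time OpenID identifiers per parent domain."""

    def __init__(self, max_new, window_seconds, overrides=None):
        self.max_new = max_new
        self.window = window_seconds
        # Higher caps for large, known providers whose users all share one
        # domain (the domain.tld/username identifier form).
        self.overrides = dict(overrides or {})
        self._seen = set()                  # identifiers that already have an account
        self._events = defaultdict(deque)   # parent domain -> first-seen timestamps

    @staticmethod
    def group_key(openid_url):
        """Parent domain of the identifier (assumption: last two host labels)."""
        host = (urlsplit(openid_url).hostname or "").lower().rstrip(".")
        return ".".join(host.split(".")[-2:])

    def allow(self, openid_url, now):
        """Return True if an account may be used or created for this identifier."""
        if openid_url in self._seen:
            return True                     # returning user, never throttled
        key = self.group_key(openid_url)
        events = self._events[key]
        # Drop first-seen events that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.overrides.get(key, self.max_new):
            return False                    # too many new identities from this domain
        events.append(now)
        self._seen.add(openid_url)
        return True


def demo():
    """Replay constructed logins: (seconds since start, identifier)."""
    throttle = NewIdentityThrottle(max_new=3, window_seconds=3600,
                                   overrides={"myspace.com": 1000})
    logins = [
        (0, "http://a.example.com/"),
        (1, "http://b.example.com/"),
        (2, "http://c.example.com/"),
        (3, "http://aa.example.com/"),         # 4th new identity in the hour
        (3, "http://someone.example.org/"),    # different parent domain
        (4, "http://a.example.com/"),          # already known
        (5, "http://www.myspace.com/ohtani"),  # provider with a raised cap
        (3700, "http://aa.example.com/"),      # window has moved on
    ]
    return [throttle.allow(url, t) for t, url in logins]


if __name__ == "__main__":
    print(demo())
```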

Microsoft Support (2)

techiemikey (1126169) | more than 6 years ago | (#24304255)

"now if only Microsoft would support it"
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.

Re:Microsoft Support (1)

Langfat (953252) | more than 6 years ago | (#24304369)

I agree. I doubt Microsoft would choose to use anything with 'Open' in the title. I'm serious, there are ideological considerations (too similar to 'Open Source').

Also it seems to me that Microsoft would always choose a Microsoft owned and operated initiative than one put forth by others. Doesn't Microsoft already have something called a Passport or Windows Live ID or something? I'm sure they would prefer the world use that over OpenID...

Re:Microsoft Support (4, Insightful)

gbjbaanb (229885) | more than 6 years ago | (#24304787)

They do, Passpoor or maybe it's Windows Livid, or something like that I think it's called :-)

The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.

Re:Microsoft Support (1)

Prefader (1072814) | more than 6 years ago | (#24304845)

I doubt Microsoft would choose to use anything with 'Open' in the title.

Sure they would. [openxmldeveloper.org]

Re:Microsoft Support (1)

Amouth (879122) | more than 6 years ago | (#24305369)

MS has already tried this - and they put a lot of money into it too.. it is the PassPort system.

MS still uses it for their stuff - but when they first started it - the idea was that your passport login would be accepted everywhere..

that didn't happen - and it wasn't going to happen.

it is what we call a "nice to have" but not a requirement to function - nor is it solving an issue which prevents things from happening.

yes the passport system didn't have the same focus on limiting info passed between sites - but either way .. it still isn't going to work in this case.. cause for sites to accept an openid logon they are going to want more info than .. this person is authed

Re:Microsoft Support (1)

SimonGhent (57578) | more than 6 years ago | (#24305671)

MS still uses it for their stuff - but when they first started it - the idea was that your passport login would be accepted everywhere..

that didn't happen - and it wasn't going to happen.

I could be wrong, but I thought that you could log into at least Amazon with a MS PassPort. I did have one when I was an MSDN subscriber and haven't used it in years, so this could have changed. Or I could have imagined it...

Re:Microsoft Support (2, Insightful)

Renderer of Evil (604742) | more than 6 years ago | (#24304825)

hey, at least Slashdot supports OpenID oh wait...

Re:Microsoft Support (0)

Anonymous Coward | more than 6 years ago | (#24304843)

Blah Blah Blah... (5, Insightful)

anom (809433) | more than 6 years ago | (#24304263)

Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.

Mixed up Facebook and Myspace in TFS (4, Insightful)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24304297)

Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

Jesus fucking Christ, is proof-reading really that hard?

Re:Mixed up Facebook and Myspace in TFS (5, Funny)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24304339)

...pointing out that...

Wow, proof-reading really is that hard.

Re:Mixed up Facebook and Myspace in TFS (4, Funny)

jc42 (318812) | more than 6 years ago | (#24305217)

You just got bit by what's being called "Muphry's Law [upenn.edu] . Briefly, it says that any time you write a criticism of someone's spelling or grammar, what you write will inevitably contain a spelling or grammatical error.

The law has had other names, but people seem to like the idea of giving it a name that's a mispelling of the famous Murphy's Law.

(And note my two mispellings in this post. ;-)

Re:Mixed up Facebook and Myspace in TFS (1)

Anonymous Coward | more than 6 years ago | (#24304371)

Agreed. Is slashdot run by a coalition of amateurs?

Re:Mixed up Facebook and Myspace in TFS (0)

Anonymous Coward | more than 6 years ago | (#24305135)

You must be new here.

Problem (4, Interesting)

Rinisari (521266) | more than 6 years ago | (#24304329)

A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lock down their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

Re:Problem (2, Interesting)

Ngarrang (1023425) | more than 6 years ago | (#24304413)

OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else at the same time you've signed up for.

Re:Problem (2)

0xygen (595606) | more than 6 years ago | (#24304913)

I was thinking it would be nice to have a two-factor OpenID authentication provider, which might alleviate this, but only to a limited extent.
I gather Verisign already do this if you use them as your provider(!) with a SecurID-ish token.

I am my own OpenID provider, which scarily means that if my web hosting gets hacked, irrespective of what authentication I use, the hacker can impersonate me. So as you say, it does make a very tempting target with a single point of failure.

Re:Problem (3, Insightful)

TheRedSeven (1234758) | more than 6 years ago | (#24304419)

An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.

Re:Problem (5, Informative)

Anonymous Coward | more than 6 years ago | (#24304683)

So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.

Re:Problem (3, Insightful)

Jellybob (597204) | more than 6 years ago | (#24304933)

I know MyOpenID supports using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

Facebook or Myspace? (1, Redundant)

MrEricSir (398214) | more than 6 years ago | (#24304335)

"Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use"

The article doesn't mention Facebook. Is the poster sneaking in a snide remark about the similarities between the two sites?

Re:Facebook or Myspace? (1)

MadKeithV (102058) | more than 6 years ago | (#24305385)

Maybe someone should start a rip-off site called MyFace.com or SpaceBook.com ;-).

Insecure (1)

unity100 (970058) | more than 6 years ago | (#24304337)

losing just one password or openid databases getting hacked will mean loss of all services related to it, even if they have other login systems.

Re:Insecure (2, Interesting)

Scotteh (885130) | more than 6 years ago | (#24304447)

If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.

Re:Insecure (1)

unity100 (970058) | more than 6 years ago | (#24305099)

losing does not mean 'losing instantly and immediately canceling'.

by the time you cancel (and if you can, actually manage to cancel) your details in all those sites would have gone out into the wild already. it's not a credit card. a credit card and its debts are still under bank's control regardless of whether it's lost or not. your personal details are not as such.

Re:Insecure (2, Interesting)

thrillseeker (518224) | more than 6 years ago | (#24304753)

That's why you use a very secure password with an openid provider with a good reputation - which would probably not be Myspace or the like, but a dedicated openid provider that has been around a while. Some providers allow the use of a signed certificate to facilitate the login - that is you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted machine at home and the openid provider, which bypasses the password handshake by exchanging the certificate data automatically.

FB V MS (0, Redundant)

Amorymeltzer (1213818) | more than 6 years ago | (#24304357)

That should read "MySpace's 100 million users" not Facebook's.

Facebook is vastly smaller than Myspace, and isn't the point of the story.

Re:FB V MS (0)

Anonymous Coward | more than 6 years ago | (#24304515)

http://www.facebook.com/press/info.php?statistics [facebook.com]

Vastly? Facebook has 80 million active users.

The summary is wrong, but let's not compound the issue with more incorrect information.

Sounds Scary (0)

Anonymous Coward | more than 6 years ago | (#24304377)

Sounds scary, I like having different identities for various sites. I am sure if people tried hard enough they could figure out my other aliases, but it wouldn't be easy.

Damned MS... (2, Insightful)

db32 (862117) | more than 6 years ago | (#24304389)

I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.

Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.

Re:Damned MS... (1)

sam0737 (648914) | more than 6 years ago | (#24304713)

If you are so skeptical, you can make an OpenID provider by yourself.
Just buy a domain and host it somewhere (or your home), and then put whatever authentication process you want (from auto authenticate to two-factor + bio + OTP).

This is the power of OpenID! It liberates the ID! The domain owner controls the actual authentication way, OpenID just cares about how this ticket is transferred between the provider and the client.

If you don't trust any provider, you just make up your own, there are a lot of PHP scripts out there to implement a simple password based authentication, it's just that easy.

As a bonus, your OpenID will be identified as you@your-cool-domain.com

Re:Damned MS... (2, Insightful)

CastrTroy (595695) | more than 6 years ago | (#24305503)

Yes, because everyone in the world should go ahead and create their own domain name, pay for a hosting service (or host their own servers), just so they don't have to remember multiple passwords. Sorry, I'll just stick with PasswordSafe for now.

Re:Damned MS... (0)

Anonymous Coward | more than 6 years ago | (#24304829)

Um. That's not how it works.

You log in to site A. This is the site you made an account with.

You go to site B that your friend has an account at.

You take the URL to your page there (like say, http://slashdot.org/~db32 ) and put it in the OpenID specific field. You are then redirected to site A to confirm this is you (remember you're still logged in there?) and after that, you have a lil' account there that only holds a link to your page on site A.

With said account, you can be added to friends and add friends.

Anyone could post your URL but they won't be able to use it without the login and ID to site A.

Re:Damned MS... (2, Interesting)

gbjbaanb (229885) | more than 6 years ago | (#24304901)

And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

You mean like Passport (or Windows Live ID) is a good idea?

At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.

Re:Damned MS... (0)

Anonymous Coward | more than 6 years ago | (#24304995)

Nice post, but you left out getting sued by the RIAA/MPAA over that jingle/video you automatically got from visiting some website and getting arrested by the FBI over that jpg when you hit the "not safe for work" advertising on that link you got from Google research while trying to find some parts for xyz. Universal web ID will result in far too many sites that ask your system for "your papers please". With it universally accepted, most Joe and Jane Sixpacks will click the little "I don't want to be bothered" box on their Windows' option and have their computers answer every such request. db32 is very correct.

Re:Damned MS... (0, Troll)

Colonel Korn (1258968) | more than 6 years ago | (#24305027)

Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid.

The only purpose of the OpenID system is to help advertisers and the like track you more accurately. This was never meant to help users. As such, it's not the kind of thing that most Slashdot users will be ignorant enough to use, but it's our job to make sure all of our less informed acquaintances know not to sign up for this Big Brother tracking.

Re:Damned MS... (1)

Tragedy4u (690579) | more than 6 years ago | (#24305039)

I agree that unified authentication systems for multiple sites such as this are idiotic. But you have to wonder, how many "average non techie users" already use the same username and password for multiple sites already? The average non-technical person likely isn't savvy enough to know to use different credentials for multiple sites, it can look even worse when most sites use a person's email addy as the login in the first place.

Re:Damned MS... (1)

Pvt_Ryan (1102363) | more than 6 years ago | (#24305043)

I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons. Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security. With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.

QFTT....

That's All I have to say!

Re:Damned MS... (0)

Anonymous Coward | more than 6 years ago | (#24305111)

Not to mention this could be a boon for advertisers: I imagine that lots of people here have "throw-away" email accounts to enter into sites that will (probably) send you spam. That means that the spammer database could be 25% or more larger than the actual number of warm bodies they represent.

I misspell my name about 10 different ways to see who sells it to spammers, and refer most of them to my yahoo account. Amazing how it really fills up a few weeks after "registering" on a new site.

If any SSO gets really big, then getting away from the spammers gets that much harder.

...or, I could probably just create a spam-web OpenID account....the poor fake bastard would be much sought after by Viagra wholesalers from Kenya...

Re:Damned MS... (1)

imunai (1331451) | more than 6 years ago | (#24305319)

The thing with OpenID is that you decide how secure it will be.

Why do you stick to a username+password combination? OpenID may be so much more secure than that. You can make it as secure and convenient as you like. e.g.:
- Carry a physical token with you that will generate one time passwords.
- A list of one time passwords you print for yourself every so often.
- A question that would pop up on your cell phone, "do you allow" every time and have no passwords :)

In the end you have to trust somebody. If you don't and keep all your money under your bed, be your own OpenID provider, like me ;)

Yay another Passport (2, Funny)

MrCawfee (13910) | more than 6 years ago | (#24304395)

I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.

Re:Yay another Passport (1)

hellwig (1325869) | more than 6 years ago | (#24305631)

What failure? eBay partnered up with MS Passport, and look where they (eBay) are now. Granted, eBay now uses its own login system instead of MS Passport, but really, that shouldn't be a mark against MS. Every time I reinstall Windows XP it asks if I want to link my login to a Microsoft Passport ID. I mean, if your system has the support of Windows, how can it fail? Granted, most of MS's own sites these days use a Windows Live! ID, which is not the same ID as the old MS Passport system, and granted, I never linked my Windows XP account to my Passport account, so I don't even know what good that did, but the fact that it's not used anymore can't be seen as a failure. Was Betamax a failure just cause everyone used Alpha? Was the Nintendo Virtual-Boy a failure just cause no one bought any of them?

In all seriousness, this isn't really a problem for MySpace. Since they are only a provider, all they have to do is provide a mechanism for other sites to authenticate against. They aren't actually investing a whole lot in the system, and they probably won't be asking other websites to start using their system anyway. They can look like they support open-ness simply by implementing the system half-way (by providing, but not accepting). I doubt MySpace will ever accept an OpenID, but they can hand them out for free so what does it hurt?

DO NOT WANT (0, Flamebait)

snarfies (115214) | more than 6 years ago | (#24304407)

I refused to sign up for MS Passport, and I refuse to sign up for OpenID. I don't WANT my logins shared across multiple websites. There are some websites/services I just plain old don't trust with some or all elements of my real information. And if only ONE of those websites is compromised, my login is now compromised across the board, and I can have impersonators using my login with websites/services I've never had any involvement or perhaps even knowledge of.

I've been thinking of nuking my Myspace account for some time, as I don't actually USE it for anything, sounds like this might be a good time to go ahead with that.

Re:DO NOT WANT (1)

edavid (1045092) | more than 6 years ago | (#24304539)

It does not need for any site to be compromised. Once it is technically possible to track, it will be done, either because the site wants or because some big lobby (RIAA, MPAA or any other) imposes it. So I also refuse to share my IDs between sites. I always use specific per site email address, and I do not want to lose this.

Re:DO NOT WANT (2, Insightful)

intx13 (808988) | more than 6 years ago | (#24304965)

Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security as email, there are providers that use certificates and fancy-schmancy secure communication, and there are providers that use hardware to verify who you are - you pick the level of security you want when you pick a provider.

And of course, if you really do want a separate identity for each and every site for which you register, you're free to register multiple OpenID identities.

Basically, OpenID replaces an email address as a central identity. It provides all of the "ease" of using email addresses, but also provides a wealth of possible security improvements and, of course, single sign-on capabilities.

Re:DO NOT WANT (4, Insightful)

Serious Callers Only (1022605) | more than 6 years ago | (#24305137)

> And if only ONE of those websites is compromised, my login is now compromised across the board,

Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.

You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.

Re:DO NOT WANT (1, Informative)

Anonymous Coward | more than 6 years ago | (#24305213)

> There are some websites/services I just plain old don't trust with some or all elements of my real information.

So don't. Part of OpenID is that you can see exactly what information the relying site wants, and decide whether or not to give it to the site. Some providers also let you create and use multiple profiles to choose from too, so you can choose exactly what address or whatever they see (if any). There's no loss of control for the user here.

> And if only ONE of those websites is compromised, my login is now compromised across the board, and I can have impersonators using my login with websites/services I've never had any involvement or perhaps even knowledge of.

No, that's not how it works. The sites you log into aren't involved with your authentication process, so they can't give up your credentials no matter how badly they get owned. They could give up whatever personal information you chose to let your provider give them, but that's no different than the way it is now.

OpenID? (1, Insightful)

Wowsers (1151731) | more than 6 years ago | (#24304433)

Who cares about a unified username/password "experience". A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an openID profile. Who thinks of these idiotic ideas?

I thought they would learn from that experience when you could have a set of car keys from a Ford in the UK (in the 1970's IIRC), and it would open all the other Ford cars. At least that's how my parents' car was stolen. Now do the equivalent with an online profile.. madness.

Re:OpenID? (3, Insightful)

cathector (972646) | more than 6 years ago | (#24304619)

> Who cares about a unified username/password "experience".

fair enough, but i think for many users it would be cool to have a unified identity across several sites. ie, so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.

Re:OpenID? (1)

gbjbaanb (229885) | more than 6 years ago | (#24305001)

nothing stops you from getting several openid accounts - one for all your social networking sites (so if one gets hacked, so do the others - it's still not that much of a big deal once you're older than 12).

For my bank, I don't use openID. For my email, I might be persuaded to use 1 openID for several email accounts. For crappy websites/forums that need a login but are really not that important, I'd like to use a single openID account for them all.

This would be a lot better than using the same username and password combo on all sites, as some people do.

Re:OpenID? (5, Informative)

phoenix.bam! (642635) | more than 6 years ago | (#24305069)

I don't think you understand how openid works. The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore can not access anything on other sites which you use that openid account for.

Re:OpenID? (2, Interesting)

Tom (822) | more than 6 years ago | (#24305129)

> Who cares about a unified username/password "experience".

I think that would be almost everyone who's tired of remembering (or writing down) a hundred different passwords, as well as everyone who's already using the same password everywhere because (see previous).

> A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an openID profile. Who thinks of these idiotic ideas?

You.

The people behind OpenID thought of it as a problem to solve and found a solution. Newsflash: If my game (see footer) accepts OpenID as a logon mechanism (and it will, once I get around to coding it), I won't get your actual login data. What I'll get is a way to ask thirdparty.com if you really are dude@thirdparty.com - the actual authentication happens there, not at my site. Since OpenID is distributed, you in reality get less exposure to attackers, because someone cracking me, or Facebook, or Google, will not get any login data for you, not even to the cracked site, unless that site was your provider.

The simple, basic problem - which OpenID solves (0)

Anonymous Coward | more than 6 years ago | (#24305401)

What most governments and other "big brother" ideas confuse (willingly or not) is PHYSICAL and ELECTRONIC identity (or, if you prefer, a "representation" of you like your account number, credit card number, SSN (US), NHS (UK), SOFI (NL) etc, which is also why it is taking so long to get a digital signature into law (Spain's done it, and IMHO the system is only just about OK) - most laws start from the physical person.

Taking someone's physical identity is not that easy (sampling DNA and prints still requires physical presence which represents both risk and a lack of scalability) and not as profitable as cloning an electronic identity. The "items" that make you "you" (biometrics, knowledge et al) should stay with you so they have to be presented every time any of your electronic identities is used. This is what I like about OpenID - YOU control what accompanies every logon, and you can define multiple identities to make it easier. Most authentication mechanisms are only concerned with assuring that the person who undersigned the contract (i.e. at a bank) is the same person that gains access and authorises transactions, it really doesn't go further than that.

So, ONE person, MULTIPLE identities (which should be kept separate, so breaking one doesn't expose your entire life), and associated with each of those identities are again multiple rights and obligations (with a weird bend where a company is defined as one logical identity on which behalf a number of identities can acquire and exercise rights, but I digress).

However, instead of having one token for each bank account, government access, travel card and OpenID access you can now get it all in this gadget [economist.com] ..

Re:OpenID? (1)

imunai (1331451) | more than 6 years ago | (#24305481)

The thing with OpenID is that you decide how secure it will be.

Why stick to a username+password combination? OpenID may be so much more secure than that. You can make it as secure and convenient as you like. e.g.:
- Carry a physical token with you that will generate one time passwords for example.
- A list of one time passwords you print for yourself every so often.
- A question that would pop up on your cell phone, "do you allow" every time and have no passwords :)

Is 1 ID really wise? Single point of failure? (3, Insightful)

SpecialAgentXXX (623692) | more than 6 years ago | (#24304451)

Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There is free user ID/password management software so you don't have to memorize every ID and password.

Re:Is 1 ID really wise? Single point of failure? (2, Interesting)

Lincolnshire Poacher (1205798) | more than 6 years ago | (#24304931)

> Is having 1 global ID really wise?

Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.

I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.

For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.

Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.

Re:Is 1 ID really wise? Single point of failure? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24305233)

The thing is, most people don't have different usernames and passwords for each site. A ton of people use the same password for MySpace, Gmail, Amazon, work, school, their bank, etc. At least with OpenID most of these sites would not get to see your password.

It could be a single point of failure, but maybe that's not a bad thing when talking about protecting secrets like passwords?

Re:Is 1 ID really wise? Single point of failure? (1)

StatusWoe (972534) | more than 6 years ago | (#24305381)

How about using a tiered OpenID system where you can have multiple levels of accounts?

Right now I use one set of username/pwds for my banking and sensitive accounts. I'm very careful about what machines I use this info on and who I give it to. A second username/pwd pair for stuff like ./, gmail, last.fm etc... which I use for sites that I frequent and would rather not have someone else access using my name. Finally a third for smaller forums and stuff that I could really care less about.

I would like to be able to tie them together in a way that let me use a higher-tier account to reset the pwd of the lower tier accounts but not vice-versa or across a tier.

It's still an "all your eggs in one basket" approach, but it's a slightly more secure basket.

And if it gets stolen? (1)

ukyoCE (106879) | more than 6 years ago | (#24304509)

The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

Most people seem to use the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.

So maybe it's still an improvement, but it should be considered as a very serious concern.

Re:And if it gets stolen? (1)

bk2204 (310841) | more than 6 years ago | (#24305657)

You have to compromise the OpenID server in order to gain access, since all that the consumer gets is a URL. You enter your password (if that's what you're using) only on your provider's website. If you don't trust your provider, you're fucked anyway.

If you're smart, you won't use a password. I run my own OpenID server and it uses my Kerberos credentials (via SPNEGO) to authenticate. No password ever leaves my machine. Someone wanting to compromise my OpenID must gain access to either the KDC or the CGI script.

In general, it's stupid to enter any sort of authentication information on a machine you don't trust. If I need to log in, I use my laptop, not a public terminal.

single point of identity theft? (1)

FunkyELF (609131) | more than 6 years ago | (#24304715)

Great...have one ID for everything, then they'll just have to steal it once.
Although, most idiots today use the same username and password for everything anyway.

One Password to Rob Them All (0)

Doc Ruby (173196) | more than 6 years ago | (#24304741)

This whole idea is the stupidest security idea I've heard in a while, and I hear stupid ones every day.

Why would I trust MySpace with my AOL login? Once there's several other people to blame, any one of whom could have used or leaked my password, what's stopping unethical people at MySpace from using my "MySpace" login to get into my AOL login, and make our clueless police/FBI figure out which of the many possible perpetrators was the real perp?

I don't use the same PIN for all of my banks. Then one of the banks, or some unethical employee, could rob my other bank's account.

The whole point of a password is to keep everyone except you and the specific challenging party from accessing your account with that party. Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

Why not just open an account with my service. We'll let you register all of your passwords, for websites and your banks, to login to us. Then, you can use any password you happen to remember. And then, I'll go and use all of those passwords to rob you blind.

Re:One Password to Rob Them All (2, Interesting)

Doc Ruby (173196) | more than 6 years ago | (#24304869)

What we need is the opposite of this scheme.

We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a onetime password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phonecall, but secure itself against attacks over that connection, or just report the momentary password on the screen for its human to read and enter into the challenge.

It's insane that I give my bank PIN to some arbitrary sketchy ATM in some latenight deli when I'm already drunk, need another 6-pack, and won't even remember where (or who) I was when I find out months later that my PIN was used by someone (of the dozen sketchy ATMs I used that year) to rob my account. I want onetime passwords right now, that my phone can remember, attached to the specific counterparties, money quantities and transaction description. So later I've got my own complete, authoritative record.

Not go the other way and give my PIN to every fly by night website, just because they "trust each other" with nothing of their own at stake.

Re:One Password to Rob Them All (4, Informative)

Jellybob (597204) | more than 6 years ago | (#24305077)

> Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

Maybe you should try reading the spec then, since that's exactly what it's designed to do.

The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirected to your provider's site, where:

1) If you don't already have a session open, you login, and then go to 2.

2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).

This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.

If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
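The flow described in the comment above, as an added example that is not part of the original post: a simplified Python model of an OpenID 2.0 signed positive assertion, showing that the relying site receives a signed identifier and never the password. The endpoint URLs, identifiers and class names are constructed for illustration, and the association key is handed to the relying party directly here, where the real protocol negotiates it in a separate association exchange.

```python
import base64, hashlib, hmac, secrets, time

# Fields an OpenID 2.0 positive assertion must cover with its signature.
REQUIRED_SIGNED = ["op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"]

def sign(mac_key, fields, names):
    """Base64 HMAC-SHA256 over the key-value form ("name:value" lines) of the signed fields."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)
    mac = hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """The only party that ever sees the user's credentials."""
    def __init__(self, endpoint, passwords):
        self.endpoint = endpoint
        self._passwords = passwords  # demo only; a real provider stores password hashes
        self._assocs = {}

    def associate(self):
        # Shared MAC key for one relying party (simplified association).
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assocs[handle] = key
        return handle, key

    def login(self, claimed_id, password, return_to, handle):
        stored = self._passwords.get(claimed_id, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None  # no assertion is issued for a failed login
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        resp = {"openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
                "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                "openid.return_to": return_to, "openid.response_nonce": nonce,
                "openid.assoc_handle": handle,
                "openid.signed": ",".join(REQUIRED_SIGNED)}
        resp["openid.sig"] = sign(self._assocs[handle], resp, REQUIRED_SIGNED)
        return resp

class RelyingParty:
    """The site being logged in to; it holds a MAC key but no user credentials."""
    def __init__(self, return_to, op_endpoint, handle, mac_key):
        self.return_to, self.op_endpoint = return_to, op_endpoint
        self.handle, self._key = handle, mac_key
        self._seen_nonces = set()

    def verify(self, resp):
        """Return (claimed_id, "ok") or (None, reason)."""
        if resp.get("openid.mode") != "id_res":
            return None, "not a positive assertion"
        names = resp.get("openid.signed", "").split(",")
        if not set(REQUIRED_SIGNED) <= set(names):
            return None, "required field not signed"
        if any("openid." + n not in resp for n in names):
            return None, "signed field missing"
        if resp["openid.return_to"] != self.return_to:
            return None, "return_to mismatch"
        if resp["openid.op_endpoint"] != self.op_endpoint:
            return None, "unexpected provider"
        if resp["openid.assoc_handle"] != self.handle:
            return None, "unknown association"
        expected = sign(self._key, resp, names)
        if not hmac.compare_digest(expected.encode(), resp.get("openid.sig", "").encode()):
            return None, "bad signature"
        nonce = resp["openid.response_nonce"]
        if nonce in self._seen_nonces:
            return None, "replayed nonce"
        self._seen_nonces.add(nonce)
        return resp["openid.claimed_id"], "ok"

def demo():
    alice = "https://provider.example/alice"  # constructed identifier
    op = Provider("https://provider.example/server", {alice: "correct horse"})
    handle, key = op.associate()
    rp = RelyingParty("https://rp.example/return", op.endpoint, handle, key)
    good = op.login(alice, "correct horse", rp.return_to, handle)
    forged = dict(good, **{"openid.claimed_id": "https://provider.example/bob"})
    return {
        "wrong_password": op.login(alice, "guess", rp.return_to, handle),
        "forged": rp.verify(forged),   # identifier swapped after signing
        "first": rp.verify(good),
        "replay": rp.verify(good),     # same assertion presented twice
        "password_in_assertion": any("correct horse" in v for v in good.values()),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

A compromise of the relying party in this model exposes the MAC key it shares with the provider and whatever profile data it was given, which is why the comments in this thread place the trust boundary at the provider.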

Re:One Password to Rob Them All (0)

Anonymous Coward | more than 6 years ago | (#24305253)

> Why would I trust MySpace with my AOL login? Once there's several other people to blame, any one of whom could have used or leaked my password, what's stopping unethical people at MySpace from using my "MySpace" login to get into my AOL login,

Before you go spouting off about tech, you should make sure you understand it. Your post is full of bullshit objections that have been specifically addressed by OpenID. For example this scenario you describe is impossible with OpenID, since sites being used by you being compromised means nothing if your actual provider is still secure. Personally I wouldn't trust MySpace, but that doesn't say anything about OpenID, just that I wouldn't use MySpace as a provider.

But don't let ignorance get in the way of a good rant.

Username Squatters? (1, Interesting)

HockeyPuck (141947) | more than 6 years ago | (#24304803)

I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.

We'll end up with the same problem we have now with domainnames, grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.

Re:Username Squatters? (2, Insightful)

cortesoft (1150075) | more than 6 years ago | (#24304985)

OpenID doesn't work like this. The user names are tied to a site. So your myspace OpenID would be something like http://myspace.com/hockeypuck [myspace.com] . Someone else could have http://othersite.com/hockeypuck [othersite.com]

Kind of a bad idea. (2, Insightful)

getuid() (1305889) | more than 6 years ago | (#24304855)

...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.

Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.

Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...

Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...

Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)

A Major Advantage You're Missing (5, Interesting)

floateyedumpi (187299) | more than 6 years ago | (#24304923)

All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

Re:A Major Advantage You're Missing (0)

Anonymous Coward | more than 6 years ago | (#24305569)

Please mod parent insightful, this is related to the fact that MySpace will use another provider (their own), which leads to decentralization.

You are NOT sharing your password! (2, Interesting)

davidwhitney (738809) | more than 6 years ago | (#24304935)

Whenever OpenId comes up there's always a million comments about handing over passwords and that all it takes is one site you're registered with to be compromised for your identity to be lost. This is not the case as OpenId does not share your actual login information with the third party at all. All the authentication happens at your provider. I fail to see how people consistently overlook this vital piece of information. If your provider is compromised on the other hand... you're pretty much in the same place as somebody compromising your mailbox. And there's a worrying trend of people just handing that information out anyway.

Re:You are NOT sharing your password! (1)

elFarto the 2nd (709099) | more than 6 years ago | (#24305535)

Also it should be noted that you don't have to use passwords to authenticate with your provider. MyOpenID supports certificate based authentication, and have just started offering CallVerifID(TM) [myopenid.com] , which will phone you when you sign in.

Regards
elFarto

Microsoft? (1)

larry bagina (561269) | more than 6 years ago | (#24304937)

Pot, Kettle, etc. When will slashdot support it? There are plenty of OpenID libraries, so CmdrTaco won't have to stop editing to work on it full time.

yay for... (1)

bsDaemon (87307) | more than 6 years ago | (#24304959)

single point of failure!!

I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my blogger account, and i'll probably buy my own domain again to get away from gmail.

To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.

Ten Characters - MySpace (1)

myspace-cn (1094627) | more than 6 years ago | (#24305101)

I don't see how this will work on myspace with only ten characters for a password.

This whole openID thing sounds like centralization of passwords and private information, and behind the scenes the linking of user X, Y, Z from site A, B, C.

Roll the damn thing out if you must, but make it clear somewhere EARLY that it's linked to other accounts. It might be better to not register.

But then you all know I had to comment on this with a cool handle like myspace-cn before the Chinese firewall comes after me to put me to death for all my hard core death/black metal myspace accounts.

OpenID is the worst user experience. (1)

cortesoft (1150075) | more than 6 years ago | (#24305231)

My company recently attempted to implement an OpenID login option for our website. We quickly abandoned the idea because it was simply a horrible user experience. For those of you who are unaware of how openid works here are the steps to sign in with openid:

1) First you have to enter a URL which is your openid login. For example, if yahoo is your openid provider, you would enter http://openid.yahoo.com/cortesoft [yahoo.com] . Right off the bat, you already have to enter a ridiculously long user id.

2) Once you enter the URL, that is passed on to the openid provider. Using the yahoo example, you then have to sign in to yahoo if you aren't already signed in on this computer to prove you are the owner of that openid URL.

3) You are then asked to check a box giving the requesting site permission to use this openid. In yahoo's case it also requires entering a CAPTCHA. This is to ensure that the requesting site isn't merely nefariously requesting an OpenID without the user's permission.

4) Yahoo authenticates to the requesting site that you are logged in, and you are finally signed on.

Of course, it is slightly easier on subsequent visits. The authorization process is shorter, but you still have to sign in to your openID provider and enter a URL.

Just look at how simple the alternative is: A user simply enters a username and password and BAM they have a new account. They can even choose the same one as they used on other sites if they want the same username and login across multiple sites.

Users bounce at any sign of difficulty in the signup process. OpenID is a huge barrier to entry, so we scrapped the idea of using it.

Re:OpenID is the worst user experience. (1)

brunascle (994197) | more than 6 years ago | (#24305505)

> For example, if yahoo is your openid provider, you would enter http://openid.yahoo.com/cortesoft [yahoo.com] . Right off the bat, you already have to enter a ridiculously long user id.

It's unfortunate that you used Yahoo as an example, because actually with Yahoo you only need to enter yahoo.com. In this case, your actual OpenID isn't given to the relying party until after you authenticate with Yahoo. This isn't very common though, most providers do make you type out your actual OpenID.

Ok, the summary and article stinks (2, Insightful)

GrumblyStuff (870046) | more than 6 years ago | (#24305347)

GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.

You do NOT give OpenID all your passwords and logins.

It's not turning all those accounts over to a third-party and them giving you a single login and password.

It's using ONE account at MANY other sites in a limited form.

Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.

This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.

THAT'S IT.

I RFTS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.

> OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.

I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
