OpenID - Big Adopters, Big Future?
I first heard about OpenID around 6-8 months ago and immediately went to myopenid.com to claim an OpenID for my domain. After signing up, and eager to try the new "single sign-on" process, I looked through the list of sites that accept OpenID. The process was interesting. It is not as cut and dried as one would hope, but it isn't bad. The problem is that many sites still ask for profile information that is not part of your OpenID account, so you end up filling in a registration form anyway. It also strikes me as odd that your "username" is a URL rather than an email address, which is also globally unique. (The URL is what the relying party fetches to discover which provider speaks for you; that is the reason for the choice, even if it is unfamiliar to users.)
The experience was less than exciting and, as it was implemented at the time, I didn't see a big benefit.
Since then I have come across a few sites that I actually use that have added OpenID support. Plaxo is the only one where I have actually linked my OpenID account; for the others I just didn't care enough to bother.
Recently I have noticed some large adopters of the OpenID standard, most notably Yahoo!. With a brand as big as Yahoo! acting as a provider, I can see the benefit for other sites of accepting it as a way of giving users access to their accounts. Yahoo! turned all 248 million of its registered users into OpenID accounts; that is a huge user base.

Curious, I used Plaxo as a test case for logging in with my Yahoo! OpenID. The process is painless: click the "Sign in with Yahoo! ID" button and you are redirected to a Yahoo! OpenID page that tells you which website is asking for access to your account, along with a few other details. Click "Let me in" and Yahoo! sends Plaxo your unique OpenID URL in a signed response. This is the step that is better than using a service like myopenid.com: with Yahoo! as the provider you never type your OpenID URL at all. You just use your Yahoo! ID, and Yahoo! takes care of sending the identifier to the requesting site.

Now that my Yahoo! OpenID is associated with my Plaxo account, whenever I go back to Plaxo I click "Sign in with Yahoo! ID", it redirects to Yahoo! as above, I click "Let me in", and I am logged in immediately (provided that I am already logged in to Yahoo!; otherwise you get the Yahoo! login page first). The benefit is that the only username and password you need to remember is your Yahoo! one. That's it. The flip side is that your Yahoo! password now guards every site you have linked to it, and each of those sites has to check that the response really came from Yahoo! before letting you in.
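To make the "Let me in" step concrete, here is an added example (my own illustration, not code from Yahoo!, Plaxo or any OpenID library) of the signed response a provider sends back through the browser and the checks a relying party must make before it trusts the identifier in it. The endpoint URLs, the identifier and the association handle are assumptions; in the real protocol the shared MAC key comes from an "associate" request to the provider, which is simulated inline here so the example runs offline. It goes a little beyond the post by also showing a replayed and a tampered response being rejected.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.example/openid"            # hypothetical provider URL
RP_RETURN_TO = "https://rp.example/openid/return"    # hypothetical RP endpoint
IDENTITY = "https://me.example/alice"                # hypothetical user identifier
NONCE_MAX_AGE = 300                                  # seconds of clock skew tolerated


def kv_form(fields, signed):
    """OpenID 2.0 key-value form over the listed fields: 'key:value\\n' each."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed)


def compute_sig(fields, signed, mac_key):
    """HMAC-SHA256 over the kv-form, base64 encoded as it appears in openid.sig."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def provider_positive_assertion(identity, return_to, assoc_handle, mac_key):
    """Build the redirect URL the provider sends the browser to after 'Let me in'."""
    # response_nonce: UTC timestamp (20 chars) followed by random uniqueness chars
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    fields = {
        "ns": OPENID_NS,
        "mode": "id_res",
        "op_endpoint": OP_ENDPOINT,
        "claimed_id": identity,
        "identity": identity,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = compute_sig(fields, signed, mac_key)
    return return_to + "?" + urlencode({"openid." + k: v for k, v in fields.items()})


class RelyingParty:
    """The checks an RP must pass before it trusts openid.claimed_id."""
    # claimed_id/identity are required here because this RP always expects them.
    REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                       "assoc_handle", "claimed_id", "identity"}

    def __init__(self, return_to):
        self.return_to = return_to
        self.associations = {}   # assoc_handle -> MAC key shared with the provider
        self.seen_nonces = set()

    def associate(self):
        """Stand-in for the 'associate' exchange: RP and provider share a MAC key."""
        handle = "assoc-" + secrets.token_hex(4)
        key = secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def verify_assertion(self, url):
        """Return (True, claimed_id) for a valid response, else (False, reason)."""
        q = dict(parse_qsl(urlparse(url).query))
        f = {k[len("openid."):]: v for k, v in q.items() if k.startswith("openid.")}
        if f.get("ns") != OPENID_NS or f.get("mode") != "id_res":
            return False, "not a positive assertion"
        if f.get("return_to") != self.return_to:
            return False, "return_to mismatch"
        mac_key = self.associations.get(f.get("assoc_handle"))
        if mac_key is None:
            return False, "unknown association (would need check_authentication)"
        signed = f.get("signed", "").split(",")
        if not self.REQUIRED_SIGNED <= set(signed) or any(k not in f for k in signed):
            return False, "required field not covered by signature"
        if not hmac.compare_digest(compute_sig(f, signed, mac_key), f.get("sig", "")):
            return False, "bad signature"
        nonce = f["response_nonce"]
        try:
            ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed nonce"
        if abs(time.time() - ts) > NONCE_MAX_AGE:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        self.seen_nonces.add(nonce)          # record only after the signature checked out
        return True, f["claimed_id"]


if __name__ == "__main__":
    rp = RelyingParty(RP_RETURN_TO)
    handle, key = rp.associate()
    url = provider_positive_assertion(IDENTITY, RP_RETURN_TO, handle, key)
    print(rp.verify_assertion(url))                             # (True, IDENTITY)
    print(rp.verify_assertion(url))                             # (False, 'nonce replayed')
    print(rp.verify_assertion(url.replace("alice", "mallory")))  # (False, 'bad signature')
```

The order of the checks matters: the signature is verified before the nonce is recorded, so unsigned junk cannot fill the replay cache, and each nonce is accepted once, so a captured redirect URL cannot be reused. An RP that kept no association would instead send the fields back to the provider in a check_authentication request and let the provider confirm the signature.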
Another thing that should encourage developers to give OpenID a try is the number of resources available to help with implementation and use:
- Yahoo! OpenID
- A Recipe for OpenID-Enabling Your Site
- Yahoo! Gallery of OpenID sites
- OpenID for non-SuperUsers
- OpenID Code Libraries
- Popular OpenID provider (you don't need this if you go the Yahoo! route)
Overall, now that I have seen where the OpenID standard is today, with large adopters like Yahoo! and Plaxo on board, I will take another look at this attempt to unify the web and give people a real single sign-on. Standards like this are very hard to push into the mainstream. I was wary of OpenID taking off in its initial push, but seeing how Yahoo! did it makes me feel much better about OpenID's continued success. Even so, if an average user is offered a choice on a registration screen between registering with the site and using an "OpenID account", they will probably pick the site's own registration because they don't know what OpenID would buy them. One way developers can push this in a more specific direction is to allow access only via OpenID. Assume users won't read the options and give them just one way to sign in.
I would love to hear your comments, opinions, and constructive criticism on this topic. I think it is very relevant today and is the right time to introduce such a standard. Also, if you have other resources to share, please do so in the comments or send me a message.



My concern is (tell me if it's unfounded?) if a user doesn't have a strong password or they share it (or their OpenID URL) with a friend, doesn't that compromise all of their web accounts that are linked in with OpenID?
Does the OpenID forum check what security measures are taken by authenticating sites? e.g. storing passwords fully encrypted or just the hash of the password? If passwords are stored in a db as plain text then any member of staff with db access can steal it. That would affect every site linked in, not just theirs.
If you run a secure site containing very personal or valuable information you're not likely to link your site up to OpenID for fear of allowing your customers to compromise their own account. Maybe I'm over reacting because I haven't digested the inner workings of OpenID.
I wasn't hinting for you to do a diagram. :-) Would be cool though. Thanks.
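As an added illustration of the question above about how a site or provider stores its credentials (example code written for this page, not anything from any provider or site it names): the difference between keeping a password in the clear, keeping an unsalted hash, and keeping a salted, iterated hash that someone reading the database cannot reverse cheaply. The storage format and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def store_plaintext(password):
    """What the comment warns about: anyone who can read the table has the password."""
    return password


def unsalted_sha1(password):
    """Better than plaintext, but the same password always gives the same hash,
    so a precomputed lookup table cracks every user who picked it."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt makes each record unique and
    the iterations make each guess expensive for an attacker with the table."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected, iters = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex), int(iters)
    except ValueError:
        return False                     # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print(store_plaintext(pw))             # readable by anyone with DB access
    print(unsalted_sha1(pw) == unsalted_sha1(pw))   # True: identical across users
    rec = hash_password(pw)
    print(rec != hash_password(pw))        # True: salt differs per record
    print(verify_password(pw, rec), verify_password("wrong", rec))   # True False
```

The point for a provider is that a hashed record is only useful to the site at verification time; a leaked table of salted, slow hashes still has to be cracked one guess at a time, whereas a plaintext or unsalted table hands over every linked account at once.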
+1 on OpenID having a bright future, as an avid user of the intertubes I am looking forward to good times ahead.
I like OpenID because I can pick a provider who is in the business of securing my data (as opposed to social networking, blogging, file sharing, etc.) and control access to that data from one place.
@Gary et al. - I believe that most people's email account is already a central point of failure as many sites use a member's email address to reset passwords and other account details. Not that OpenID by itself is more secure than a standard email l/p; it is up to the OpenID provider to add security measures to protect you.
There is a great OpenID provider comparison up here:
http://spreadopenid.org/provider-comparison/
I work for Vidoop, we run an OpenID provider at http://myvidoop.com which does not require passwords.
Instead of entering a password our members are shown an image grid which displays images from pre-selected secret image categories. Each image has a letter, and the letters form a one-time random access code. It's pretty neat technology and worth a look, though I may be biased :)
We do other things to secure your account including custom account notifications, an activity log, computer activation, browser plug-ins, etc.
If anyone has any OpenID or Vidoop related question please let me know. More info is at http://www.vidoop.com
Cheers,
Kevin
*securely storing non-OpenID logins
*storing passwords to various OpenID providers (myopenid, claimed, etc.)
*automatic login to websites (no more typing)
I’m happy to see OpenID starting to catch on but until it does, we still need to store our non-OpenID passwords:
http://tinyurl.com/259owq
Louise
We (Vidoop) actually offer a Password safe plugin that ties in to your myVidoop OpenID account. The plugin is easy to install and allows a member to save and manage all of their standard logins/passwords from within their myVidoop account. If interested we have a video explaining more about the plugin: http://tinyurl.com/2y888w
I can't believe the really short username I requested was available. I must be the first user to sign up! ;-)
Ultimately security is only as good as the security of the stored password. For example if myvidoop stores passwords as a list of category IDs in clear text and a work placement student or employee who's been given a bribe has access to the db they can find out any users' categories.
I couldn't find a statement on the website to suggest that this data is either encrypted or hashed (hashed preferably). Once an account on the OpenID provider is compromised so too are all the other websites linked in for that user. Sorry to sound skeptical. I like the clever use of advertising on the picture/pwd page. Nice.
If you're using someone else's computer then it's impossible to log in with myvidoop if you can't access your email there and then. (Some corporate firewalls block web mail and forbid the use of plugins.) I'm in the UK so the mobile phone activation code doesn't work for us.
In addition, I was reading yesterday how all the big players want to become OpenID service providers, but not very many will allow you to login to their site using an OpenID. Hmm.
I checked with our developers and we store all the categories as a hash. I will see about getting this added to the FAQ.
@Kyle - You are right we need to see more big players actually becoming relying parties (accepting OpenID logins). I can understand their reluctance, as they perceive accepting OpenID accounts as losing some kind of control over the user. E.g. Why would Google want to let you use your yahoo account to login to their services?
As the technology progresses, and executives are better educated on what OpenID is and what it can do for a member's experience on their site, we will see more of the big players take the complete plunge and become RPs.
Until someone finds a security hole in OpenID it looks set to grow. :-) But I can't see it being used on sites where security is really important. While Vidoop's security level is good, users could register their OpenID with sites that allow or implement inferior security, and that's something outside of the control of sites that want to support OpenID.