MySpace Joins OpenID Coalition

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

Defeat the purpose?

[kgwilliam (998911)]

"Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?

Re:Defeat the purpose?

[CastrTroy (595695)]

What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.

Re:Defeat the purpose?

[maxume (22995)]

You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

Re:Defeat the purpose?

[Chyeld (713439)]

It doesn't. And you aren't.

Implemented properly, OpenID works thusly:

You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truely "JimBob" of "random URL".

The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does it's jig and passes back the results.

The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'offical' authenticator for "JimBob" of "random URL".

This provides you ultimate control, and you aren't passing anything to anyone that you haven't choosen to trust.

The problem is, at least for me, is almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers setup as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.

Re:Defeat the purpose?

[Chyeld (713439)]

Actually no.

You do tell them you are "JimBob". More than one person may rely on "random URL" for their ID, similar to "JimBob" of Yahoo.com

You are not asserting that you have control over anything, if you do it properly then you should have control over "random URL" to the point where you can change who is providing the authentication, but it is not necessary for the schematic. Otherwise Yahoo et. al. would not be providers.

I suggest glancing over the specs for authentication:Version 2 [openid.net] or Version 1 [openid.net] for clarity.

Re:

[Chyeld (713439)]

Especially with the "Seems like this is just..." toss off, your question is rather like asking what the difference is between a bus and a taxi. Yes they both move you places, but they both rely on slightly different ideas.

The existence and utility of one does not nullify either of these properties for the other.

PKI is a wonderful means of doing some things, but it doesn't address some of thing things OpenID does. Conversely, there are definitely places where using PKI would make far more sense than attempti

Re:Defeat the purpose?

[Wolfger (96957)]

Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.

Re:

[caffeinemessiah (918089)]

It's sad, and makes baby Stallman cry.

For anyone who's actually SEEN stallman, this is the funniest quote ever. For those who haven't, here [softpanorama.org]

Re:

[mccabem (44513)]

It may be not looking good today, but as soon as they start seeing supporting OpenID as a mean of authentication means opening the business to potentially many more people, they will make a change someday.

Who is going to see that OpenID will "bring them more business"? It's something that so far as I can tell nobody wants.

-Matt

Re:

[ohtani (154270)]

You completely misunderstood the article and the concept of OpenID.

The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication fo

Re:Web Monoculture

[Sancho (17056)]

It's just a little different from that. Let's look at a couple of scenarios.

Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.

Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.

Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the liklihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."

Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.

Microsoft Support

[techiemikey (1126169)]

"now if only Microsoft would support it"
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.

Re:Microsoft Support

[gbjbaanb (229885)]

They do, Passpoor or maybe its Windows Livid, or something like that I think its called :-)

The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.

Blah Blah Blah...

[anom (809433)]

Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.

Mixed up Facebook and Myspace in TFS

[LighterShadeOfBlack (1011407)]

Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

Jesus fucking Christ, is proof-reading really that hard?

Re:Mixed up Facebook and Myspace in TFS

[LighterShadeOfBlack (1011407)]

...pointing out that...

Wow, proof-reading really is that hard.

Re:Mixed up Facebook and Myspace in TFS

[jc42 (318812)]

You just got bit by what's being called "Muphry's Law [upenn.edu]. Briefly, it says that any time you write a criticism of someone's spelling or grammar, what you write will inevitably contain a spelling or grammatical error.

The law has had other names, but people seem to like the idea of giving it a name that's a mispelling of the famous Murphy's Law.

(And note my two mispellings in this post. ;-)

Problem

[Rinisari (521266)]

A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

Re:

[Ngarrang (1023425)]

OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else at the same time you've signed up for.

Re:

[0xygen (595606)]

I was thinking it would be nice to have a two-factor OpenID authentication provider, which might alleviate this, but only to a limited extent.
I gather Verisign already do this if you use them as your provider(!) with a SecurID-ish token.

I am my own OpenID provider, which scarily means that if my web hosting gets hacked, irrespective of what authentcation I use, the hacker can impersonate me. So as you say, it does make a very tempting target with a single point of failure.

Re:

[gilgongo (57446)]

MyOpenID.com has two factor, and has had it for a while now.

But all this "single point of failure" stuff is crap, isn't it? Most people (probably not /. readers) have the same damn password for everything. If one of their accounts is cracked - how is that safer than OpenID? In fact, OpenID would probably be a lot safer if it was two factor in that scenario.

In short, OpenID is about the real world, which makes a refreshing change from the years and years of stupid "security" systems that end up forcing peopl

Re:Problem

[TheRedSeven (1234758)]

An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.

Re:Problem

[by Anonymous Coward]

So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.

Re:Problem

[Jellybob (597204)]

I know MyOpenID support using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

Insecure

[unity100 (970058)]

losing just one password or openid databases getting hacked will mean loss of all services related to it, even if they have other login systems.

Re:

[Scotteh (885130)]

If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.

Re:

[thrillseeker (518224)]

That's why you use a very secure password with an openid provider with a good reputation - which would probably not be Myspace or the like, but a dedicated openid provider that has been around a while. Some providers allow the used of a signed certificate to facilitate the login - that is you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted

Damned MS...

[db32 (862117)]

I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.

Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to

Re:

[gbjbaanb (229885)]

And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

You mean like Passport (or Windows Live ID) is a good idea?

At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.

Re:

[gilgongo (57446)]

"How in the freaking hell is a single sign on going to make it better?"

OpenID recognises two things:

1. The fact that the vast majority of people use (or try to use) the same password for every system they have. For the systems they can't use their preferred password for, they write the password on a sticky note, and put it on their monitor.

2. The fact that most people have a handful of important accounts (banking, mainly), and then a long tail of fairly trivial stuff. Somebody might cause you a lot of embar

Re:

[CastrTroy (595695)]

Yes, because everyone in the world should go ahead and create their own domain name, pay for a hosting service (or host their own servers), just so they don't have to remember multiple passwords. Sorry, I'll just stick with PasswordSafe for now.

Yay another Passport

[MrCawfee (13910)]

I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.

Is 1 ID really wise? Single point of failure?

[SpecialAgentXXX (623692)]

Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.

Re:

[Lincolnshire Poacher (1205798)]

> Is having 1 global ID really wise?

Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.

I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.

For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wi

And if it gets stolen?

[ukyoCE (106879)]

The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

Most people seem to user the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.

So maybe it's still an improvement, but it should be considered as a very serious concern.

single point of identity theft?

[FunkyELF (609131)]

Great...have one ID for everything, then they'll just have to steal it once.
Although, most idiots today use the same username and password for everything anyway.

A Major Advantage You're Missing

[floateyedumpi (187299)]

All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

Ok, the summary and article stinks

[GrumblyStuff (870046)]

GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.

You do NOT give OpenID all your passwords and logins.

It's not turning all those accounts over to a third-party and them giving you a single login and password.

It's using ONE account at MANY other sites in a limited form.

Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.

This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.

THAT'S IT.

I RFTS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

Note the key phrase "eliminates the need for multiple usernames". That means not needing an accound at MySpace, Facebook, or Livejournal to message a friend.

I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)

Public keys ?

[smoker2 (750216)]

Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.

Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.

Anonymous SSO?

[cayenne8 (626475)]

So now the big question for me. Can you create this single sign on account as an anonymous account? It would make things nice, but, I'd still not want to be identified in meatspace with this id....kind of like most accounts I have on the internet.

Re:Anonymous SSO?

[thrillseeker (518224)]

The openid protocol allows you to limit the information given to the system you're logging into to a minimum of "authenticated" - that is, no additional; information such as a (verified) email address is passed, though one is still required for an openid account establishment. It's up to the requesting system whether that minimal information is sufficient. Of course, your IP address can still be captured unless you use an anonymizing proxy.

Re:Anonymous SSO?

[0xygen (595606)]

I would really like there to be different levels of how "signed-in" you are, and me be able to set on the site how "signed-in" I must be for the account to be accepted.

For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.

My password might be needed for "level 2" allowing my into my webmail.

A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.

With the current state of affairs though, I think we can but dream...

Re:

[Aero Leviathan (698882)]

Nothing about the OpenID spec requires an e-mail address, or even a password: http://www.jkg.in/openid/ [www.jkg.in]

Re:OpenID?

[cathector (972646)]

> Who cares about a unified username/password "experience".

fair enough, but i think for many users it would be cool to have a unified identities across several sites. ie, so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.

Re:OpenID?

[phoenix.bam! (642635)]

I don't think you understand how openid works. The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore can not access anything on other sites which you use that openid account for.

Re:

[Tom (822)]

Who cares about a unified username/password "experience".

I think that would be almost everyone who's tired of remembering (or writing down) a hundred different passwords, as well as everyone who's already using the same password everywhere because (see previous).

A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've a openID profile. Who thinks of these idiotic ideas?

You.

The people behind OpenID thought of it as a problem to solve and found a solution. Newsflash: If my game (see footer) accepts OpenID as a logon mechanism (and it will, once I get around to coding it), I won't get your actual login data. What I'll get is a way to ask thirdparty.com if you really are du

Re:

[Doc Ruby (173196)]

What we need is the opposite of this scheme.

We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a onetime password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phonecall, but secur

Re:One Password to Rob Them All

[Jellybob (597204)]

Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

Maybe you should try reading the spec then, since that's exactly what it's designed to do.

The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirect to your provider's site, where:

1) If you don't already have a session open, you login, and then go to 2.

2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).

This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.

If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.

Re:

[intx13 (808988)]

Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security a

Re:DO NOT WANT

[Serious Callers Only (1022605)]

And if only ONE of those websites is compromised, my login is now compromised across the board,

Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.

You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.