MySpace Joins OpenID Coalition 272

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot log on to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet; now if only Microsoft would support it, there are plenty of OSS OpenID libraries available."
  • Problem (Score:5, Interesting)

    by Rinisari ( 521266 ) on Wednesday July 23, 2008 @10:44AM (#24304329) Homepage Journal

    A problem inherent in a decentralized single sign-on system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lock down their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

  • Anonymous SSO? (Score:3, Interesting)

    by cayenne8 ( 626475 ) on Wednesday July 23, 2008 @10:46AM (#24304387) Homepage Journal
    So now the big question for me. Can you create this single sign-on account as an anonymous account? It would make things nice, but I'd still not want to be identified in meatspace with this ID... kind of like most accounts I have on the internet.
  • Re:Problem (Score:3, Interesting)

    by Ngarrang ( 1023425 ) on Wednesday July 23, 2008 @10:48AM (#24304413) Journal

    OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else you've signed up for at the same time.

  • Re:Insecure (Score:2, Interesting)

    by Scotteh ( 885130 ) on Wednesday July 23, 2008 @10:50AM (#24304447)
    If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.
  • by maxume ( 22995 ) on Wednesday July 23, 2008 @10:54AM (#24304507)

    You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

    For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

  • Re:Insecure (Score:3, Interesting)

    by thrillseeker ( 518224 ) on Wednesday July 23, 2008 @11:08AM (#24304753)
    That's why you use a very secure password with an OpenID provider with a good reputation - which would probably not be MySpace or the like, but a dedicated OpenID provider that has been around a while. Some providers allow the use of a signed certificate to facilitate the login - that is, you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted machine at home and the OpenID provider, which bypasses the password handshake by exchanging the certificate data automatically.
  • Username Squatters? (Score:2, Interesting)

    by HockeyPuck ( 141947 ) on Wednesday July 23, 2008 @11:11AM (#24304803)

    I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100 million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.

    We'll end up with the same problem we have now with domain names: grandma will have to register as grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.

  • by Doc Ruby ( 173196 ) on Wednesday July 23, 2008 @11:14AM (#24304869) Homepage Journal

    What we need is the opposite of this scheme.

    We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a onetime password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phonecall, but secure itself against attacks over that connection, or just report the momentary password on the screen for its human to read and enter into the challenge.

    It's insane that I give my bank PIN to some arbitrary sketchy ATM in some late-night deli when I'm already drunk, need another 6-pack, and won't even remember where (or who) I was when I find out months later that my PIN was used by someone (of the dozen sketchy ATMs I used that year) to rob my account. I want one-time passwords right now, that my phone can remember, attached to the specific counterparties, money quantities and transaction description. So later I've got my own complete, authoritative record.

    Not go the other way and give my PIN to every fly by night website, just because they "trust each other" with nothing of their own at stake.

  • by Chyeld ( 713439 ) <chyeld@gma i l . c om> on Wednesday July 23, 2008 @11:14AM (#24304871)

    It doesn't. And you aren't.

    Implemented properly, OpenID works thusly:

    You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere; there is more than one way to provide the information) a server that is authorized to authenticate that you are truly "JimBob" of "random URL".

    The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does its jig and passes back the results.

    The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'official' authenticator for "JimBob" of "random URL".

    This provides you ultimate control, and you aren't passing anything to anyone that you haven't chosen to trust.

    The problem, at least for me, is that almost all of these big-name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck getting these providers set up as authenticators for anything other than their own domains. I.e. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.

  • Re:Damned MS... (Score:3, Interesting)

    by gbjbaanb ( 229885 ) on Wednesday July 23, 2008 @11:16AM (#24304901)

    And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

    You mean like Passport (or Windows Live ID) is a good idea?

    At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.

  • by floateyedumpi ( 187299 ) on Wednesday July 23, 2008 @11:17AM (#24304923)

    All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

    With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

  • by Lincolnshire Poacher ( 1205798 ) on Wednesday July 23, 2008 @11:17AM (#24304931)

    > Is having 1 global ID really wise?

    Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.

    I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.

    For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.

    Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.

  • by davidwhitney ( 738809 ) on Wednesday July 23, 2008 @11:17AM (#24304935) Homepage Journal
    Whenever OpenId comes up there's always a million comments about handing over passwords and that all it takes is one site you're registered with to be compromised for your identity to be lost. This is not the case, as OpenId does not share your actual login information with the third party at all. All the authentication happens at your provider. I fail to see how people consistently overlook this vital piece of information. If your provider is compromised, on the other hand... you're pretty much in the same place as somebody compromising your mailbox. And there's a worrying trend of people just handing that information out anyway.
  • Re:Anonymous SSO? (Score:4, Interesting)

    by 0xygen ( 595606 ) on Wednesday July 23, 2008 @11:20AM (#24304981)

    I would really like there to be different levels of how "signed-in" you are, and to be able to set on the site how "signed-in" I must be for the account to be accepted.

    For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.

    My password might be needed for "level 2", allowing me into my webmail.

    A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.

    With the current state of affairs though, I think we can but dream...

  • Re:OpenID? (Score:3, Interesting)

    by Tom ( 822 ) on Wednesday July 23, 2008 @11:27AM (#24305129) Homepage Journal

    Who cares about a unified username/password "experience".

    I think that would be almost everyone who's tired of remembering (or writing down) a hundred different passwords, as well as everyone who's already using the same password everywhere because (see previous).

    A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an OpenID profile on. Who thinks of these idiotic ideas?

    You.

    The people behind OpenID thought of it as a problem to solve and found a solution. Newsflash: If my game (see footer) accepts OpenID as a logon mechanism (and it will, once I get around to coding it), I won't get your actual login data. What I'll get is a way to ask thirdparty.com if you really are dude@thirdparty.com - the actual authentication happens there, not at my site. Since OpenID is distributed, you in reality get less exposure to attackers, because someone cracking me, or Facebook, or Google, will not get any login data for you, not even to the cracked site, unless that site was your provider.
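
    What Chyeld's "JimBob of random URL" walkthrough and Tom's "ask thirdparty.com if you really are dude@thirdparty.com" both describe is the relying-party side of OpenID 2.0: discover, from the claimed URL, which server is allowed to vouch for it, then check the signed answer that server sends back. The block below is an added example, not code from the page, from Slashdot, or from any OpenID library. It implements HTML-based discovery (the `openid2.provider` / `openid2.local_id` link tags, with the 1.1 `openid.server` / `openid.delegate` names as fallback) and verification of a positive assertion with the association MAC key (HMAC over the key-value form of the fields listed in `openid.signed`). The HTML page, MAC key, URLs and nonce are constructed for the demo; a real relying party gets the MAC key from the association handshake with the provider.

```python
"""Relying-party side of OpenID 2.0, reduced to the two steps the thread describes:
discovery (which server may vouch for the claimed URL) and assertion verification.
Added example; not from the page or any OpenID library. Demo data is constructed."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Fields every positive assertion must list in openid.signed (OpenID 2.0, 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


class _LinkCollector(HTMLParser):
    """Collect rel -> href for <link> tags; rel may hold several space-separated values."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for r in rel.lower().split():
                self.links.setdefault(r, href)


def discover(html):
    """HTML-based discovery: 2.0 link names first, 1.1 names as fallback.
    Returns (provider_endpoint, local_id); local_id is None when the claimed URL
    is itself the identifier the provider knows the user by."""
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        raise ValueError("claimed identifier page advertises no OpenID provider")
    return endpoint, links.get("openid2.local_id") or links.get("openid.delegate")


def _kv_form(params, signed):
    # Key-value form (spec 4.1.1): "key:value\n" per signed key, "openid." prefix stripped.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)


def sign_assertion(fields, mac_key, hash_algo=hashlib.sha256):
    """Provider side: build a positive assertion (openid.mode=id_res) and sign it."""
    signed = list(REQUIRED_SIGNED)
    params = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res"}
    params.update({"openid." + k: v for k, v in fields.items()})
    params["openid.signed"] = ",".join(signed)
    mac = hmac.new(mac_key, _kv_form(params, signed).encode(), hash_algo).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


def verify_assertion(params, mac_key, endpoint, local_id, return_to, seen_nonces,
                     hash_algo=hashlib.sha256):
    """Relying-party side: True only if the assertion answers our request, names the
    provider discovery pointed at, carries a valid HMAC and is not a replay."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.op_endpoint") != endpoint:
        return False                      # not the server the claimed URL delegates to
    if params.get("openid.return_to") != return_to:
        return False                      # a signed answer to somebody else's request
    claimed = params.get("openid.claimed_id")
    if params.get("openid.identity") != (local_id or claimed):
        return False                      # provider is vouching for a different local id
    signed = params.get("openid.signed", "").split(",")
    if any(k not in signed for k in REQUIRED_SIGNED):
        return False                      # an unsigned required field: the sig proves nothing
    try:
        kv = _kv_form(params, signed)
        got = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(mac_key, kv.encode(), hash_algo).digest()
    if not hmac.compare_digest(expected, got):
        return False
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False                      # replayed assertion
    seen_nonces.add(nonce)
    return True


# Constructed demo data (hypothetical hosts; MAC key would come from the association).
CLAIMED_ID_PAGE = """<html><head><title>JimBob</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/user/jimbob">
</head><body>JimBob's page</body></html>"""
MAC_KEY = bytes(range(32))
RETURN_TO = "https://rp.example.org/openid/return"


def demo():
    """Discover, accept a good assertion, then reject a replay and a tampered copy."""
    endpoint, local_id = discover(CLAIMED_ID_PAGE)
    assertion = sign_assertion({
        "op_endpoint": endpoint, "return_to": RETURN_TO,
        "response_nonce": "2008-07-23T15:44:00ZabcDEF", "assoc_handle": "assoc-1",
        "claimed_id": "https://jimbob.example.org/", "identity": local_id,
    }, MAC_KEY)
    seen = set()
    first = verify_assertion(assertion, MAC_KEY, endpoint, local_id, RETURN_TO, seen)
    replay = verify_assertion(assertion, MAC_KEY, endpoint, local_id, RETURN_TO, seen)
    tampered = dict(assertion)
    tampered["openid.claimed_id"] = "https://victim.example.org/"
    forged = verify_assertion(tampered, MAC_KEY, endpoint, local_id, RETURN_TO, set())
    return first, replay, forged
```

The checks in `verify_assertion` are the ones that make Tom's "less exposure" claim hold: the relying party never sees a password, but it must refuse an assertion from any endpoint other than the one the claimed URL delegates to, must refuse one addressed to a different `return_to`, and must treat a reused `response_nonce` as a replay. Discovery is where the user's control lives: changing the two `<link>` tags on the claimed URL moves "JimBob of random URL" to a new provider, as Chyeld describes.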

  • Re:Microsoft Support (Score:2, Interesting)

    by johndfalk ( 1255208 ) on Wednesday July 23, 2008 @11:59AM (#24305687)

    The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.

    Ohh for frack's sake get over the dang Kerberos thing. They put vendor-specific information in !!OMG!! vendor-specific fields. All of which was documented in RFC 4757. However, if Microsoft supported it I would assume they would just become another provider and refuse to accept others' credentials, like MySpace.

  • by Anonymous Coward on Wednesday July 23, 2008 @12:50PM (#24306705)

    I think you are missing the parent's post. His point was that whatever site you use as *authentication server* has (by design) a complete history of your browsing habits (well, as far as OpenID is concerned). This is not mitigated by your ability to choose your own auth server, although it does allow you (and require you) to choose carefully.

    Given the general amount of personal information already published on MySpace, I don't think the users of MySpace will care about the GP's objection, but it is a valid one.

    Personally, I'm somewhat impressed with their move, even though it is only half-baked now (no external openID). Imagine the general populace being able to use their myspace account for all Internet transactions: it would really boost (publicize) openID usage.

    The Netherlands has been busy implementing their own auth system (DigID) for all government sites. I'm hoping that one day OpenID support will be added to that system. I won't hold my breath though.

  • by mccabem ( 44513 ) on Wednesday July 23, 2008 @01:44PM (#24307679)

    It may not be looking good today, but as soon as they see that supporting OpenID as a means of authentication means opening the business to potentially many more people, they will make a change someday.

    Who is going to see that OpenID will "bring them more business"? It's something that so far as I can tell nobody wants.

    -Matt

  • by Chyeld ( 713439 ) <chyeld@gma i l . c om> on Wednesday July 23, 2008 @04:23PM (#24310293)

    Especially with the "Seems like this is just..." toss off, your question is rather like asking what the difference is between a bus and a taxi. Yes they both move you places, but they both rely on slightly different ideas.

    The existence and utility of one does not nullify either of these properties for the other.

    PKI is a wonderful means of doing some things, but it doesn't address some of the things OpenID does. Conversely, there are definitely places where using PKI would make far more sense than attempting to use OpenID.

    In fact, given that you can dovetail them nicely by using a PKI setup in your authentication server for OpenID, your question is rather pointless.

  • Re:Problem (Score:3, Interesting)

    by gilgongo ( 57446 ) on Wednesday July 23, 2008 @05:44PM (#24311443) Homepage Journal

    MyOpenID.com has two factor, and has had it for a while now.

    But all this "single point of failure" stuff is crap, isn't it? Most people (probably not /. readers) have the same damn password for everything. If one of their accounts is cracked - how is that safer than OpenID? In fact, OpenID would probably be a lot safer if it was two factor in that scenario.

    In short, OpenID is about the real world, which makes a refreshing change from the years and years of stupid "security" systems that end up forcing people to put passwords on sticky notes on their monitors.

  • by mdwh2 ( 535323 ) on Wednesday July 23, 2008 @06:23PM (#24311899) Journal

    Now if we hack Email we can get EVERYONES account to EVERY email address.

    Email makes life easier for hackers.
