Forgot your password?
typodupeerror
Social Networks The Internet IT

MySpace Joins OpenID Coalition 272

Posted by timothy
from the inflection-point-perhaps dept.
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."
This discussion has been archived. No new comments can be posted.

MySpace Joins OpenID Coalition

Comments Filter:
  • by kgwilliam (998911) on Wednesday July 23, 2008 @10:39AM (#24304253)
    "Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
    • by CastrTroy (595695) on Wednesday July 23, 2008 @10:48AM (#24304421) Homepage
      What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.
      • by maxume (22995) on Wednesday July 23, 2008 @10:54AM (#24304507)

        You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

        For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

      • by Chyeld (713439) <chyeld&gmail,com> on Wednesday July 23, 2008 @11:14AM (#24304871)

        It doesn't. And you aren't.

        Implemented properly, OpenID works thusly:

        You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truely "JimBob" of "random URL".

        The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does it's jig and passes back the results.

        The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'offical' authenticator for "JimBob" of "random URL".

        This provides you ultimate control, and you aren't passing anything to anyone that you haven't choosen to trust.

        The problem is, at least for me, is almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers setup as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.

      • authentication vs authorization...

        Normally you'd only use openid for authentication (who are you) and there would be an additional password mechanism for authorization (do I have the right to be here).

        Both could be combined with other methods, or you could create your own openid provider ...

        You can also combine delegate your website to a provider of choice, and if they start sucking you can change to another provider without changing your credentials at the sites you frequent.

      • So don't use a third party.
    • by Wolfger (96957) <[wolfger] [at] [gmail.com]> on Wednesday July 23, 2008 @10:53AM (#24304491) Homepage
      Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.
      • Re: (Score:2, Informative)

        by sam0737 (648914)

        At least you can use OpenID to comment a blog on Blogger.
        Setting up a WordPress with OpenID enabled is also very easy, by installing a plugin.

        It may be not looking good today, but as soon as they start seeing supporting OpenID as a mean of authentication means opening the business to potentially many more people, they will make a change someday.

        • Re: (Score:3, Interesting)

          by mccabem (44513)

          It may be not looking good today, but as soon as they start seeing supporting OpenID as a mean of authentication means opening the business to potentially many more people, they will make a change someday.

          Who is going to see that OpenID will "bring them more business"? It's something that so far as I can tell nobody wants.

          -Matt

      • Re: (Score:3, Informative)

        It's sad, and makes baby Stallman cry.

        For anyone who's actually SEEN stallman, this is the funniest quote ever. For those who haven't, here [softpanorama.org]

    • Re: (Score:3, Informative)

      by ohtani (154270)

      You completely misunderstood the article and the concept of OpenID.

      The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

      OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication fo

    • People always complain about internet hackers and cyberstalking, and cyberbullying, but Myspace was invented to assist the stalkers, bullies and hackers.

      OpenID makes life even easier for hackers by centalizing the sensitive information even further. Now when you want to find your blackmail material, you can just search one ID and find all of it.

  • "now if only Microsoft would support it"
    I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
    • Re: (Score:2, Insightful)

      hey, at least Slashdot supports OpenID oh wait...
  • Blah Blah Blah... (Score:5, Insightful)

    by anom (809433) on Wednesday July 23, 2008 @10:40AM (#24304263)
    Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
    • by Danathar (267989)

      Yup..I agree. I looked into OpenID about a month back to see how it had progressed.

      Question 1 was...which openId provider do I choose that I already had an account on.

      Then after that was settled, I quickly realized that there were NO SITES THAT I USED THAT WOULD ACCEPT OPENID AUTHENTICATION!

      Yea sure, they have a list of dinky sites that niche groups use, but for the most part (like 99.9%) it's worthless.

  • by LighterShadeOfBlack (1011407) on Wednesday July 23, 2008 @10:42AM (#24304297) Homepage

    Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

    No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

    Jesus fucking Christ, is proof-reading really that hard?

  • Problem (Score:5, Interesting)

    by Rinisari (521266) on Wednesday July 23, 2008 @10:44AM (#24304329) Homepage Journal

    A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

    • Re: (Score:3, Interesting)

      by Ngarrang (1023425)

      OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else at the same time you've signed up for.

      • by 0xygen (595606)

        I was thinking it would be nice to have a two-factor OpenID authentication provider, which might alleviate this, but only to a limited extent.
        I gather Verisign already do this if you use them as your provider(!) with a SecurID-ish token.

        I am my own OpenID provider, which scarily means that if my web hosting gets hacked, irrespective of what authentcation I use, the hacker can impersonate me. So as you say, it does make a very tempting target with a single point of failure.

        • Re: (Score:3, Interesting)

          by gilgongo (57446)

          MyOpenID.com has two factor, and has had it for a while now.

          But all this "single point of failure" stuff is crap, isn't it? Most people (probably not /. readers) have the same damn password for everything. If one of their accounts is cracked - how is that safer than OpenID? In fact, OpenID would probably be a lot safer if it was two factor in that scenario.

          In short, OpenID is about the real world, which makes a refreshing change from the years and years of stupid "security" systems that end up forcing peopl

    • Re:Problem (Score:4, Insightful)

      by TheRedSeven (1234758) on Wednesday July 23, 2008 @10:48AM (#24304419) Homepage
      An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

      Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

      For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.
      • Re:Problem (Score:5, Informative)

        by Anonymous Coward on Wednesday July 23, 2008 @11:05AM (#24304683)
        So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.
        • Re:Problem (Score:4, Insightful)

          by Jellybob (597204) on Wednesday July 23, 2008 @11:17AM (#24304933) Journal

          I know MyOpenID support using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

        • by Chyeld (713439)

          And in addition, don't do business with companies that have access to your 'valuable' information that don't get the difference between authentication and authorization.

          OpenID is great for saying "I'm JimBob of JimBoblandia" and in reality, that's all most logins are used for.

          But for places that are actually using it for access control, then you should be including a seperate layer to authorize the user in addition to authenticating them. If your bank lets you just walk into the nearest branch and close you

  • losing just one password or openid databases getting hacked will mean loss of all services related to it, even if they have other login systems.
    • Re: (Score:2, Interesting)

      by Scotteh (885130)
      If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.
      • by unity100 (970058)
        losing does not mean 'losing instantly and immediately canceling'.

        by the time you cancel (and if you can, actually manage to cancel) your details in all those sites would have gone out into the wild already. its not a credit card. a credit card and its debts are still under bank's control regardless of its lost or not. your personal details are not as such.
    • Re: (Score:3, Interesting)

      by thrillseeker (518224)
      That's why you use a very secure password with an openid provider with a good reputation - which would probably not be Myspace or the like, but a dedicated openid provider that has been around a while. Some providers allow the used of a signed certificate to facilitate the login - that is you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted
  • Damned MS... (Score:2, Insightful)

    by db32 (862117)
    I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.

    Seriously...with the internet being such a dangerous place for the average user. How in the freaking hell is a single sign on going to make it better? I mean really now this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to
    • Re: (Score:3, Interesting)

      by gbjbaanb (229885)

      And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

      You mean like Passport (or Windows Live ID) is a good idea?

      At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.

    • by spinkham (56603)

      SSO centralizes the risk, then you can decide how much to invest in that risk.
      This is how the US military CAC system works, with smartcards issued to all personal and SSO for many services. Not all services are SSO enabled mind you, but their security needs are higher then most.
      For OpenID, I use Verisign's PIP service with Firefox plugin to combat spoofing and hardware token for 2 factor auth, and I'm quite comfortable with the security. Unfortunately there's not too many places to use it, as everyone want

    • Re: (Score:3, Insightful)

      by gilgongo (57446)

      "How in the freaking hell is a single sign on going to make it better?"

      OpenID recognises two things:

      1. The fact that the vast majority of people use (or try to use) the same password for every system they have. For the systems they can't use their preferred password for, they write the password on a sticky note, and put it on their monitor.

      2. The fact that most people have a handful of important accounts (banking, mainly), and then a long tail of fairly trivial stuff. Somebody might cause you a lot of embar

  • I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.

  • by SpecialAgentXXX (623692) on Wednesday July 23, 2008 @10:50AM (#24304451)
    Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

    Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.
    • Re: (Score:3, Interesting)

      > Is having 1 global ID really wise?

      Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.

      I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.

      For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wi

      • For a Web world, compartmentalisation of sign-on is vital.

        Only up to a point.

        I have 128 logins that I keep. I know that because don't remember any of them, I have a file full of them. When I use Yet Another Website, I'm really tired of making Yet Another Login.

        If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.

        If you think that using openId from Site A to log into site B gives site B ways to continue having dealing with you a

        • > I've seen a fair amount of OpenId around recently. You can sue it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?

          I looked-over the list on openiddirectory.com; 634 participating sites. That's greater than zero, admittedly. Just about.

          The story of SSO in e-commerce is brief and inglorious. ebay dropped Passport support in January 2005; Amazon never got onboard; Google established its own intra-domain federation; Yahoo announced Ope

  • The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

    Most people seem to user the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.

    So maybe it's still an improvement, but it should be considered as a very serious concern.

    • The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

      But at least OpenID puts the matter into your hands (if you so desire). If you recycle usernames and passwords (as many people do) then a compromise of any site (and these sites are beyond your control; a third party merely needs to make a mistake, and that happens all the time) and your credentials are compromised and can be used to take your identity on other sites.

      With OpenID, if you run your own provider,

  • Great...have one ID for everything, then they'll just have to steal it once.
    Although, most idiots today use the same username and password for everything anyway.
  • Username Squatters? (Score:2, Interesting)

    by HockeyPuck (141947)

    I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.

    We'll end up with the same problem we have now with domainnames, grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.

  • by getuid() (1305889)

    ...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.

    Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name of Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.

    Even if you don't have your real name anywhere: y

  • by floateyedumpi (187299) on Wednesday July 23, 2008 @11:17AM (#24304923)

    All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

    With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

  • single point of failure!!

    I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my blogger account, and i'll probably buy my own domain again to get away from gmail.

    To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.

  • by GrumblyStuff (870046) on Wednesday July 23, 2008 @11:40AM (#24305347)

    GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.

    You do NOT give OpenID all your passwords and logins.

    It's not turning all those accounts over to a third-party and them giving you a single login and password.

    It's using ONE account at MANY other sites in a limited form.

    Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.

    This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.

    THAT'S IT.

    I RFTS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.

    OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

    Note the key phrase "eliminates the need for multiple usernames". That means not needing an accound at MySpace, Facebook, or Livejournal to message a friend.

    I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)

    • by brunascle (994197) *

      OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

      Note the key phrase "eliminates the need for multiple usernames". That means not needing an accound at MySpace, Facebook, or Livejournal to message a friend.

      That's not entirely true. It might've been the goal of OpenID to eliminate the need to have different accounts on different sites, but in reality it only eliminates the need to remember different usernames and passwords. Relying parties could still require you to fill out a form to sign up the first time you log in with your OpenID. There's a chance you'll need to choose a username, and maybe even a password. The only difference is you wont have to remember them.

      • Relying parties could still require you to fill out a form to sign up the first time you log in with your OpenID. There's a chance you'll need to choose a username, and maybe even a password.

        Then there'd be no difference between OpenID and just signing up and checking that box that says "Remember this password" in which case, HEY, they just made themselves entirely redundant. That or at least such a nuisance people will settle with posting anomynously or simply making an account there.

        In either case, I fai

  • With all the talk of running one's own OpenID provider, why not run it on your own machine behind a DynDNS [dyndns.org] or similar provider and use PAM to authenticate against /etc/shadow?
  • Public keys ? (Score:3, Insightful)

    by smoker2 (750216) on Wednesday July 23, 2008 @12:06PM (#24305823) Homepage Journal
    Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
    Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
    Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
    Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
    Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.

    Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
  • Now I only have one username and password to hack and your world is mine

  • a group that seeks to allow users to create a single account/password set to be used on a number of services.

    This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.

    • OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).

      • OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).

        There are already better tools that work with all sites for remembering passwords. Firefox is but one example. It can remember logins and passwords for any site and protect the password list using strong encryption. To use OpenID with any confidence, one must trust an OpenID provider. You can ru

  • According to this [efluxmedia.com] article, Microsoft claims 400 Million Passport/Windows Live users worldwide. How is it that OpenID is becoming the defacto standard again?
  • One thing that really needs to happen is for forums to accept OpenID. Given that there a small number of software packages seem to run the majority of forums out there, it seems like this sort of change could happen quickly... but to my knowledge, hasn't so far.

If you think the system is working, ask someone who's waiting for a prompt.

Working...