

OpenID: Now more powerful and easier to use - adamhowell
http://openid.net/2009/09/25/more-powerful-and-easier-to-use/

======
mahmud
Please upvote to give the standards more exposure.

Yahoo, Google and MySpace are supporting the spanking new OpenID OAuth
Extension protocol. I have this on my plate at this exact moment; I am not
sure how long it will take them to support this, but for now, I found Yahoo's
Contacts API to be the easiest, and Facebook's Registration/SSO to be the
hardest.

This is what my todo list looks like:

1) Visit all these websites: <http://knowem.com/>

2) See which ones have authentication API

3) Implement them.

4) ???

~~~
dcurtis
Are you sure you want OpenID to get more exposure? It already failed once due
to hideously poor execution and terrible usability problems. Attaching OAuth
doesn't seem to solve any of the big problems. It just masks them behind a
protocol that works decently on its own.

The OpenID promise sounds good in a geeky, technical sense, but judging from
their past work, I do not trust the OpenID group to build anything remotely
viable.

~~~
jmillikin
OpenID hasn't failed at all -- I've been noticing more and more sites allowing
sign-ins using it, and even a few (primarily for tech audiences) which are
OpenID-only.

Of course, there are a few sites which claim OpenID support but implement it
poorly (such as news.yc), but that's not a reflection on the protocol.

~~~
dcurtis
I do not consider getting a tiny subset of the tech audience using OpenID a
case for it being a success. In fact, it did that years ago and has gone
nowhere since.

~~~
jmillikin
OpenID 2, which was the first version intended to be broadly useful outside of
LiveJournal, was published less than two years ago. In that time, OpenID has
gained support from every major identity provider and most major consumers.
Anybody who uses LiveJournal, Wordpress, StackOverflow, or thousands of other
sites can use OpenID instead of a traditional login.

~~~
Andys
Reality check: "most" major consumers is going too far

------
old-gregg
I know very little about OpenID and, lacking knowledge, I've been avoiding it
as a user.

I've tried reading up on it, but the sites/tutorials I looked at were
excessively vague and wordy, and I got the impression that I don't want to use
OpenID for myself. The HN audience, however, seems quite favourable to the
standard, so I'm willing to accept that my initial reaction was a wrong
one.

Can you recommend a good reading on the current state of OpenID, with emphasis
on security please?

Thanks.

~~~
ludwig
As a user, I typically love encountering sites that are OpenID enabled
(stackoverflow, gitorious, ...) since then I can use my livejournal account to
login. This way I don't have to manage yet another username/random-password
pair.

~~~
chrischen
For many of these sites they might as well not have you login at all and allow
you to do whatever they let you do with OpenID, since after logging in they
only get a unique identifier (not even an email address, am I correct?).

~~~
ludwig
I see what you're getting at, but I think it's more of an issue of keeping
your digital identity intact rather than fragmented over multiple accounts. I
can authenticate at a single place, and that server can vouch for me on other
sites ("Yeah, he's good to go. He logged in with me. It's him and not some
other user."). With some sites you could get away with no login (see 4chan,
where everyone is anonymous), but for discussion sites that rely on reputation
(stackoverflow, reddit, hackernews, etc.) that's not really ideal.

Security-wise, you have the added advantage of not having to manage multiple
passwords. You could use a single password for all your sites, but then your
password exposure would be too high, since a breach in any of those N websites
could potentially capture that one password of yours. With OpenID, those sites
wouldn't even be getting my password.

~~~
chrischen
But then a breach in your OpenID account would mean access to every other site
right?

However, I do agree it would make it a little more secure than using one
password at every site. However, for smaller sites that I care less about, I
generally use a special password anyways, and it seems it's really smaller,
less ambitious sites that will adopt OpenID anyways. I don't
think Yahoo, Google, or Facebook will start taking OpenID logins any time soon,
right?

~~~
robotadam
A breach in your OpenID account is the same security risk as a breach in your
email account, if the sites do account recovery via email.

------
luigi
Once WebFinger is widely supported (that is, using an email address as an
OpenID instead of a URL), the OpenStack will be ready for the masses.

~~~
jmillikin
Using an email address for your OpenID is already possible, assuming your
provider supports it. I haven't seen any great rush to support email OpenIDs,
though, so it could be that most email providers just don't care.

------
jongraehl
Has anyone seen a site claiming to use OpenID but actually phishing with a
redirect to a similar-looking URL (e.g. typo-domains of google/yahoo/etc.) to
grab your password?

I always check the URL before entering my credentials, but there's always the
risk of similar looking glyphs at a different code point (is Unicode allowed
in domain names yet?), or just typo-blindness.
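
The check jongraehl describes doing by eye, as an added example (editor's code, not from the article or anyone in the thread): a relying party, or a browser helper, can run it on the OP endpoint URL before the user is sent there to type a password. It expands punycode (`xn--`) labels so look-alike characters become visible, flags labels that mix scripts or use a non-Latin script, and otherwise requires the host to be on an allow-list. The two hosts in the list are only illustrative; a real RP would compare against the endpoint it obtained through discovery. The URLs used in the checks are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Added example, not from the article or the thread. Illustrative allow-list: an RP would use
# the OP endpoint host it found through discovery, not a hard-coded set.
TRUSTED_OP_HOSTS = {"www.google.com", "open.login.yahooapis.com"}


def to_unicode_host(host):
    # Expand punycode (xn--) labels so that look-alike characters can actually be inspected;
    # a label that fails to decode is reported as malformed rather than silently kept.
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                return None
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    # The Unicode character name starts with the script name: "LATIN", "CYRILLIC", "GREEK", ...
    # Digits and hyphens are script-neutral and skipped.
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_op_redirect(url, trusted_hosts=TRUSTED_OP_HOSTS):
    """Return (ok, reason) for the URL the browser is about to be redirected to."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "OP endpoint is not https"
    host = parts.hostname  # lower-cased, port removed
    if not host:
        return False, "no host in URL"
    uhost = to_unicode_host(host)
    if uhost is None:
        return False, "malformed IDN label"
    if uhost in trusted_hosts:
        return True, f"{uhost} is a known OP endpoint host"
    for label in uhost.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            return False, f"mixed scripts {sorted(scripts)} in label {label!r}"
        if scripts and scripts != {"LATIN"}:
            return False, f"non-Latin label {label!r}"
    return False, f"{uhost} is not a known OP endpoint host (typo-domain?)"


if __name__ == "__main__":
    for u in ("https://www.google.com/accounts/o8/ud",
              "https://www.g\u03bfogle.com/accounts/o8/ud",   # Greek omicron in place of 'o'
              "https://www.googel.com/accounts/o8/ud"):       # plain typo-domain
        print(u, "->", check_op_redirect(u))
```

The script-mixing test only catches cross-script confusables; "rn" for "m" or a transposed letter is pure Latin and is caught only because anything not on the allow-list is rejected, which is why the allow-list comparison comes first and the script analysis serves to explain the rejection.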

------
simonw
This feels to me like OpenID finally coming of age - the OpenID+OAuth hybrid
protocol means you can one-click sign in to a site and simultaneously grant it
access to an OAuth protected resource such as your address book. From what
I've heard it usability tests extremely well too.
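
What the hybrid flow looks like on the wire, as an added example (editor's code, not the article's and not any commenter's): the RP's `checkid_setup` request carrying the OpenID OAuth Extension fields, a simulated OP answering with a signed `id_res` assertion that includes a pre-approved OAuth request token, and the RP-side verification of that assertion. Hostnames, the association handle and the token are made up, and the association (a shared HMAC-SHA256 key) is assumed to already exist; the OP is simulated in-process only so the exchange runs offline.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Added example, not code from the article or any commenter. Hostnames, handles and tokens are
# made up, and the RP and OP are assumed to already share an association (handle + HMAC-SHA256 key).
OPENID_NS = "http://specs.openid.net/auth/2.0"
OAUTH_EXT_NS = "http://specs.openid.net/extensions/oauth/1.0"


class VerificationError(Exception):
    pass


def kv_form(fields, signed_keys):
    # Key-Value Form: one "key:value\n" per signed field, keys without the "openid." prefix,
    # in the order given by openid.signed. This exact string is what the MAC covers.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def mac_b64(mac_key, message):
    digest = hmac.new(mac_key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_hybrid_request(op_endpoint, claimed_id, return_to, realm, assoc_handle, consumer_key, scope):
    # RP side: an ordinary checkid_setup request plus the extension fields asking the OP to
    # pre-approve an OAuth request token for consumer_key with the given scope in the same login.
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.realm": realm, "openid.assoc_handle": assoc_handle,
        "openid.ns.oauth": OAUTH_EXT_NS, "openid.oauth.consumer": consumer_key, "openid.oauth.scope": scope,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def simulate_op_response(request_url, mac_key, request_token):
    # Constructed OP side: the user approved both the login and the OAuth scope, so the OP sends
    # a positive assertion carrying an already-authorized request token, and signs the extension
    # fields together with the mandatory ones.
    parts = urlsplit(request_url)
    req = dict(parse_qsl(parts.query))
    resp = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": parts._replace(query="", fragment="").geturl(),
        "openid.claimed_id": req["openid.claimed_id"], "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"], "openid.assoc_handle": req["openid.assoc_handle"],
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(8),
        "openid.ns.oauth": OAUTH_EXT_NS, "openid.oauth.request_token": request_token,
        "openid.oauth.scope": req["openid.oauth.scope"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce",
              "assoc_handle", "ns.oauth", "oauth.request_token", "oauth.scope"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = mac_b64(mac_key, kv_form(resp, signed))
    return_to = req["openid.return_to"]
    return return_to + ("&" if "?" in return_to else "?") + urlencode(resp)


def verify_hybrid_response(response_url, mac_key, expected_op_endpoint, expected_return_to,
                           expected_assoc_handle, seen_nonces, max_skew=300):
    # RP side: everything that must hold before the RP logs the user in or touches the token.
    f = dict(parse_qsl(urlsplit(response_url).query, keep_blank_values=True))
    if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
        raise VerificationError("not a positive OpenID 2.0 assertion")
    if f.get("openid.return_to") != expected_return_to:
        raise VerificationError("return_to does not match the URL this response arrived at")
    if f.get("openid.op_endpoint") != expected_op_endpoint:
        raise VerificationError("op_endpoint does not match the endpoint found by discovery")
    if f.get("openid.assoc_handle") != expected_assoc_handle:
        raise VerificationError("unknown association handle")
    nonce = f.get("openid.response_nonce", "")
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        raise VerificationError("malformed response_nonce")
    if abs(time.time() - issued) > max_skew or nonce in seen_nonces:
        raise VerificationError("stale or replayed response_nonce")
    signed = f.get("openid.signed", "").split(",")
    for k in ("op_endpoint", "return_to", "response_nonce", "assoc_handle"):
        if k not in signed:
            raise VerificationError(f"mandatory field {k} is not signed")
    for k in ("claimed_id", "identity", "ns.oauth", "oauth.request_token", "oauth.scope"):
        if "openid." + k in f and k not in signed:
            raise VerificationError(f"{k} is present but not covered by the signature")
    try:
        expected_sig = mac_b64(mac_key, kv_form(f, signed))
    except KeyError as missing:
        raise VerificationError(f"signed field missing from response: {missing}")
    if not hmac.compare_digest(expected_sig, f.get("openid.sig", "")):
        raise VerificationError("signature mismatch")
    seen_nonces.add(nonce)  # remember only nonces of responses that verified
    token = f.get("openid.oauth.request_token") if f.get("openid.ns.oauth") == OAUTH_EXT_NS else None
    return {"claimed_id": f.get("openid.claimed_id"), "request_token": token, "scope": f.get("openid.oauth.scope")}
```

The point worth taking from the verifier is that the extension fields have to be covered by `openid.signed` like everything else: an RP that reads `openid.oauth.request_token` without that check is trusting an unsigned value on a URL the user's browser delivered. Two simplifications remain: `return_to` is compared as an exact string, and the returned `claimed_id` is not re-checked against the result of discovery; a production RP does both, and then exchanges the request token for an access token at the OP's OAuth endpoint.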

~~~
avibryant
We've been using it for trendly.com and yes, it seems very usable. I didn't
know about the popup option, though, I'll have to try that.

------
wvenable
I'm sorry, I still don't see the advantage of OpenID. Can anyone explain why
it's any more convenient than username/password? I still haven't bothered to
sign up for StackOverflow because the signup seemed far more complicated than
it is for just about any other Web 2.0 site.

~~~
jrockway
Complicated?

When I signed up for StackOverflow, I typed in <http://jrock.us/> as my
OpenID, and was finished. No password, no email, no "click this link to
confirm your email", etc. If SO gets hacked, they have no useful information
of mine. If my OpenID provider gets hacked, I remove a few lines of HTML from
my index.html page, and can use a different provider. There is only a tiny
window where my accounts can be compromised: either until I take down the
redirect, or the provider itself is taken down.

(Compare this to the Perlmonks debacle, where my plaintext password is now
known to the world, and I had to change the password on every website I've
ever used. That is what I consider "complicated".)
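
The delegation jrockway describes, as an added example (editor's code, not from the article or the thread): OpenID HTML-based discovery pulls the OP endpoint and the OP-local identifier out of `<link>` tags in the page's `<head>`, so switching providers is a matter of editing two `href` values while the claimed identifier, the page URL that relying parties stored, stays the same. The sample pages and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the article or the thread. Sample pages and hostnames are made up.


class OpenIDLinkExtractor(HTMLParser):
    # Collects <link rel=... href=...> tags found in <head>. The first link for a given rel
    # wins, and links in <body> are ignored, so content injected below the head cannot
    # redirect discovery to another provider.
    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag == "link" and self._in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def _absolute_http_url(u):
    p = urlsplit(u or "")
    return p.scheme in ("http", "https") and bool(p.netloc)


def discover_from_html(html, claimed_id):
    """Return {version, op_endpoint, local_id, claimed_id}, or None if the page delegates nowhere."""
    p = OpenIDLinkExtractor()
    p.feed(html)
    p.close()
    links = p.links
    if "openid2.provider" in links:      # OpenID 2.0 delegation
        endpoint, local_id, version = links["openid2.provider"], links.get("openid2.local_id"), "2.0"
    elif "openid.server" in links:       # OpenID 1.1 fallback
        endpoint, local_id, version = links["openid.server"], links.get("openid.delegate"), "1.1"
    else:
        return None
    if not _absolute_http_url(endpoint):
        raise ValueError(f"OP endpoint is not an absolute http(s) URL: {endpoint!r}")
    # Without a local_id the OP-local identifier is the claimed identifier itself.
    return {"version": version, "op_endpoint": endpoint,
            "local_id": local_id or claimed_id, "claimed_id": claimed_id}


# Constructed sample page: the same claimed identifier, first delegating to one provider...
PAGE_BEFORE = """<html><head><title>jrock.us</title>
<link rel="openid2.provider" href="https://op-one.example/server">
<link rel="openid2.local_id" href="https://op-one.example/id/jrock">
<link rel="openid.server" href="https://op-one.example/server">
<link rel="openid.delegate" href="https://op-one.example/id/jrock">
</head><body><p>hello</p>
<link rel="openid2.provider" href="https://attacker.example/server">
</body></html>"""

# ...and then, after the owner edited index.html, to a different one. The claimed_id never
# changes, so relying parties that stored it keep working.
PAGE_AFTER = PAGE_BEFORE.replace("op-one.example", "op-two.example")

if __name__ == "__main__":
    for page in (PAGE_BEFORE, PAGE_AFTER):
        print(discover_from_html(page, "http://jrock.us/"))
```

The flip side of this convenience is the one jrockway mentions: whoever can edit the page, or serve a different page for that URL, controls which OP the relying party trusts, and the RP must also confirm the OP's assertion against the endpoint and local identifier this discovery step produced, not just the identifier the OP returns.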

~~~
wvenable
I wouldn't know where to begin to set that up -- there's the complicated part.
Honestly, this should all be built into the browser -- all this web-service
stuff is entirely the wrong approach.

------
aw3c2
I do not use OpenID for privacy reasons. All accounts are using different
names and I don't want sites to know that "this person A" and "that person B"
are in fact the same. It's no one's business.

~~~
simonw
If you're worried about sites conspiring behind your back to join your
identities together, I take it you use a different e-mail address on every
site you sign in to as well?

------
Kaizyn
OpenID needs to hurry up and die so efforts will not continue to be wasted
either pushing for OpenID or trying to support it. That way, work can begin in
earnest on the next standard protocol that will replace it.

