Pinterest Stumbleupon Whatsapp
Ads by Google

OpenID What is OpenID? According to OpenID.net: OpenID is a free and easy way to use a single digital identity across the Internet. With one OpenID you can login to all your favorite websites and forget about online paperwork! Wow, that sure sounds great.

OpenID is a great idea. One place to login! Imagine not having to remember your username and password for the multitude of sites that you need to login to. Once you have signed up with an OpenID provider, like one of the ones below, you will then just need to enter your OpenID URL into a supporting site’s login page; and if you have not already authenticated with your OpenID provider you will be asked to login, and if you already are authenticated you will be logged into the site.

OpenID also assists with transferring information like Name, Location, Profile Icons and so on to the site. This helps in that you don’t need to retype this information as much as you used to for each individual site you signed up on.

The main drawback to OpenID is that if your username and password are stolen or phished, then all of your registered sites then become targets. While some OpenID providers try to alleviate this (by using image verification or two-factor authentication), the majority do not.

The following is a list of suggested OpenID Providers, along with a quick summary and the pros and cons of each:

MyOpenID

Ads by Google

myopenidlogo.gif MyOpenID is run by a company named JanRain, who was an early adopter and promoter of OpenID services. A leader in the industry but also a small company. Look for them to be acquired in the future.

Pros: A widely used provider. Allows you to set up a customized OpenID URL, such as openid.yourdomain.com. Major supporter of the OpenID Standard.
Cons: The company is not “big”, so they have an unproven track record.

Google Accounts

Google-OpenIDThink you don’t have an OpenID? Google recently joined the multitude of OpenID providers out there by offering OpenIDs to all Google Accounts. So, if you have a Gmail address, you already have an OpenID! Visit their account page, sign in and get your OpenID URL for signing up with OpenID compatible sites.

Pros: Many people already have Google Account access, Google is a stable company with a track record of security.
Cons: Google knows all.

ClaimID

ClaimID Logo ClaimID is an OpenID provider which has more than just OpenID. You can “claim” URLs that are yours, and save them to a profile page. Afterwards, you can use your ClaimID URL (which also serves as your OpenID URL) to log into OpenID sites. ClaimID differs from other providers in that they give you a “profile” page that you can send other people to. You can also import images from Flickr, links from Del.icio.us, and more.

Pros: One of the more consumer-friendly OpenID providers, a profile page is included.
Cons: The site seems to be still in the beta stages. An unproven track record.

Verisign Labs PIP

paypalsecurity.jpg Verisign Labs Personal Identity Provider is the OpenID service from the well-known security firm. Their service is ‘plain’, which is a good thing in my opinion. Also, unique to Verisign PIP is the availability of using two-factor authentication with your openID login, further securing access to your websites. For more information on setting this up, see my post on integrating two-factor authentication. They also provide a free Firefox addon which will automatically fill in your OpenID url on websites; and gives a visual representation if your OpenID login is currently valid.

Pros: Only two-factor provider I found, well known security company. Free OpenID Firefox addon.
Cons: OpenID URL is hard to remember.

For a full listing of OpenID providers see: http://openid.net/get-an-openid/

In summary, you use OpenID to consolidate your logins. Currently, the main drawback is that not many sites accept OpenID as a valid login. Some major ones, Blogger, WordPress, and more [see full list here] are coming online. Look to see a slow adoption at first, then a ‘tipping’ point where many sites will follow. From indications I’ve seen, it will not be long before we see major OpenID adoption among blogs, news sites, and more. On the tail end, and after the technology is proven, we may see banks and other “high security” sites accept OpenID.

  1. Jason C
    May 1, 2008 at 10:46 pm

    I used to be concerned about remembering all of my different logins and passwords (I am the type of person that can't keep the same username anywhere, I don't know why but it's definately an annoying trait), but I went ahead and installed the Password Hasher extension for Firefox on all of my computers. That way it just boils down to remembering what your hash password is and it generates your password successfully for each site based upon it's tag and encryption settings.

    Now logging into websites and services online is a lot less of a headache. I would really be hesitant to throw all of my logins on the net and just trust that they're in good hands.

  2. Justin Shattuck
    April 24, 2008 at 2:15 pm

    Scott I beat you! And I dont even work for Vidoop, brahahah! However, I know Koes and Clay (the owners son) hehe so I plug ya guys when I can.. Not to mention; holy crappers it's a great service!

  3. Terrell Russell
    April 23, 2008 at 12:05 am

    Thanks Dave (and Scott),

    We *are* planning to deploy the ImageShield and it *will* improve the security of our already-industry-standard SSL logins.

    More here:
    http://blog.claimid.com/2008/04/claimid-enhances-security-with-confident-technologies-recognitionauth/

    Terrell

  4. Scott Kveton
    April 22, 2008 at 12:17 pm

    I'm going to shamelessly plug our OpenID provider myVidoop.com as a secure option. We use a unique way of logging in that leverages the ability of users to recall better than can remember. This, combined with a second factor activation of your browser via email, SMS or voice give users the ability to have corporate grade authentication without the hassle of carrying tokens or having to remember long, obscure passwords.

    It should be noted that claimID is also going to be deploying the ImageShield as an optional way of authenticating as well:

    http://www.earthtimes.org/articles/show/confident-technologies-secures-leading-openid-providers,359949.shtml

  5. Fred
    April 22, 2008 at 7:32 am

    Thank you for your review of ClaimID. While we certainly appreciate the publicity, I'd like to dispute your "con". ClaimID has been in continuous operation since early 2006, providing OpenID's to tens of thousands of users. We're not in beta - we're a production service, and we take this commitment very seriously. I would argue that we've got a great track record: sure, we're not a huge company like Verisign or Google, but we're doing a great job. Thanks, Fred, co-founder ClaimID.com

    • Dave
      April 22, 2008 at 8:35 am

      Hi Fred,

      Thanks for taking the time to respond to my article. I applaud your innovation and your dedication to OpenID; I have a ClaimID account myself (http://claimid.com/ddrager) and I do recommend it to others. However, when businesses look at companies to work with and to invest a significant amount of time/capital into integration with their products - they like to see that they won't be going out of business anytime soon. In internet time - early 2006 to now is a great length of time, however some organizations would still consider this company 'new'. It's to no detriment of your own - all companies are considered new at some point.

      So far, you do have a great track record (I like the microID verification you've added since I've signed on) but like I had said, business look for establishment of several years (5 years) to make significant investments.

      Keep up the great work!

      As a side note - any idea if you will be getting addition security measures on your login pages? As I had said that is my greatest detractor with OpenID. Please e-mail me if you'd like to discuss further - dave (at@) makeuseof.com.

      • Fred
        April 24, 2008 at 7:37 am

        Dave -

        Thanks for explaining - I definitely understand where you're coming from, and I agree. Again, thanks for including us - I appreciate it!

        _Fred

  6. Justin Shattuck
    April 22, 2008 at 9:20 am

    Don't forget about a myvidoop.com and Vidoop.com. They have some killer stuff going on in relation to OpenID.

  7. Transcontinental
    April 22, 2008 at 3:46 am

    In my opinion, the very concept of a single digital identity across the Internet is the antithesis of security. As Dave points it, "The main drawback to OpenID is that if your username and password are stolen or phished, then all of your registered sites then become targets." ; whether it be OpenID or any other "Universal Web Identity". Obvious. So obvious one may wonder how the concept even exists.

    Like in a submarine, security requires compartments. Who would take the chance to sink?

    • Peter
      April 22, 2008 at 8:20 am

      This has been my same concern with OpenID since I learned about it. The concept is effectively the same as using the same logon and password for every site. Which is a very poor security choice.

    • Dave
      April 22, 2008 at 8:43 am

      I totally agree. But there is a (growing) problem with the multitudes of logins/passwords that a single person is required to remember on the internet today.

      Sure, in a perfect world - a user has different passwords for every site that they use.

      But how is this possible? Right now, if you use a secure, randomized, lengthy password, the only way to do this is to a) write it on a piece of paper (BAD!) b) store it in an encrypted file (which requires a password to open up). These are really the only two options.

      I would rather see a single sign on which has an ultra-secure logon (That is why I use Verisign's PIP with two-factor authentication) than someone who uses the same username/password, which is usually guessable for a typical user.

      Then the security is down to your OpenID provider. This "trust" and security issue is something that has yet to be addressed, in my opinion.

      Some security luminaries believe that the totally compartmentalized nature of current username/password schemes is enough to keep the general security of the internet without a single point of failure. I don't believe that it has really been proven at this point, specifically for the typical internet user who uses the same password for everything.

      Please let me know your thoughts or if you think this is totally off base.

      • Peter
        April 22, 2008 at 11:42 am

        I guess part of it depends on what type of attack you think is going to happen. If someone gets into the database for my bank, then having the same password for my eBay account might not be a problem since the attack was targeting the bank. If someone is targeting ME in particular and learns my bank password, then having the same password for all my other accounts suddenly is a really big problem.

        I use your second option. I have a KeePass file with different randomly generated passwords for all my accounts. The password to open the file is relatively insecure, but the file itself is always under my control. There are some passwords that are extremely complex and I don't even know what they are. I just copy and paste them from KeePass. Granted, I need to have access to the KeePass file to logon to those accounts, but I am willing to make that tradeoff.

        OpenID might be acceptable for low-value accounts like blog comments and such, but I can't see it becoming accepted for high value accounts unless it is used as part of a two-factor authentication system (like the Verisign system).

      • Mackenzie
        April 22, 2008 at 3:42 pm

        Well, at least this way there's just one server holding your user/pass. The usual method involves keeping your user/pass stored on many servers. If any of them are broken into, your stuff's gone. At least your info's in less places.

        • Peter
          April 30, 2008 at 8:25 pm

          Yes, but if one is broken into only that account is compromised. If my OpenID provider's servers are hacked, then ALL my OpenID accounts are compromised.

  8. Mackenzie
    April 21, 2008 at 10:42 pm

    I've been using myopenid.com for about a year now, I think. There are many other ways to get an OpenID, though. I believe AOL has made all AIM SN's into OpenIDs. Yahoo as well. Launchpad.net (Ubuntu's bugtracker/source code holder/whatever else) is also an OpenID provider, but you get really ugly OpenIDs. They thankfully let you sort of alias your site's URL as your OpenID, though, so you can have a pretty one that promotes your site. MyOpenID offers this as an option as well.

Leave a Reply

Your email address will not be published. Required fields are marked *