Domain: myopenid.com
Stories and comments across the archive that link to myopenid.com.
Comments · 11
-
Re:Wait, what?
Central, 2 factor authentication. Keyword OpenID
Google has it.
OpenID endpoint : https://www.google.com/accounts/o8/id
2 factor : http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.htmlmyOpenID has it : https://www.myopenid.com/about_callverifid/
Verisign has it : http://systembash.com/content/using-the-paypal-verisign-security-key-with-openid-for-two-factor-authentication/
WiKID provides software to set up your own 2 factor OpenID : http://wikid.com/
It's also not that hard to make your own OpenID server (LOTS of good libs around for most languages), and there are already various open apps for 2 factor auth for f.ex phones (like http://motp.sourceforge.net/ )
And, even without 2 factor auth, OpenID is still generally more secure than passwords. Stealing the DB on a random website that use openid for auth, or even having root, won't give the attacker much to work with. No passwords. No info that allow him to use the openid account on other web sites.
So, start looking closer at OpenID today
:) -
Re:Password authentication is dumb
Compare that with the problems of PKI:
... certificates are only really useful if you've done some form of vetting to confirm that I am who I said I am....Knowledge of a password likewise says nothing about who you actually are. For the purpose of replacing passwords, all you need is proof that you have the certificate associated with the account. There is no need to prove your real-world identity.
If myOpenID can painlessly use browser-generated personal authentication certificates in place of passwords, so can other sites.
-
Re:We have it. It's called the World Wide Web.
The answer is that Google's OpenID implementation is totally jacked up. There's really nothing wrong with OpenID itself, Google just puts more emphasis on making people click the "Sign in with Google" button and couldn't care about following the protocol.
I recommend myOpenID as an OpenID provider. They'll give you a valid URL. OpenID URLs should be in the form of username.example.com or example.com/username
-
Re:Well
The URL is magic, mine is http://coryking.myopenid.com/, and you are a poopyhead.
Second, if I did compromise your account at myopenid, I could use it to log into OpenID enabled websites you never visited in your life and say nasty things about your mother. You'd know it from within MyOpenID, but the damage would have been done.
-
Re:Well
And again, it (the URL) is not magic. As proof, my open id url is http://carlanderson.myopenid.com/ Try to use it to login anywhere and watch what happens. You still have to have my username AND password to do anything with it. (hint, my username isn't carlanderson.)
-
Re:OpenID
Also, many OpenID providers like MyOpenID let you generate a browser-side SSL certificate and forbid password logins entirely on your account. At that point, you can't be tricked into entering your password because you simply don't have a password.
-
Re:You are NOT sharing your password!
Also it should be noted that you don't have to use passwords to authenticate with your provider. MyOpenID supports certificate based authentication, and have just started offering CallVarifID(TM), which will phone you when you sign in.
Regards
elFarto -
Re:CACert
except that you only need to tell people that this site really corresponds with this certificate.
Sure, it won't stop phishers running "ebuy.com" as they can then get a valid certificate (I'm sure they can anyway), but it will prevent the certificate not being owned by the same people who own the site.
There are ways to make sure the cert = the site when you request one, I did it recently with my myopenid id - check out their ssl options, they make you add a cname to your dns that they verify - if you can alter your dns, you own the site.
So, considering the hoops I had to jump through to get my certificate last time I applied (ie none at all besides having a credit card), this would be *more* secure than my current root-CA certified one.
-
Wikipedia entry and Identity providers
The wikipedia entry is quite informative. With OpenID, unlike XNS.org (for those who remember), you need an 'identity provider': A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services), and here's the official list of identity providers. And while we're at it, the list of services that support OpenID.
-
Re:Overly complicated
Cortana: Check out this link:
http://www.openidenabled.com/openid/use-your-own-u rl-as-an-openid
It allows you to use LiveJournal, the PIP or MyOpenID and your own domain.
If you want to run your own library, there is a PHP server out there:
http://www.openidenabled.com/openid/php-standalone -openid-server -
OpenID authentication
There's nothing preventing your OpenID server from using a SSL or TLS certificate in just the way you say your bank does. Zooomr's partner OpenID service MyOpenID does in fact just that.
We do highly discourage use of "a window with no location bar" for the reasons you mention. You and I will probably remember that when using the service, but it is a difficult user eduction issue, granted. It would help a lot if things like Petname Tool take off.