'Open MS Passport': MyUID Goes Beta

mastergoon writes "MyUID, which has been refered to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."

Problems

[pirodude]

From the TOS:

MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.

All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.

--------------

The problems with sites like this is you don't know behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even to themselves) they're not going to see my business.

Wrong idea?

[Wrexs0ul]

I thought the whole problem with a centralized user system was exactly that it was a centralized user system. Doesn't matter who runs the ID server or how little information is stored on there; as soon as a centralized system exists it's the biggest, baddest target for attack out there with the highest consequences if it's broken into.

Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?

-Matt

Re:Wrong idea?

[LostCluster]

Furthermore, having a common UserID opens the door for sites that have fragments of your personal info to merge the pieces together to get a more complete picture.

Re:Wrong idea?

[mandalayx]

you're right, there are problems. and you have only hit on a few of them.

but realize that there is value for some folks in having a "universal" id system. why do you think that your SSN in the US is used so widely?

again, there are many problems, but there exist benefits too.

Security?

[Ravenscall]

So, if I am reading the code right, it has basically no security whatsoever at this point. Wouldn't you want that in an alpha release?

Totally backwards

[torinth]

Why would I encourage users to aggregate all their personal data with some unknown startup?

The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.

If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.

And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.

No totally

[Wrexs0ul]

Assumedly at this point the dog hasn't learned how to run script kiddie php exploits, otherwise your statement is correct.

It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there meaning one lucky strike could potentially compromise every user on the system.

ouch.

-Matt

But, LDAP is standard

[freeduke]

Ok, here comes a new API for login?? What about LDAP, isn't it secure, reliable and efficient? So Why do people have to reinvent the wheel everytime? It would be far more constructive to think about a way to integrate and interface a huge Internet distributed LDAP structure, and have a clear standard to implement the way it works...

Every website could have a root server for it's zone, registering new users' LDAP root server for authentification. They could also be third party LDAP server provider: ISP could be part of it, because they have go the login/pass associated to your connection, and they are already running LDAP servers.

Good SPAM

Good for spamming: http://www.myuid.com/api/usercard.php?uid=1

Where's the security?

Markus Diersbock

Re:Are we sure this is for real?

[NanoGator]

"Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?"

Nobody's asking "what is it?"

Re:Flying solo?

[SpootFinallyRegister]

Declare standards? Looks a little more like a piece of software written without a specification, much less a plan. At this point, after going through the website and glancing at code, I have a hard time rating this at anything above the beginning of an idea. Learning by working on things is good. Punching out code that is supposed to be a standard without writing at least something down about it first is a disaster.

The "My" prefix

[chickenwing]

Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing. It seems to be some kind of conspiracy by marketing people to force us all to use baby-talk to do anything with a computer.

Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.

I can't even begin to understand what "MySQL" is supposed to mean.

It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.

What is this?

[binkzz]

It's nothing more than a day's work. There is nothing to speak of, the passwords aren't stored encrypted and no intelligent thought seems to have been put into it. As someone else already mentioned, anyone can take the entire user database with personal information from the site (everything except the password). If I were to run a site using the MyUID, I could obtain users' MyUID passwords as they tried to log in on my site, giving full access to any user's account who logs in via my site. Outrageous!

Interestingly, it does say in the ToS:

MyUID will not give or sell your private account information or your password to anyone,

which seems a lie. But it goes on!

MyUID will supply any information we have about you to law enforcement officials if neccessary.

They'll rat on you even if not required by law. Yay!

In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.

... Wow..

The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.

Registered user #1 is mastergoon, so this is just blatent self-advertising on slashdot.