Slashdot Mirror


MySpace Joins OpenID Coalition

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

4 of 272 comments

  1. Re:Anonymous SSO? by thrillseeker · Score: 5, Informative

    The openid protocol allows you to limit the information given to the system you're logging into to a minimum of "authenticated" - that is, no additional information such as a (verified) email address is passed, though one is still required for an openid account establishment. It's up to the requesting system whether that minimal information is sufficient. Of course, your IP address can still be captured unless you use an anonymizing proxy.

  2. Re:Problem by Anonymous Coward · Score: 5, Informative

    So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.

  3. Re:OpenID? by phoenix.bam! · Score: 5, Informative

    I don't think you understand how openid works. The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore cannot access anything on other sites which you use that openid account for.

  4. Re:One Password to Rob Them All by Jellybob · Score: 4, Informative

    Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

    Maybe you should try reading the spec then, since that's exactly what it's designed to do.

    The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirected to your provider's site, where:

    1) If you don't already have a session open, you login, and then go to 2.

    2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).

    This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.

    If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
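The flow described in comments 3 and 4 (password only ever reaches the provider; the relying party receives a signed assertion it can verify), as an added illustration that is not part of the Slashdot discussion or any OpenID library. It assumes an OpenID 2.0-style association in which the provider and relying party already share an HMAC key (established over TLS), uses constructed user data and placeholder example.* URLs, and simplifies the key-value signing form.

```python
import hashlib, hmac, secrets, time

# Constructed sample user store: the provider holds only a password hash,
# and the relying party (3rd-party site) never sees any of this.
PROVIDER_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def kv_form(fields, signed):
    # OpenID 2.0 key-value form over the signed fields, "openid." prefix stripped
    return "".join(f"{k[7:]}:{fields[k]}\n" for k in signed)

class Provider:
    """The user's OpenID provider: the only party that sees the password."""
    def __init__(self):
        self.assocs = {}                       # assoc_handle -> shared MAC key
    def associate(self):                       # association step (assumed over TLS)
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key
    def checkid(self, user, password, claimed_id, return_to, handle):
        if PROVIDER_USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return None                        # login failed: no assertion is issued
        fields = {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
                  "openid.return_to": return_to, "openid.assoc_handle": handle,
                  "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                           + secrets.token_hex(4)}
        signed = sorted(fields)                # names of the fields covered by the signature
        sig = hmac.new(self.assocs[handle], kv_form(fields, signed).encode(),
                       hashlib.sha256).hexdigest()
        return {**fields, "openid.signed": ",".join(signed), "openid.sig": sig}

class RelyingParty:
    """The 3rd-party site: receives only a signed assertion, never credentials."""
    def __init__(self, provider, return_to):
        self.return_to, self.seen_nonces = return_to, set()
        self.handle, self.mac_key = provider.associate()
    def verify(self, resp):
        """Return the asserted claimed_id, or None if the assertion is not acceptable."""
        if resp is None or resp.get("openid.return_to") != self.return_to:
            return None                        # not addressed to this site
        if resp.get("openid.assoc_handle") != self.handle:
            return None                        # unknown association
        signed = resp["openid.signed"].split(",")
        expected = hmac.new(self.mac_key, kv_form(resp, signed).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["openid.sig"]):
            return None                        # forged or tampered assertion
        if resp["openid.response_nonce"] in self.seen_nonces:
            return None                        # replayed assertion
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"]
```

A relying party that forgets the nonce check or compares the MAC with `==` accepts replays and leaks timing, which is the kind of detail to look for when reviewing an OpenID consumer implementation.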