Slashdot Mirror

← Back to Stories (view on slashdot.org)

MySpace Joins OpenID Coalition

Posted by timothy on from the inflection-point-perhaps dept.

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

5 of 272 comments (clear)

  1. Problem by Rinisari · · Score: 4, Interesting

    A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

    --
    Colin Dean Go a year without DRM
  2. Re:Defeat the purpose? by maxume · · Score: 5, Interesting

    You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

    For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

    --
    Nerd rage is the funniest rage.
  3. Re:Defeat the purpose? by Chyeld · · Score: 5, Interesting

    It doesn't. And you aren't.

    Implemented properly, OpenID works thusly:

    You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truely "JimBob" of "random URL".

    The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does it's jig and passes back the results.

    The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'offical' authenticator for "JimBob" of "random URL".

    This provides you ultimate control, and you aren't passing anything to anyone that you haven't choosen to trust.

    The problem is, at least for me, is almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers setup as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.

  4. A Major Advantage You're Missing by floateyedumpi · · Score: 5, Interesting

    All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

    With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

  5. Re:Anonymous SSO? by 0xygen · · Score: 3, Interesting

    I would really like there to be different levels of how "signed-in" you are, and me be able to set on the site how "signed-in" I must be for the account to be accepted.

    For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.

    My password might be needed for "level 2" allowing my into my webmail.

    A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.

    With the current state of affairs though, I think we can but dream...