Slashdot Mirror

← Back to Stories (view on slashdot.org)

MySpace Joins OpenID Coalition

Posted by timothy on from the inflection-point-perhaps dept.

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."

25 of 272 comments (clear)

  1. Defeat the purpose? by kgwilliam · · Score: 5, Insightful

    "Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sortof defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?

    1. Re:Defeat the purpose? by CastrTroy · · Score: 5, Insightful

      What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Defeat the purpose? by Wolfger · · Score: 5, Insightful

      Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.

      --
      Nothing to see here. Move along.
    3. Re:Defeat the purpose? by maxume · · Score: 5, Interesting

      You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

      For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

      --
      Nerd rage is the funniest rage.
    4. Re:Defeat the purpose? by Chyeld · · Score: 5, Interesting

      It doesn't. And you aren't.

      Implemented properly, OpenID works thusly:

      You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truely "JimBob" of "random URL".

      The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does it's jig and passes back the results.

      The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'offical' authenticator for "JimBob" of "random URL".

      This provides you ultimate control, and you aren't passing anything to anyone that you haven't choosen to trust.

      The problem is, at least for me, is almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers setup as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.

    5. Re:Defeat the purpose? by ohtani · · Score: 3, Informative

      You completely misunderstood the article and the concept of OpenID.

      The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

      OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication for (e.g., MySpace) allows you to login to other sites which support OpenID as a method of authentication. So if I had a user account on MySpace named ohtani, I would login to another site as www.myspace.com/ohtani. I am then redirected to the MySpace website to login if I am not already logged in, and asked to accept that MySpace can pass on the credentials to the site I'm logging in to. That link is then established and the OpenID supporting site marks me as authenticated as the MySpace user.

      This is where it gets tricky for places like MySpace: Say I used Yahoo! as an OpenID provider. Or even my own website (which currently does indeed allow me to login with OpenID elsewhere). MySpace can't exactly have a user like me login to their service as my website and edit my profile. They have to have some form of a mechanism of creating the user at that point if that OpenID name has never been seen. But the user name used (the OpenID URI) is, well, odd for MySpace. So they'd probably ask one to choose a MySpace user name that would map to it. From there, MySpace would allow one to login to that account any time that OpenID is used for authentication. At least that's PROBABLY what will happen. Not all sites work like this. For example, LiveJournal (created by the very people who helped make OpenID) lets one login with an OpenID, but an account with that OpenID is then created with limited functionality. Friends and comments are allowed, but no posting to your own journal.

      OpenID support doesn't require you to "create" an OpenID to use it. Your existing user ID on an OpenID provider IS your OpenID. Any site that becomes an OpenID provider is simply allowing you to use an OpenID name they specify to you (often in the form of username.domain.tld or domain.tld/username) to log in elsewhere. You do nothing but just use it elsewhere. There are popular sites supporting OpenID. There's also plug-ins for blogging software to support being an OpenID provider or consumer.

      On a different note, with OpenID becoming more and more popular, this will mean that we DO have to be careful and come up with a mechanism for anti-spam via OpenID, especially in cases where the system is more automated like LiveJournal's. Or else a spammer could simply have one domain and with that domain an infinite number of users able to login by simply changing the OpenID slightly (e.g.: a.example.com, b.example.com, c.example.com, aa.example.com, etc)

      --
      Pancakes. Oh I blew it.
    6. Re:Defeat the purpose? by Chyeld · · Score: 3, Informative

      Actually no.

      You do tell them you are "JimBob". More than one person may rely on "random URL" for their ID, similar to "JimBob" of Yahoo.com

      You are not asserting that you have control over anything, if you do it properly then you should have control over "random URL" to the point where you can change who is providing the authentication, but it is not necessary for the schematic. Otherwise Yahoo et. al. would not be providers.

      I suggest glancing over the specs for authentication:Version 2 or Version 1 for clarity.

  2. Blah Blah Blah... by anom · · Score: 5, Insightful

    Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.

  3. Mixed up Facebook and Myspace in TFS by LighterShadeOfBlack · · Score: 4, Insightful

    Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

    No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

    Jesus fucking Christ, is proof-reading really that hard?

    --
    Spelling mistakes, grammatical errors, and stupid comments are intentional.
    1. Re:Mixed up Facebook and Myspace in TFS by LighterShadeOfBlack · · Score: 5, Funny

      ...pointing out that...

      Wow, proof-reading really is that hard.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    2. Re:Mixed up Facebook and Myspace in TFS by jc42 · · Score: 4, Funny

      You just got bit by what's being called "Muphry's Law. Briefly, it says that any time you write a criticism of someone's spelling or grammar, what you write will inevitably contain a spelling or grammatical error.

      The law has had other names, but people seem to like the idea of giving it a name that's a mispelling of the famous Murphy's Law.

      (And note my two mispellings in this post. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  4. Problem by Rinisari · · Score: 4, Interesting

    A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

    --
    Colin Dean Go a year without DRM
    1. Re:Problem by TheRedSeven · · Score: 3, Insightful

      An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

      Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

      For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.

    2. Re:Problem by Anonymous Coward · · Score: 5, Informative

      So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.

    3. Re:Problem by Jellybob · · Score: 3, Insightful

      I know MyOpenID support using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

  5. Is 1 ID really wise? Single point of failure? by SpecialAgentXXX · · Score: 3, Insightful

    Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

    Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There are free user ID/password management software so you don't have to memorize every ID and password.

  6. Re:Anonymous SSO? by thrillseeker · · Score: 5, Informative

    The openid protocol allows you to limit the information given to the system you're logging into to a minimum of "authenticated" - that is, no additional; information such as a (verified) email address is passed, though one is still required for an openid account establishment. It's up to the requesting system whether that minimal information is sufficient. Of course, your IP address can still be captured unless you use an anonymizing proxy.

  7. Re:OpenID? by cathector · · Score: 3, Insightful

    > Who cares about a unified username/password "experience".

    fair enough, but i think for many users it would be cool to have a unified identities across several sites. ie, so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.

  8. Re:Microsoft Support by gbjbaanb · · Score: 4, Insightful

    They do, Passpoor or maybe its Windows Livid, or something like that I think its called :-)

    The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.

  9. A Major Advantage You're Missing by floateyedumpi · · Score: 5, Interesting

    All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's password easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

    With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

  10. Re:Anonymous SSO? by 0xygen · · Score: 3, Interesting

    I would really like there to be different levels of how "signed-in" you are, and me be able to set on the site how "signed-in" I must be for the account to be accepted.

    For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.

    My password might be needed for "level 2" allowing my into my webmail.

    A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.

    With the current state of affairs though, I think we can but dream...

  11. Re:OpenID? by phoenix.bam! · · Score: 5, Informative

    I don't think you understand how openid works. The only way to compromise all sites is for your openid provider to be compromised. You only provide 3rd party sites with a URL which points to your openid provider. You are forwarded to your openid provider (SSL cert verifies to you that the provider is legit.) You enter your credentials to the openid provider who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore can not access anything on other sites which you use that openid account for.

  12. Re:One Password to Rob Them All by Jellybob · · Score: 4, Informative

    Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

    Maybe you should try reading the spec then, since that's exactly what it's designed to do.

    The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirect to your provider's site, where:

    1) If you don't already have a session open, you login, and then go to 2.

    2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).

    This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.

    If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.

  13. Re:DO NOT WANT by Serious+Callers+Only · · Score: 4, Insightful

    And if only ONE of those websites is compromised, my login is now compromised across the board,

    Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your openid identity is if your openID provider was compromised.

    You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.

  14. Re:Web Monoculture by Sancho · · Score: 4, Insightful

    It's just a little different from that. Let's look at a couple of scenarios.

    Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
    This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.

    Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
    This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.

    Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the liklihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."

    Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.