Our identities online are becoming ever more valuable to the companies that we entrust them to. What happens though when a company just ups and closes shop (Pownce, for example) and deletes your stuff? Sure, the individual files you’ll have on your computer anyway, you won’t have lost anything as far as bits and bytes are concerned–but what about friendships you’ve built up with people who you only know through the service. Your data should be portable so that you can take it to any service and not lose those relationships that you’ve built up in one walled-garden when it collapses, or you decide to move on. OpenID tries to solve this brand-centric problem by placing you at the centre of your data and allowing the sites you trust access through a single sign-on. OSnews is contemplating implementing OpenID and would like your feedback, but there are a few questions to consider–please read on for details
- 1. Do you already have an OpenID account?
- As a technical audience I generally expect you to know implicitly if you have an OpenID account somewhere. Many of the accounts with other sites you have also operate as OpenID addresses too—such as Google accounts, Yahoo accounts, MySpace, Facebook and more.
- 2. Do you make use of your OpenID account?
- OpenID sign-ons are beginning to appear on more and more sites. Since I’ve become averse to registering yet-one-more-account, I’m open to the idea of sites offering an OpenID sign on.
- 3. Would you welcome OSnews offering an OpenID login option?
- OSnews—being yet one more account—has its fair share of readers who follow the site but do not register. Maybe, offering OpenID would encourage more people to join in the discussions if they didn’t have to go through the rigmarole of registering yet-one-more-account. There has been much complaint about the interface of OpenID being less than smooth (having to navigate through another site to login / overly-complicated login forms with millions buttons for different providers); would OpenID logins on OSnews be a feature you would find advantageous?
- 4. Should OSnews be an OpenID provider?
- You can get an OpenID just about anywhere. Do you think OSnews should also be an OpenID provider, so that your OSnews account would let you sign in on other websites with your own OSnews OpenID address such as ‘id.osnews.com/kroc’ or somesuch. Would you see a need for that, or welcome such a feature?
- 5. Is owning your own identity important to you?
- With most of us leasing our identities out to large data silos elsewhere, does it really matter all that much that you have a single sign-on, or central ‘identity’. Do you fly by night, and prefer having segregated accounts for each kind of activity and location on the Internet you work?
- 6. What should OSnews let you do with your data?
- It’s your text in our database, what should you be allowed to do with it? What about issues of abuse and moderation? How should your account be managed and what controls should you (and others) have? Where should the line be drawn between what is fair and what is required? All very tough questions!
And of course, ‘none of the above’! Do you think it’s a waste of time and you’re quite happy with traditional registration and login? Please weigh in in the comments, thanks.
I use OpenID sometimes, not always, but yes, I do.
I find it quite good, as you can login anywhere with just one account (URL) and a password, but I find many flaws in the actual OpenID, such as, as you stated, the need to change pages to login.
Sure, it’s not much for high-speed Internet users, but those viewers in netbooks, or mobile devices, with a may-be limited connection would suffer.
I’d find a good thing that a little pop-up spawns and asks you the URL and password, very minimal, like with simple Javascript.
But, also, not many people use this system, or even know it exists, so the progress would be a bit harder.
They are working on improving the experience: http://openid.net/2009/09/25/more-powerful-and-easier-to-use/ you can now create a browser pop-up to do a login. Personally, I would have preferred an iframe as actual browser pop-ups is just asking for all sorts of support-issues with various browsers.
I’ve noticed that browsers can fill in saved passwords into invisible fields, so it’s even possible to create a single-click login button (if you’ve told the browser to remember your password before); OpenID would hinder this, yaddayaddayah.
I want Google Wave comments!
That would be the best UX.
You don’t mind phishing then? (equal complaints for pop-ups)
The main difference between using a popup window and an iframe from a phishing perspective is that the popup displays the URL bar whereas the iframe does not include any of the browser’s chrome.
Except where it doesn’t.
The point is to not let the site you’re logging in to have your identity information. The parent JS security context has full access to the child iframe’s JS security context, meaning the site asking for your OpenID credentials could then steal them from you.
1. Do you already have an OpenID account?
Yes.
2. Do you make use of your OpenID account?
I use it whenever I can whenever a site offers it.
3. Would you welcome OSnews offering an OpenID login option?
Yes, it would be great.
4. Should OSnews be an OpenID provider?
I wouldn’t make use of this, I use Verisign for my OpenID provider.
5. Is owning your own identity important to you?
I like the ability to log in to a site safely and automatically in the background instead of bringing up my password safe constantly.
6. What should OSnews let you do with your data?
It seems like anything you would normally be able to do with your account you should be able to do with OpenID.
I like OpenID because it’s a great step toward secure token authentication. Verisign, and I’m sure others, offers security token login for your OpenID account.
1. Yes
2. Not much.
3. I don’t care. I already have an OSNews account.
4. No. There are already enough providers.
5. I don’t use much an OpenID, and I don’t think it’s worth the implementations and the risk should it be compromised.
6. The web is public. If I choose to publish some blog, comment or something to the public, then the right thing would be that it remains as I published it. Tying what I said to a digital identity so it can be processed and a profile be made for sharing with marketing companies is not ok. As for the question, I think it’s more interesting if it’s rephrased as “What should OSNews *do* with your data?”. And the answer is simple: do nothing.
And yes, it’s a waste of time and effort. OpenID and single sign-on are all crap. Oh, how I miss the old internet with no flash, almost no ads, no webapps, pure and plain HTML 4 and CGIs. I’m getting old.
OpenID is a great way reduce the number of accounts on the internet and thus reduce the number of passwords.
OpenID is easy to use, requires no extra tools and a great many people already have an OpenID identity (even if they don’t know).
But OpenID is not the only solution. I applaud the initiative to move towards Identity 2.0 facilities, you might as well think about implementing Information Card login too. A pity that noone even knows about it, pity that Microsoft failed in distributing the necessary tool (CardSpace in Vista), but it is an even more sophosticated facility.
So OpenID: yes, by all means, but enable the use of Information Card too.
Information Cards are the single most revolutionary idea in online identity management that the world has seen, and it is not an understatement to say that nobody knows what it is. It’s an open standard, but I know of no alternative browsers that support a non-Microsoft implementation. I ran Microsoft’s for a while just hoping to, even once, be prompted for an InfoCard, but I never was and it’s a WPF application so it uses a few hundred megabytes of RAM just sitting in the background, so I eventually uninstalled it.
http://en.wikipedia.org/wiki/Information_Card
“Patent promises have been issued by Microsoft, IBM, and others, ensuring that this Information Card technology is freely available to all.”
I installed Bandit’s Digitalme on Ubuntu, using firefox as browser with the bandit identity selector. And it seemed to work, I even demoed it to a small crowd of security experts.
Switching distribution is not the best way to keep all functionality, so I never got to install digitalme om my current Mandriva and Arch, but I am convinced of the power of infomation card.
It has a few problems, but the openinfocard Identity
Selector addon for Firefox mostly works. I’ve used it
on Linux and FreeBSD.
https://addons.mozilla.org/en-US/firefox/addon/10292
Anyone interested in an open source licensed implementation of Information Cards might take a look at the new release of DACS, which includes demonstrations.
http://dacs.dss.ca
1. Yes
2. Yes
3. Yes, don’t forget to allow for multiple OpenID accounts per user, nothing worse than having a single OpenID attached with that provider going bust
4. Possibly, it cannot hurt but it should come after you can ingest our external OpenIDs. id.osnews.com/kroc is rather long though, maybe osnews.com/~kroc ?
5. Incredibly
6. Everything? Purge it. Option to remove email address if we attach an OpenID. Option to hide all information from public. etc
(account renaming (once, maybe?) would be handy too, as long as you keep old accounts reserved and redirected to new)
1. Do you already have an OpenID account?
No, unless my Google account counts.
2. Do you make use of your OpenID account?
NA
3. Would you welcome OSnews offering an OpenID login option?
It’s irrelevant to me since I autologin.
4. Should OSnews be an OpenID provider?
I don’t care.
5. Is owning your own identity important to you?
Yes, but I’m not sure how OpenID helps with this.
6. What should OSnews let you do with your data?
What data?
I don’t like the OpenID concept because I prefer to use a different password at each site. It seems insecure to me to only have one login which could be used everywhere. I use KeePass to manage my passwords and I probably have almost 100 passwords that I don’t even know because they are long random strings. KeePass memorizes them for me.
I’m getting off-topic here, but one thing that really annoys me about a lot of websites is the restrictions they place on passwords. I should be able to use 200 character passwords with high-ASCII characters in them and spaces and all punctuation. I can do that with KeePass, but few sites permit me to. They make me only use alphanumeric 12-letter passwords way too often.
Edited 2009-10-02 22:23 UTC
3. Would you welcome OSnews offering an OpenID login option?
Yes please. And then please write an article telling us about issues you encountered while implementing it.
1. YES
2. YES. Wherever possible
3. YES. That would be awesome
4. Please, NO. There’s already a lot of providers. I always feel like that lot of providers just spoil the whole idea. I already have both Google and Y! OpenIDs. I try to use just my Google ID. Multiple accounts mean multiple passwords and we will end up in the same situation as now.
5. YES.
6. You guys could provide options (in account preferences) for those data. This is one area where lot of people won’t argree.
On top of these, I would like to link my current data with OpenID. Without this, I would end up with two accounts in OSnews which is not good.
Thanks.
1. Do you already have an OpenID account?
I don’t.
2. Do you make use of your OpenID account?
n/a
3. Would you welcome OSnews offering an OpenID login option?
Sure. I’m sure a lot of visitors would like it.
4. Should OSnews be an OpenID provider?
need: no. welcome: yes
5. Is owning your own identity important to you?
Because of my paranoid nature I actually prefer having segregated accounts for each kind of activity and location on the Internet. Besides, Lastpass solves a lot of problems for me.
6. What should OSnews let you do with your data?
It’s the internet; I don’t really believe I own my comments. I ‘donate’ them to the internet, for everyone to see, even though they’re generally quite useless. People who use their real name and such might think otherwise about their comments though.
I have several OpenID accounts, mostly I use my Google one.
I don’t think OSNews should be an openid provider… if every site is a provider we’re little better off than a world without OpenID.
I would only prefer a site-specific ID to an OpenID account if it gave me some kind of cred–like a low slashdot UID, it’s meaningless but important.
As for the cumbersome nature of openID login… I wouldn’t worry about that. It’s only a little more irritating and a lot less of a bother than remembering Yet Another Username and Password.
I have an openid account running off my domain, I use it wherever it is accepted.
I just registered with osnews so I could say I would only register with osnews if you had openID
Thanks for the effort, that helps
Yes, I joined too just to say that I would have joined a long time ago if OpenID is supported. Now that I have registered though, I don’t have any use for it. This whole poll is extremely biased, because the only people who can comment are the people who are okay with creating yet another internet account. So, please, support OpenID!
Be sure that you are willing to deal with the pain. Many people will login with their Google OpenID account, and then realize that they have multiple google accounts (one for work, one for home, maybe multiple blogger sites). The complexity of allowing users to have multiple openids associated with their one OSNews account are easy to underestimate, imo.
Honestly, I hate openid because of issues like that. But its a reasonable option for the people who don’t have such issues (mostly MyOpenID users).
If it ain’t broke.. but at least leave the traditional login alone.
OpenID is a single point of failure. Lose that, lose everything.
I don’t want future employers scanning my osnews comments, finding out about my irrational hatred of ADA.
Anti Dentite!
I have openid accounts with multiple different sites I dont remember and I dont know what they do
1. Do you already have an OpenID account?
Yes.
2. Do you make use of your OpenID account?
No.
3. Would you welcome OSnews offering an OpenID login option?
Yes. Those who have it may use it…
4. Should OSnews be an OpenID provider?
No. I don’t see any usefull in OpenID, while it will inflict some server2server traffic and some security risks, so I would prefer no OpenID here, as far as there’s so many providers…
5. Is owning your own identity important to you?
Never needed it.
6. What should OSnews let you do with your data?
Nothing. OpenID owner should tune up everything at OpenID provider.
I prefer using OpenID on the sites that uses that for log-in, though there isn’t that many sites that uses it for now, I hope the snowball is starting to roll faster and faster.
There has been much discussion about the relatively (in)security about using OpenID, if your OpenID has been compromised (with a single pass-phrase), all the the sites you attached your OpenID to is wide open for the cracker.
However osnews.com is not a mission critical site, with bank account info, etc. There would be no need for great security concern, but there is a beautiful solution to above mentioned insecurity.
This security issue is solved beautifully with the cheap Open Source/hardware Yubikey USB dongle (www.yubico.com). With the Yubikey every press of the button generates a unique one-time-token password (64 chars long) which is authenticated with servers back at Yubico.
OpenID combined with Yubikey gives a much higher degree of security, than ordinary logins on several levels.
1) One time token pass-phrase, instead of similar/same password for all different website logins.
2) A standardized (open source) implementation, instead of a yet a new “homegrown” login system with potential security vulnerabilities such as SQL injection, site cross-scripting, and so on and so forth.
Implementing OpenID log-ins with Yubikey is no different than without, the OpenID login implementor does not need even know how the person authenticates
I am proposing this, since I am lazy and just want to use my Yubikey USB device to log-in to as many sites as possible.
In my humble opinion there is no real need to act as a OpenID provider as people who uses OpenID got it from somewhere else, perhaps a site that is exclusively a OpenID provider. But if you choose to to also be a OpenID provider (not a bad idea) consider also implement Yubikey support for logins
So pretty please with sugar on top, please incorporate OpenID logins.
Do incorporate openid login.
osnews is not “mission critical” site (for end users anyway), so it often ends up with the crap password you tend to use on bulk sites on the internet. OpenID would thus increase security as you can easily use your “high value” password for that.
I don’t see the point in making osnews an openid provider, as osnews is a minor player with no financial liabilities. The crew could basically go (more?) insane and start abusing the openid accounts for fun and profit. Let’s leave OpenID hosting for big dogs (or pseudo-big ones – my OID is at Launchpad).
I can never remember my OSnews login and password, so using my OpenID (Myspace or Facebook, I didn’t know Facebook was one too?) would be good. I currently just use Opera Link to remember my password for all my machines.
I’m not sure OSnews should be an OpenID provider, but it should accept OpenID as a login.
1., 2., 3. : Yes
4.: No point. Those likely to use openid with OSNews already have an account.
5.: Single signon is ideal for non-critical data/sites like this one.
6: Nothing.
For those that know and want to use OpenID I think it would be in improvement. The more sites use it, the more useful it becomes and hopefully it also improves how easy it’s to implement.
I’ve actually bought a domain for me to implement it with, maybe some family and friends also might want to use it.
I looked at how easy it is to implement it using an existing library and I can say, it takes longer then a day and I’ve not had any time after that.
1. Do you already have an OpenID account?
Yes. As noted, most of us have one.
2. Do you make use of your OpenID account?
So far, rarely.
3. Would you welcome OSnews offering an OpenID login option?
In spite of the noted busy login box and the clumsiness of switching websites, yes.
4. Should OSnews be an OpenID provider?
I assume it’d be as good as any, so why preclude it?
5. Is owning your own identity important to you?
I prefer to use separate identities for use into different realms of my life. Tech/sport/perso/business etc.
“Fly by night” has a nasty ring to it. It’s simply a matter of privacy.
Why the question? I can’t see how this would impact OSnews’ handling of OpenID.
6. What should OSnews let you do with your data?
Modify, delete. Maybe record the login history for the id owner’s eyes only, as a service.
Let the owner opt in for use of demographics by OSnews itself, if desired.
1. Do you already have an OpenID account?
No. I probably would not get one just for OSNews, or for any one or two other web sites I frequent.
2. Do you make use of your OpenID account?
No (see above)
3. Would you welcome OSnews offering an OpenID login option?
Sure. I presume I wouldn’t be required to use it.
4. Should OSnews be an OpenID provider?
Makes no difference to me.
5. Is owning your own identity important to you?
I think it’s too late for that
6. What should OSnews let you do with your data?
I don’t claim it. I try not to put anything I don’t want to lose, or potentially be broadcast to the world, on any public web site.
=========================================
I’m not familiar with OpenID. I see pluses (single sign-on) and minuses (security; one site’s breach turns into potential takeover of your “identity”). In any case, if it is much trouble to use, I won’t use it, and if it is much trouble to support, I wouldn’t blame the OSNews staff for giving it a pass.
No, it does not – unless the site taken over is the openid provider.
OpenID has the advantage that only one site needs to have high security. This won’t metter if you use different password on all sites, but then you are bigger man than most…
Instead of just OpenID you could consider using RPX combines many different login systems and is very easy to integrate into the website:
https://rpxnow.com/
I absolutely do not want to promote brand-based logins. These are a detriment to the web, and only helps over-complicate the login process by adding more and more buttons as brands want to get in on the space.
When we do OpenID, it will be a single text box and you will be expected to know your OpenID URI regardless of who it comes from. None of these companies will pay us to push their brands for them, so I ain’t doing it.
1. Do you already have an OpenID account?
yes
2. Do you make use of your OpenID account?
when i can
3. Would you welcome OSnews offering an OpenID login sure
4. Should OSnews be an OpenID provider?
that’s your call
5. Is owning your own identity important to you?
sure is.
6. What should OSnews let you do with your data?
it would be nice to be able to export the information and relationships say in xml
1 Yes
2 Yes
3 Yes (choice is great :-))
4 Wouldn’t hurt, but no show stopper
5 Depends on the application
6 Just another account, just include the “forget everything about me” option
1. Do you already have an OpenID account?
I used to have a videntidy OpenID, but that site went down long ago. Nowadays I use yahoo
2. Do you make use of your OpenID account?
sometimes
3. Would you welcome OSnews offering an OpenID login option?
yeah
4. Should OSnews be an OpenID provider?
yeah, i think OSnews will stay online, so I doubt I would run the risk I had with videntity.
5. Is owning your own identity important to you?
yeah
6. What should OSnews let you do with your data?
nothing unless i want you want to
Yes, do it.
Don’t be a provider – there are many already.
*But* I would assert that it is essential that you offer the ability to associate an existing account with an OpenID.
This core function is too rarely available & leads to me having multiple accounts available on several sites, such as Blogger.
1. Do you already have an OpenID account?
Yes
2. Do you make use of your OpenID account?
Yes
3. Would you welcome OSnews offering an OpenID login option?
Very much so. While I’ve been following OSnews for years, I created my account very recently and was very disappointed that you don’t already support OpenID.
4. Should OSnews be an OpenID provider?
No particular need.
5. Is owning your own identity important to you?
That would be nice too. I mostly just hate the password sprawl.
6. What should OSnews let you do with your data?
No opinion.