Comments on: The Killer App for OpenID

By: Killer App for OpenID « OpenID with Strong Authentication

Killer App for OpenID « OpenID with Strong Authentication — Sun, 17 Feb 2008 23:49:46 +0000

[...] social networking by stevepepple on February 17th, 2008 There’s an interesting discussion on Mark Evan’s blog about the potential of a killer application for OpenID: One of the biggest challenges facing [...]

By: steve pepple

steve pepple — Sun, 17 Feb 2008 23:37:28 +0000

Ken makes a good point that if a central OpenID username/password is compromised to an attacker, the attacker gain access to all of that user's accounts. The team I work with has been working to solve this problem. Our implementation of OpenID binds a users openID to a security device, like a smart card or USB token, TrustBearer OpenID. So this removes the need for username/password altogether and improves account security.

By: Mark Evans

Mark Evans — Sat, 16 Feb 2008 11:51:05 +0000

Aswath,

I’ll check out OAuth. Thanks, Mark

By: ProjectX Blog » Blog Archive » Digest - Xlinks 16/2/08

ProjectX Blog » Blog Archive » Digest - Xlinks 16/2/08 — Sat, 16 Feb 2008 00:03:18 +0000

[...] The Killer App for Open Id Added on 02/16/2008 at 12:48PM The Killer App for Open Id [...]

By: Aswath Rao

Aswath Rao — Fri, 15 Feb 2008 23:43:24 +0000

For the application you are thinking of, what we should consider is OAuth (oauth.net) and not OpenID. Even though OpenID allows one to have a single “username” and “password” across multiple sites, you end up sharing the credential information potentially compromising security. On the other hand OAuth allows a user to get a more restrictive permission token from the contributing site and pass it on to the consuming site. The restriction could be on the scope of access and/or duration of validity etc. Additionally, use of OAuth does not require use of OpenID and so can be used immediately. You can read an explanation of OAuth from users’ perspective at http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html

By: Mark Evans

Mark Evans — Fri, 15 Feb 2008 17:24:06 +0000

Guy:

Glad you like the idea.

To be honest, OpenID continues to struggle partly because it’s not even offered as an option many places, although that may be changing as companies such as Yahoo get on board. If people get exposed to it, try it and use it, then there will be a bigger community that can, hopefully, improve OpenID.

By: Guy Goldstein (PageOnce)

Guy Goldstein (PageOnce) — Fri, 15 Feb 2008 17:18:22 +0000

Integrating the OpenID to PageOnce is a great idea.
And adding a way to view your information for websites which support OpenID authentication instead of username and password is on our roadmap

By: Mark Evans

Mark Evans — Fri, 15 Feb 2008 15:30:28 +0000

Darren:

Guilty as charged! Good points on both fronts.

Mark

By: Darren Barefoot

Darren Barefoot — Fri, 15 Feb 2008 15:20:42 +0000

You make an assumption in the first paragraph–”most people don’t see it as a huge issue”–that needs more attention. First, have you got any proof?

More importantly, even if people don’t perceive it as a ‘huge issue’, that doesn’t meant that it’s not a problem worth solving.

By: Ken Dyck

Ken Dyck — Fri, 15 Feb 2008 13:17:36 +0000

It seems to me that OpenID suffers from even greater security risks than PageOnce does. Once somebody cracks your OpenID password, they have access to every website that supports it, even ones that you might have never visited.