Linked by Kroc Camen on Fri 2nd Oct 2009 19:42 UTC
OSNews, Generic OSes

Our identities online are becoming ever more valuable to the companies that we entrust them to. What happens, though, when a company just ups and closes shop (Pownce, for example) and deletes your stuff? Sure, you'll have the individual files on your computer anyway, so you won't have lost anything as far as bits and bytes are concerned, but what about the friendships you've built up with people you know only through the service? Your data should be portable so that you can take it to any service and not lose the relationships you've built up in one walled garden when it collapses, or when you decide to move on. OpenID tries to solve this brand-centric problem by placing you at the centre of your data and allowing the sites you trust access through a single sign-on. OSNews is contemplating implementing OpenID and would like your feedback, but there are a few questions to consider; please read on for details.

Jonix
Member since:
2007-02-14

I prefer using OpenID on the sites that use it for log-in, though there aren't that many sites that use it for now; I hope the snowball is starting to roll faster and faster.

There has been much discussion about the relative (in)security of using OpenID: if your OpenID has been compromised (with a single pass-phrase), all the sites you attached your OpenID to are wide open to the cracker.

However, osnews.com is not a mission-critical site with bank account info, etc. There would be no need for great security concern, but there is a beautiful solution to the above-mentioned insecurity.

This security issue is solved beautifully with the cheap Open Source/hardware Yubikey USB dongle (www.yubico.com). With the Yubikey, every press of the button generates a unique one-time-token password (64 chars long), which is authenticated with servers back at Yubico.

OpenID combined with Yubikey gives a much higher degree of security, than ordinary logins on several levels.
1) One time token pass-phrase, instead of similar/same password for all different website logins.
2) A standardized (open source) implementation, instead of yet another "homegrown" login system with potential security vulnerabilities such as SQL injection, cross-site scripting, and so on and so forth.

Implementing OpenID log-ins with Yubikey is no different than without; the OpenID login implementor does not even need to know how the person authenticates.

I am proposing this, since I am lazy and just want to use my Yubikey USB device to log-in to as many sites as possible.

In my humble opinion there is no real need to act as an OpenID provider, as people who use OpenID got it from somewhere else, perhaps a site that is exclusively an OpenID provider. But if you choose to also be an OpenID provider (not a bad idea), consider also implementing Yubikey support for logins.

So pretty please with sugar on top, please incorporate OpenID logins.

Reply Score: 1
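The comment above says the one-time token is "authenticated with servers back at Yubico" but not what the site on the other end has to check. As an added example (not from the comment and not Yubico's own client code), here is the relying-party-side check of a validation reply: the HMAC-SHA1 signature in the `h=` line is recomputed over the other parameters with the shared API key, and the `otp` and `nonce` values must echo what the site sent, so a forged or replayed reply is rejected. The API key, OTP string and nonce below are constructed placeholders, and `build_sample_response` only exists to fabricate a reply for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed placeholders (not real credentials or a real token).
API_KEY_B64 = base64.b64encode(b"constructed-key-1234").decode()
SAMPLE_OTP = "cccccccccccc" + "rlgtjrcnvikjhdtgfhgnefihtjbcdhul"  # constructed 44-char modhex
SAMPLE_NONCE = "abcdef0123456789abcdef"  # constructed; one fresh value per request


def sign_params(api_key_b64: str, params: dict) -> str:
    """Base64(HMAC-SHA1(key, 'k=v' pairs sorted by key, joined by '&', 'h' excluded))."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def parse_response(body: str) -> dict:
    """Split a 'key=value' per line reply into a dict (first '=' separates key and value)."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            params[k] = v
    return params


def verify_response(api_key_b64: str, body: str, sent_otp: str, sent_nonce: str) -> bool:
    """Accept the reply only if its signature is valid, it echoes our otp and nonce, and status is OK."""
    p = parse_response(body)
    if "h" not in p or not hmac.compare_digest(p["h"], sign_params(api_key_b64, p)):
        return False  # tampered, forged, or signed with a different key
    if p.get("otp") != sent_otp or p.get("nonce") != sent_nonce:
        return False  # a valid reply for some other request must not be reused
    return p.get("status") == "OK"


def build_sample_response(api_key_b64: str, otp: str, nonce: str, status: str) -> str:
    """Fabricate a signed reply for the demonstration (the real reply comes from the validation server)."""
    params = {"t": "2009-10-02T19:42:00Z0123", "otp": otp, "nonce": nonce, "sl": "100", "status": status}
    params["h"] = sign_params(api_key_b64, params)
    return "\n".join(f"{k}={v}" for k, v in params.items()) + "\n"


if __name__ == "__main__":
    reply = build_sample_response(API_KEY_B64, SAMPLE_OTP, SAMPLE_NONCE, "OK")
    print("accepted" if verify_response(API_KEY_B64, reply, SAMPLE_OTP, SAMPLE_NONCE) else "rejected")
```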