Your Internet Driver's License

Others bring up an important failing of OpenID.

Since you like the driver’s license analogy: one thing California doesn’t do is go out of business and render it impossible for you to use that piece of authentication, nor do they suddenly change their terms of service and start charging you a monthly fee for having that authentication mechanism that you use for absolutely everything.

So all websites that use OpenID should have a redundant OpenID provider, or some sort of password. But that’s just about as lame as using a password program to manage all your website passwords, which then makes you say Why Bother!

I personally DO NOT WANT THIS. I don’t want all my internet accounts to be linked together. I don’t want to FB connect the world. I don’t want any random Googler to be able to procure a profile of me and my interests in a 2 second search. Internet is freedom only while it’s abercrombie anonymous.

Aaron Em: The card is only your username. You still have to enter the password. If you want to stay anonymous like Waoo suggests, don’t use it. I would like to use it for everything, I’m a big fan of SSO (And OpenId since it’s exactly the same concept)

You should go check out https://www.nemid.nu/om_nemid/about_nemid/ - there you have your Internet Driver’s License for Danish citizens. It’s the Danish government who have issued every Dane using online banking with a keycard which they are obliged to use whenever they need to get in contact with online services. For instance: Me and my wife moved recently and I used my NemID account to log in with the same user to various services and change our address, daycare options etc. That is one possible implementation of your vision I think - what is your opinion about NemID?

I’d prefer the authenticator method (like some games/banks are using). If you haven’t seen these then it’s a small device about the size of a USB stick which is paired with your online account.

You simply press a button to receive a random number which is effectively your password. This means that it’s almost impossible to guess or steal your password from a dodgy site as it changes every minute or so.

Armed with this and your email address gives a security level that I would be happy to log into many sites without the worry of my password being stolen.

I’m sure this could somehow be used to hide who you are as well. A service where it automatically creates a random account for you to use on login for a specific site so you can separate your activities and stop anyone data farming all your details from one logon id.

I’d happily pay a small fee for one of these devices for my online licence.

That is already the present in Denmark. At least for banking and contacting the authorities (including tax paper work and similar). The solution is far from good in my view but it is a secure solution with one set of credentials for multiple sites. Other websites (than financial institutions and governmental offices) could opt to use it but it’s not widespread (if spread at all)

My online identities are all only as secure as the email address I choose to associate them with, thanks to the ubiquity of the “forgot password” link.

Is it not then easy enough to create a form of secure login wherein a site will just ask for the email address you register with them then send a “login” button to that account, thereby combining the “single login” convenience of OpenID while offloading the security concerns to the user and his email account? Of course, not everybody has access to their email everywhere they would use such sites, but as an option to fit the OpenID’s goal of a single identity, would it not suffice?
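An added example, not part of the comment above: one way a site could implement the emailed "login" button so that the link cannot be forged, expires, and works only once. The token layout, the function names, the 10-minute lifetime and the in-memory nonce store are assumptions of this sketch; actually sending the email is left out.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing key (assumption)
TOKEN_TTL = 600                       # link lifetime in seconds (assumption)
_used_nonces = set()                  # stand-in for a server-side store

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_login_token(email, now=None):
    """Value to embed in the login link mailed to `email`."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL)
    nonce = secrets.token_urlsafe(16)
    payload = f"{email.lower()}|{expires}|{nonce}"
    return f"{payload}|{_sign(payload)}"

def redeem_login_token(token, now=None):
    """Return the email to log in as, or None if the link is not acceptable."""
    try:
        payload, sig = token.rsplit("|", 1)
        email, expires, nonce = payload.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return None                                   # malformed
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None                                   # forged or altered
    if (time.time() if now is None else now) > expires:
        return None                                   # link too old
    if nonce in _used_nonces:
        return None                                   # link already used
    _used_nonces.add(nonce)
    return email

if __name__ == "__main__":
    link_value = issue_login_token("user@example.com")   # constructed address
    print(redeem_login_token(link_value))   # user@example.com
    print(redeem_login_token(link_value))   # None: second click is refused
```

As the comment says, this moves the whole security burden onto the mailbox: anyone who can read the message before the link expires can log in.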

Although I use openID for SO, it’s the only site I use it for and I can’t see it ever achieving mass adoption

That’s ironic, considering the very comment you just left could have been through your OpenID.

So all websites that use OpenID should have a redundant OpenID provider, or some sort of password.

This also happens with email/pass – that’s why you have to set up “what was your first pet?” and “what’s your favorite movie” question on a lot of sites.

“Otherwise, you’re identified in some way or another. Heck, your IP address identifies you unless you’re paranoid enough to use TOR.”

Of course.

But there’s a difference between leaving an IP address, and leaving a link to your facebook profile as I am doing now. (Which is okay for this site, less cool for hornyasians.com)

There are 2 critical points to this that must be enforced no matter what is decided/done/implemented to resolve this question.

  1. CHOICE MUST REMAIN - Choice by the user as to which route to take must remain. The choice to either continue using multiple distinct IDs/accounts or to use some single account like Open ID.

  2. DECOUPLED PROFILES Between On line and Real World - The ability to separate your on line identity(s) from your real world ID (i.e. separating your website logins from your driver’s license and credit cards) must remain an option.

If some users want to connect the 2 so they are one that’s fine but IT MUST be a choice.

The fastest way to tyranny by an ever aggressive and power hungry government is to make it easier for them to associate your online activities with your real world ones and to control both thru licensing and restriction of said licensing.

The author may have used the term License to mean an associating of an ID and not an authorization to do something but you can bet your bottom dollar that a power hungry politician would love nothing more than to control your access to and what you can do on line.

Someone just referred me to this article on StackOverFlow.

I just want to say that this example is misleading. True, a debit card can be accessed anywhere in the world (such as open-id), but when you retrieve cash from Shanghai, China, that ATM is actually talking to my Bank here in the States. The cash will be charged TO MY BANK plus service charge. That ATM is simply giving me cash on behalf of my bank, that “acting on behalf” is what the service charge is for. The debit card itself identifies not only me/my bank (make sure we are valid, i.e., I don’t have an expired card and my bank is real), but more importantly, how to talk to my bank for transactions and charges.

In web terms, OpenID and OAuth, it’s not true at all. The content is local to the website, it’s not acting on behalf of my OpenID PROVIDER, NOR it’s talking to my OpenID provider for detailed transactions such as contents I read, stuff I did at a local website.

If ATM is truly like OpenID, that means, I can take my debit card, go to a foreign ATM (being a valid user at a valid bank), after this authentication process is passed, I retrieve the cash out of that ATM and voilà. My bank doesn’t know about it, I get the cash. I’m a billionaire after a few ATM tries.

Just to add a bit more “background” processes going on between an ATM and my bank.

After the transaction is over and my bank charges me for the amount + transaction fee. Because my bank has to PAY the foreign bank for the money I retrieved plus maybe half of that service charge and the other half of the service charge is for my bank to process this whole thing.

If OpenID is truly like debit cards, then all consumers should be required to post back the actions to the providers or some other types of information exchange to make it worthwhile both for the consumers as well as providers.

A debit card itself means nothing if ATM and the BANK don’t have an agreement.

I prefer to give the visitors of my website a choice: use OpenID if you like, if not… there’s always the “standard” site login. Personally, I’d like to remove the standard site login completely (as I really like the idea behind OpenID), but I understand not everyone is ready yet.

“ATM machine”? Really?

I’m totally in agreement with the point of the post, but I do want to point out that it makes more sense to describe this item as a “passport” than as a “driver’s license”, since the possession/use of it doesn’t imply that someone has any particular level of aptitude in Internet. Calling it an “ID” would be even more appropriate.

I almost never see openid anywhere (Except on some blogs) and when I see it, I just don’t bother commenting. I still have to enter my passwords into a dozen different places. The only place I saw log in with facebook was dailymotion. This site offered to let me login with facebook, but the button didn’t show up so I had to register yet another username and password combination.

I can agree it’s hard to remember so many passwords. I wish there was some sort of standard. Never heard of typepad until I had to register to make this comment.

Just wanted to say thank you for implementing OpenID as the authentication platform for SE sites.

The low barrier of entry is one of the primary reasons that I log in to comment/contribute as often as I do. I only wish the Linux and Open Source development world would wake up and do the same. Nowadays, if a site requires registration to join the conversation, I don’t waste my time.

Aside from the attaboys, there is one other key issue that OpenId addresses. Email addresses are not a good form of identification. The sad fact that many people use the same password for their email addresses as they use on many other accounts creates a massive security risk.

A really common attack vector is:

  • gain a password for the account
  • use that password to login to their email (email was the account username)
  • scan email messages for information about accounts on other sites
  • request password be sent to email from those other accounts
  • gain access and change passwords on all accounts to limit legitimate access

By removing password storage and not requiring email credentials, the security risk is limited to the OpenId account itself and OAuth servers where the OpenId account is stored.

It’s staggering for me to think of how many accounts known or unknown that I have used similar authentication info on over the years. If my password variations were compromised, there’s no way I’d be able to find all of the accounts to update the auth info.

I think it shouldn’t be too long before a third party company stands up and creates some sort of fingerprint identity API.
The beauty of this solution is that you are the identity, there is nothing to remember and you can have multiple identities if you will (using multiple fingers for multiple web sites).

This topic is now over 1465 days old and is still relevant.
But when I see “ATM Machine” I feel the urge to… arghh!