Another day, another major internet security flaw (step aside, Heartbleed). A bug has been found in OpenID and OAuth, two authentication programs that let you log into web sites using your Google, Facebook, and other major accounts. Here's what you need to know about the security flaw.
Tagged With openid
OpenID is an open standard for logging onto various web services with a single digital identity. The tool puts your online identity back in your hands — and as it turns out, OpenID on your own domain is surprisingly easy.
A recent usability study conducted by Yahoo shows that users are still confused by OpenID—the single sign-on technology out to eliminate multiple usernames and passwords. Tech site Webmonkey reports:
The study observed nine female Yahoo users in their thirties who considered themselves of medium-to-high internet savvy. The participants were told they could log in with their Yahoo ID at a third-party site. In many cases, the users tried to log in using the site's main login, rather than the OpenID login. Users don't understand multiple ways to log in, at least not without some education.
Web security firm VeriSign has re-launched its Personal Identity Portal, an OpenID-backed portal that provides one-click sign-ins for many popular webapps and e-commerce sites. The biggest downside from using a software solution or another login handler is having to visit your personalised PIP page before moving ahead, but that can be a blessing if you can remember your password there but not at, say, Circuit City. The PIP page provides bookmarklets for quick access, but security-conscious users can also require that VeriSign authenticate another key or a browser certificate before granting access. The PIP service is free to use, and works wherever OpenID is supported. To learn more about OpenID, check out our review and walk-through.Personal Identity Portal
This will be welcome news to anyone who hates doubling up on online accounts and identities - you can now use your Google account as an OpenID login. This means you can log in to any site which uses OpenID using your Google credentials. Digital Inspiration explains how to do it:
"To create a custom OpenID URL with your Google Account username, go to appspot.com and login using your Google credentials. You will be assigned an OpenID sign-on that looks something like this:
Good stuff. I haven't gotten around to creating an OpenID, and this could mean I don't need to. Anyone know of any compelling reason why you should have a standalone OpenID rather than using your Google ID?
Now that both Yahoo and Blogger have moved toward OpenID support, maybe it's time you weighed the pros and cons of OpenID and got started using it. Already use OpenID? Let's hear what you love about it.
Laurel Papworth has written up an interesting review of online identity manager ClaimID, which she says is a nice social aggregator of online identities.
"Think of ClaimID as a social bookmarking site for identities and profiles. You link to your profile page or account login on some other site and then bookmark it. There's a hidden/private field and you can choose whether to turn the API functions on or off."
ClaimID uses OpenID to let you verify or 'claim' pages and profiles about yourself online, providing a central repository for yourself or others to search (portfolio 2.0?). It also has the handy bonus of having a private field for password hints, so you can use it as a reminder for the passwords for the sites you visit infrequently.