Yahoo, the maligned Internet company looking to turn things around in 2008, said today it is backing the OpenID 2.0 digital identity framework, allowing its 248 million users to access multiple Web sites with one ID.
With the help of partners such as Plaxo and OpenID creator JanRain, Yahoo will support OpenID in public beta beginning Jan. 30, allowing users to use their OpenID identifier, which is a personalized URL, to access their Yahoo pages.
Web sites that accept OpenID 2.0–there are 9,000, including Google Blogger, AOL, Microsoft VeriSign and Sun Microsystems–will be able to add a “Sign-in with Your Yahoo! ID” button to their login pages that will make access easier for users.
Yahoo’s support could be a boon for the OpenID movement, which currently boasts 120 million identifier URLs. If Yahoo’s users go for OpenID, that could triple the total, making the technology a lot more credible.
OpenID is a fine concept. Who wouldn’t want to move online among multiple social networks, blogs, and wikis without retyping in the same ID information?
There is a big push afoot for data portability, allowing users to move data in and out of walled gardens, so it would make sense to start by enabling single sign-on for these sites. Plaxo and Google’s OpenSocial effort are two of the leading purveyors of the data portability concept.
When Robert Scoble was briefly kicked out of Facebook for yanking out data with a Plaxo tool, hundreds of people rushed forward to demand his reinstatement even though he was in the wrong.
People get crazy about wanting to control their data and what they can do with it, which leads me to my security concern about OpenID. How secure is it?
OpenID professes to be safer than the traditional e-mail/password log-in. Because it uses a URL, no e-mail or instant messaging addresses are revealed or disclosed as part of the login process, protecting users from phishing or other attacks.
But users are responsible for their identifiers. If someone grabs your computer, laptop, or mobile device and finds your URL, you’re done for, right? Well, no.
Plaxo Chief Platform Architect Joesph Smarr told me today such a scenario is highly unlikely because the technology was created by cryptography geeks dissatisified with current security methodologies.
OpenID not only encrypts but digitally signs and double-checks the information flowing back and forth. Moreover, Smarr said you don’t have to keep your OpenID URL secret for it to be secure.
Users have to sign in to their OpenID provider to prove they own that OpenID. That can be a login/password like normal, but it can also include a secure key fob, a client-side cert, replying to an SMS, and so on.
OK (grumble, grumble), but I’m going to go back to standby that if humans can design something, humans can break it. It’s only a matter of time before folks find a way to break OpenID. If that happens, stick a fork in the emerging protocol.
Until then, enjoy the digital convenience OpenID has to offer.