Comments on: Most OpenID criticisms are misguided

By: This Week’s Bookmarks at Not So Relevant

This Week’s Bookmarks at Not So Relevant — Sun, 18 May 2008 07:01:40 +0000

[...] Most OpenID criticisms are misguided | Community Site News [...]

By: Rowan

Rowan — Tue, 13 May 2008 19:00:54 +0000

People also seem to get hung up on the common misconception that OpenID means having one username and password. It's defining that split between identification and authentication that developers (and eventually users) will need to start adapting to.

The key here is that your OpenID provider needs to be told which site is attempting to verify your identity. It's then down to the provider to decide what level of authentication is necessary. For example: if it was a request from Twitter, you're probably not overly concerned and password or cookie authentication would be fine. However, if the request was from the bank you might to use something like a keyfob. I guess, it could even go through to a human being who then phones your number and asks if you want to authenticate against the site.

You might even argue that it's more secure, as an attacker does not necessarily know what kind of authentication method will be used, or even if the same one will be used each time.

By: Aaron Klemm

Aaron Klemm — Mon, 12 May 2008 18:30:19 +0000

Tamlyn: great post! These current criticisms of OpenID are unfortunate, but getting the right information out there is going to help a lot.

By: nerd.

nerd. — Fri, 09 May 2008 10:19:34 +0000

OpenID isn't something I've played with yet, and I haven't really made up my mind on it (fears harking back to Micro$oft's ill-fated Passport service) but that was an interesting read.