
Login standard OpenID has gotten a huge boost today from Microsoft, as the company has announced that users will soon be able to log in to any OpenID site using their Windows Live IDs. With over 400 million Windows Live accounts (many of which see frequent use on Live’s Mail and Messenger services), the announcement is a massive win for OpenID. And Microsoft isn’t just supporting OpenID – the announcement goes as far as to call it the de facto login standard.
The news parallels Yahoo’s announcement in January that users would be able to use their Yahoo IDs on any OpenID site – a move that instantly tripled the protocol’s potential user base. But it also comes with the same caveat that we had with the Yahoo news: while Windows Live accounts will work for logging into other sites, it’s unclear if Live will become a “relying party” that would allow users to log in with third-party OpenIDs.
Bill Gates initially pledged support for OpenID in early 2007, but the company has been slow to actually implement it (unfortunately this has been a trend in the industry). For now Live’s role as an OpenID provider is in testing, with widespread support planned for “sometime in 2009”. If you’d like to try it out now, check out the instructions on the blog post here.








the question is when yahoo and microsoft sites will start allowing users to login into their services with an openid!
until then, openid is cute, but really nothing else…
Yep, you’re right.
Yeah, this has been the big problem with OpenID to date. Everyone and their dog wants to be an OpenID *provider*, but not enough companies actually support OpenID logins to their own site.
OpenId should start requiring it I think. It’s just dumb that everything will be OpenId yet nothing is open.
Exactly. It takes exactly no balls to be an OpenID provider unless you’re going to be a consumer as well. No company should be given a modicum of praise unless they implement the whole package.
OpenID is _worthless_ otherwise.
Haha… very true
I’ll get excited when I start seeing major sites start supporting OpenID logins, not just providing authentication support. Sure, lots of smaller sites support it (including my blog). But wouldn’t it be nice if you could use this “de facto standard” to get into Microsoft Live too?
The way I understood this blog and the one from C-Net is that Windows Live ID will fully support Open ID “de facto standard”. Below is the hyperlink to the other blog that I’m referring to.
http://www.netw.../102708-microso
OpenID is so easy to integrate, I really wish more sites would start supporting it. But, not in the half assed way that Sourceforge did.
Hey,
Check out the screencast of the experience here: http://www.vimeo.com/2082994
re. only being a relying party:
Windows Live ID is the Identity Provider for Microsoft and partner web properties, so we will only be acting as an OpenID Provider.
Other Microsoft web properties will make their own decisions about whether it is important for their business to act as an OpenID relying party (for example HealthVault today is a relying party of 2 OPs).
You may want to also check out the other Federation announcements we made today http://dev.live.../10/27/420.aspx.
-Angus Logan
http://blogs.ms...com/angus_logan
[fixed typo]
Hey,
Check out the screencast of the experience here: http://www.vimeo.com/2082994
re. only being an OpenID Provider and not being a relying party:
Windows Live ID is the Identity Provider for Microsoft and partner web properties, so we will only be acting as an OpenID Provider.
Other Microsoft web properties will make their own decisions about whether it is important for their business to act as an OpenID relying party (for example HealthVault today is a relying party of 2 OPs).
You may want to also check out the other Federation announcements we made today http://dev.live.../10/27/420.aspx.
-Angus Logan
http://blogs.ms...com/angus_logan
this might well be really nice for services !
many times I visit an online store and wish to simply login and send one of my identity’s information rather than autofill messing up the boxes etc
just need the stores to support it
plus I want to login to yahoo with a hotmail address AND login to MSN with a yahoo address since I can message yahoo through MSN messenger and do the same through yahoo messenger I don’t see the problem…
really myspace, google and such should step up and start using this to login to profiles since you’re allowed to have a google ID of a non gmail account and myspace uses external email addresses anyway I don’t see the problem !
this is a great step
regards
John Jones
http://www.johnjones.me.uk
Finally! Widespread, easily integrated federated identity….
Wake me when I can log into Windows Live with my Gmail credentials. Until then I won’t look at this as anything other than another “me too” move.
See the announcement re. Microsoft Federation Gateway – http://dev.live.../10/27/420.aspx
OpenID’s dead. It will go nowhere. Try using OpenID… WORST.USER.EXPERIENCE.EVER!
Nice and all but (and not to criticise) I would have thought the fact that this just adds another provider would be highlighted. What’s the point of the ‘de facto standard’ if you can’t login anywhere useful with it?
Just another media grabbing exercise which might also convince a few users not to give up their Live accounts a few years down the line.
This is great news. As several of the other commenters have pointed out, what really needs to happen and has needed to happen for the last year is for more companies to start supporting OpenID in a clear way and letting people actually use it.
Pretty much everyone now “has” an OpenID via Yahoo and AOL. The key is going to be integrating it in a way that makes sense to users and lets them actually reap the benefits from not just single-sign-on but from their whole identity.
I’m a businessman. Let’s say a hacker logs into my store and steals value from me… in some form. Are the so called ‘openID providers’ liable for my losses? I assume they are NOT. But in fact they ARE, they provided the hacker with ‘means’ to defraud me of my money.
It’s not suitable for any business, people. I mean – it’s not USEFUL for me as a businessman, there is no legal basis for using this useless toy in my for profit business. And I can not imagine another business that could use it and it would be useful for the business. But of course Web 2.0 people can keep playing with this toy for as long as they want.
You either don’t understand OpenID or you are intentionally spreading FUD. Go watch the video of how it works: http://simonwil...nid-screencast/
If a malicious user signed up for an account on your site using Gmail then defrauded you, does that mean Gmail is responsible for your loss? They are no more responsible for it than an OpenID provider would be for an OpenID login. OpenID just makes the signup procedure more user friendly. OpenID replaces the username and password humdrum.
You clearly didn’t understand Alex’s comment. His point is that OpenID isn’t secure from a businessman’s standpoint because it uses 3rd party authentication on 2nd party sites.
If Gmail gave someone else your login details, they may very well be liable to you. If an OpenID provider does…where does the fault lie? With the provider, or the website allowing the OpenID login?
Tom Morris, Stop being a fanboy for a moment and read what he actually said. The whole concept of OpenID has one huge fundamental flaw with the whole system. Trust. You have to trust that your openID host is honest. Also apps/websites that implement openID have to trust your openID host as well.
Not to mention the fact that anyone can host an openID, without any credentials or knowledge of basic security.
Which is why we people can do OpenID whitelisting – if you don’t want BobsRandomWebsite.com to login you filter them out and only allow the big boys to provide authentication (Google, Yahoo, LiveJournal, AOL, Vidoop, MyOpenID etc.). Security is between the user and the OpenID provider – just as it is with e-mail.
Anyone can host an e-mail server. When you sign up for a website, it e-mails the password to you. You may trust sending your passwords to a big company e-mail provider like Gmail or Yahoo. But the nice thing with e-mail – and OpenID – is if I think I can handle my e-mail better than Gmail, I can run my own server.
I can understand why a bank would want to steer clear of OpenID. But for almost anything else, I can’t see a reason not to use it. In fact, reducing the known usability bottle-neck of signup (”Hey, just fill out this long form, then go to your e-mail inbox and click a link, stand on one leg and sing the National Anthem” vs. “Just type your AOL/Yahoo/Microsoft login in”) seems like a significant competitive advantage.
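The provider whitelisting described in the comment above, sketched as an added example (not code from the post or from any commenter): a relying party checks the OP endpoint it found through discovery against an exact-host allowlist before accepting a login. The hostnames and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist: exact hostnames of the providers this site trusts.
ALLOWED_OP_HOSTS = frozenset({"op.bigprovider.example", "login.other.example"})


def op_endpoint_allowed(op_endpoint, allowed_hosts=ALLOWED_OP_HOSTS):
    """True only for an HTTPS OP endpoint whose host is exactly allowlisted."""
    try:
        parts = urlsplit(op_endpoint)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # plain HTTP lets a network attacker stand in for the OP
    if parts.username is not None or parts.password is not None:
        return False  # reject https://trusted-host@other-host/ style URLs
    if port not in (None, 443):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    # Exact match only: suffix or substring matching would also accept
    # op.bigprovider.example.other-site.example.
    return host in allowed_hosts


def accept_assertion(discovered_op_endpoint, asserted_op_endpoint):
    """Gate an OpenID 2.0 positive assertion on the allowlist.

    discovered_op_endpoint: endpoint the relying party found by running
    discovery on the claimed identifier.
    asserted_op_endpoint: the openid.op_endpoint value in the response.
    Signature and nonce checks are still required and are not shown here.
    """
    if discovered_op_endpoint != asserted_op_endpoint:
        return False
    return op_endpoint_allowed(discovered_op_endpoint)
```

The allowlist decides only which providers may vouch for a user; it does not replace verifying the assertion itself.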
The key here is you are a BUSINESSMAN as such, you are being ignorant when it comes to technology. I don’t run around and tell you how to run your business. So, don’t tell me what you don’t know. Until you have RTFM and designed and implemented an OpenID web application. STFU & STFD. And if a CRACKER breaks into your site that is your fault. Even if someone were to glean your databases all they would get is a mapping of uid to openid_url. That is hardly a security risk.
Is there an idiot’s explanation of how OpenID works ? I couldn’t find one in plain sight.
We have to welcome this move from Microsoft; many sites should follow this
If an unsuspecting internet user were to signup to a ‘hacked’ or otherwise an openID server with an inept server admin, this would raise some serious concerns for security.
The average Joe knows nothing about security, and would not realize that choosing your openID host to signup to openID with is actually a major security flaw / risk factor.
At a recent conference I went to, a speaker was pushing webmasters to use openID. I did raise this issue, and the speaker could only offer that perhaps this is not a strong enough tool for use in the business / banking sector.
So tell me – what good is this? Without a real method of authorizing hosts to become an openID provider (through rigorous security tests and contracts (a server administrator could login as you through their records)) then there remain massive security flaws with openID… and I am not about to commit my customers to this.
There’s a reason why no one wants to be a relying party – OpenId simply doesn’t give us high enough confidence in the actual identity of a claiming party. No one with data that they value (including all the big boys and every enterprise software company out there) will rely on OpenId until there’s a guarantee that the identity provider’s authentication is equal to or superior to your requirements. Today, this can’t be known.
And that’s just the technical story … try to convince the corporate strategy folks that they should rely on their competitor (Google/Yahoo/Microsoft/AOL) for their users to access their site. Just doesn’t fly.
OpenID has a place and is relevant technology that provides an excellent solution to a real problem. Users hate managing user names and passwords and hate filling out registration forms.
Yes, there are concerns about OpenID’s security, but this has to be weighed against what you are trying to protect. Do you really care if your blog identity is hacked? Do you care if your eCommerce identity is compromised? The truth is most users don’t care or don’t know any better! It’s the websites that care, they need to manage their exposure, and this is why we are seeing limited consumers of OpenID, and white lists are not scalable in the long term. Any identity management system that relies on assertions is prone to trust issues.
What if an identity provider was anonymous and untrusted?
This is the problem with quickly evolving technology. Almost like the browser wars. Things get developed / financially backed too quickly, and then blindly followed by big organizations, without due consideration.
“What if an identity provider was anonymous and untrusted?”
The same as if an e-mail provider is anonymous and untrusted. They provide a de facto identity hub through the use of ‘recover password’.
Yes, but only if the identity provider had that capability.
Wouldn’t it be nice if the user created and owned their key to decrypt their identity…