
Biting the hand that feeds IT

The Register ®


Comments on ‘Yahoo! backs! OpenID!’

Password complexity be damned

Published Saturday 19th January 2008 03:55 GMT


yeah unfortunately

By Alan Doherty
Posted Saturday 19th January 2008 06:10 GMT
Thumb Down

both yahoo and blogger have just become openid providers

they do not seem to have any plans to let their users move from id/password on their own sites to openid

{openid only receives real support from sites allowing login credentials to be associated with an openid {or even a few} thus giving the users the choice to only have to remember the one set of credentials for all sites they use openid instead of username / password}

more openid providers are not really needed, and yahoo's encouraging of people to use a login with yahoo on their sites runs contrary to the entire point of openid

haha 

By Peter Ramins
Posted Saturday 19th January 2008 07:09 GMT
Thumb Up

I just never! get tired! of these headlines!

Microsoft 

By Steve Browne
Posted Saturday 19th January 2008 07:36 GMT
Pirate

Well, they did try this and it didn't work.

I think the reason was more a lack of trust of Microsoft than anything technical. So, Yahoo! may be more successful, but I suspect there is likely to be some ingrained mistrust of having passwords stored on the web in one place.

People, especially in the UK now, are much more aware of data loss than they were before HMRC decided to throw it all away. How many companies publish their mistakes? None? How often is it the result of a press leak that we find out about data losses? Every time? Most of the time?

With passwords, if they haven't got them, they can't lose them.

Provider or consumer 

By Julian Bond
Posted Saturday 19th January 2008 10:23 GMT
Thumb Down

We really don't need more OpenID providers at this stage of the game. We need more sites that support it for log in. Now if Yahoo had announced that, we'd be cheering.

Note that OpenID and oAuth are on the roadmap for OpenSocial.

Phishing attacks? 

By Mo
Posted Saturday 19th January 2008 10:36 GMT

Uh, how is it a tempting target for phishing attacks, exactly?

The whole POINT of OpenID is that it means phishing attacks are pretty much impossible: unless the phisher goes to the trouble of creating several different fake login pages and detecting the domain of the URI you enter on the target site (then redirecting you to the correct fake, hoping that you don't notice it IS a fake), then it can't happen—and even then it only works if you use one of the well-known OpenID providers (Verisign, AOL, Yahoo, for example). If you run your *own* OpenID server (or use a corporate one), any phishing attempt is dead in the water from the outset.

Re: my own comment 

By Mo
Posted Saturday 19th January 2008 10:41 GMT

I rescind my earlier comment, I see how it could be done through MitM attacks. There are quite a few avenues for combating that, though (for example, you authenticate with your OpenID server using an X.509 client certificate—no passwords transmitted, attack fails from the outset).

Now we can hack ALL your logins in one go! 

By Steve Renouf
Posted Saturday 19th January 2008 10:58 GMT
Paris Hilton

Great idea! Let's make it easy for the hackers so that once they've hacked one of your logins, they'll have access to all of them. Whoever thought that one up ought to be shot!

Does this mean... 

By saxsux
Posted Saturday 19th January 2008 11:03 GMT
Heart

...that El Reg could follow suit soon? Pretty please?

Sounds kinda like 

By joe
Posted Saturday 19th January 2008 14:07 GMT
Thumb Down

a social security number for the internet. By making it "easier" for people to have one ID (login) for just about everything, will make it easier to track users across the net. What happens if a slightly under secured site has its user ID's hacked? Or is it going to make it easier for the powers that be to keep a handle on everyone? What will this do for online privacy?

Whatever happened to the concept of changing your passwords often or using different ones in case your online account gets hijacked? I see trouble brewing.

Oh! My! God! 

By evilbobthebob
Posted Saturday 19th January 2008 14:39 GMT
Paris Hilton

Now, this reminds me of something the UK government intends to do.

And it has the same deficiencies: it provides a single portal for any security loopholes to be exploited. Woohoo. At least it may be marginally more secure than something the UK government implements...but that's not very difficult.

Paris, cos I haven't used her as an icon yet.

@Alan Doherty 

By Colin Guthrie
Posted Saturday 19th January 2008 19:28 GMT
Unhappy

What's wrong with more OpenID providers? If you are really paranoid you'd implement your own provider on your own server and create one account. That way you've got nigh on full control and can shut down access to all your online accounts automatically. Would there be anything wrong if every single person in the world implemented their own provider and used that? It's not worth the effort for 99.999% of people but, genuinely, what's wrong with it?

99% wouldn't or couldn't 

By joe
Posted Sunday 20th January 2008 02:20 GMT

@Colin Guthrie

. That's what's wrong with it. So for those who may not be that savvy or are just too lazy, having one ID for everything leaves holes.. or is it that just one hole will be needed now?

Passpot paspoirt 

By Anonymous Coward
Posted Sunday 20th January 2008 07:31 GMT
Linux

something like that we didn't use it because no one trusted MS (fairly well reasoned I think). This seems to decrease your safety while probably only very slightly lowering the number of passwords you use hell if you wanted to you could use the same username and password for all logins yes of course I know this differs in that there is only one repository of your details but I don't see it as being all that secure since they will need to send authentication details in some way across domains making spoofing easier.

...can't take any more. 

By Tony Benn
Posted Sunday 20th January 2008 13:44 GMT

It's all getting too much. Maybe just have eyeball scan instead but after a few beers you can't log in to surf anywhere with bloodshot eyes:)

Where's the problem? 

By Anonymous Coward
Posted Sunday 20th January 2008 23:24 GMT
Happy

At the moment this looks like nothing more than an easy way to make up fake details for staying anonymous on forums and blog posting etc. I've just signed up to one with a fake email account (the only proof of who I am I needed to give) and I can now easily troll message boards without having to fill in registration forms and validate my email account every time.

Sweet! I just signed into LiveJournal with my OpenID account - it only took five seconds!

@joe 

By James Henstridge
Posted Monday 21st January 2008 01:26 GMT
Black Helicopters

With OpenID 2.0's directed identity mode, it is possible for the OpenID Provider to choose the identity URL sent back in the response.

This would make it possible for an OP to give a user a different identity URL for each Relying Party that they visit. Provided that these different identity URLs can't be correlated (i.e. they don't contain a common user identifying section, and there are multiple users on the same OP), RPs shouldn't be able to correlate your profile by identity URL.

Now while this is possible, I don't know whether many OPs provide this sort of service. As Yahoo is only supporting OpenID 2.0 they would be in a position to do so, but you'd need to check first.
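
Added example, not part of the comment above and not any provider's actual code: one way an OP could issue the uncorrelatable per-RP identity URLs the comment describes, by deriving each URL from an HMAC over the local user and the RP's realm. `op.example`, the secret, the function names and the choice to normalise the realm to its origin are assumptions; the `identifier_select` URI and the `openid.*` field names come from OpenID Authentication 2.0.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# OpenID 2.0 value an RP sends when it wants the OP to choose the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

OP_BASE = "https://op.example/id/"      # hypothetical OP identity URL prefix
OP_SECRET = b"constructed-demo-secret"  # hypothetical; never hard-code a real key


def normalize_realm(realm: str) -> str:
    """Reduce a realm to scheme://host[:port] (an assumption of this example) so
    that path or case differences at one RP do not yield different pseudonyms."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unusable realm: {realm!r}")
    host = parts.hostname.lower().lstrip("*.")  # fold wildcard realms like *.rp.example
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"


def pairwise_identity(local_user: str, realm: str) -> str:
    """Stable for one (user, RP) pair, with no section shared across RPs."""
    msg = f"{local_user}\x00{normalize_realm(realm)}".encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return OP_BASE + tag


def build_assertion(request: dict, local_user: str) -> dict:
    """Identifier fields of a positive assertion for a directed-identity request."""
    if request.get("openid.claimed_id") != IDENTIFIER_SELECT:
        raise ValueError("not a directed-identity request")
    ident = pairwise_identity(local_user, request["openid.realm"])
    return {"openid.mode": "id_res",
            "openid.claimed_id": ident,
            "openid.identity": ident}
```

Because the URL is keyed by the OP's secret, two RPs comparing their user tables cannot link the same person by identifier alone; the OP itself still sees every login.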

Eggs 

By Alan Davies
Posted Monday 21st January 2008 12:43 GMT

Basket???

Still using Username & Password? 

By Neil Smith
Posted Monday 21st January 2008 14:44 GMT
Paris Hilton

Come on folks.

The hallowed pages of our Register have already hosted articles on alternative, much stronger methods of authentication - GrIDsure for example.

Why start off trying to make life easier & safer, then not do the homework? Fixed passwords & PINs are finished, they are dinosaurs. We are on the slope towards the second decade of the 21st Century, let's use something better. Even Paris could work that out.
