  • OpenId is open source and can be implemented by anyone.
  • In both cases my credentials are held on a third party server.
  • The only advantage I can think of for using Microsoft Passport is the reliability of Microsoft.
+4  A: 

OpenID is a decentralized authentication system while Passport is centralized.

If you use OpenID, you'll not be relying on any single third party provider which can shut down services or act as a big brother or ... because you are using a distributed authentication mechanism.

And you can have many more users sign in easily as all major providers (including Microsoft) are going to support OpenID in the near future. You are not forcing users to create accounts on any OpenID provider. If they want, they can run their own authentication server to sign in to your site.

Mehrdad Afshari
Ehh, I would say yes and no. You are still reliant on the one vendor that you decided to go with. For instance at SO my OpenID is through WordPress. So if WordPress shut down their OID service today, I would have to go find a new service. Worse, in the case of SO I would lose all my rep. :)
EBGreen
Having said that I would still prefer OID over passport.
EBGreen
Good point. But this is not SO's problem, it's the user's problem. Users can run their own server and not let it go down. But if MS starts charging SO or shutting down services, it'll be SO's problem too.
Mehrdad Afshari
As I pointed out, Google, MS, Yahoo are all going to support OpenID in the near future, so it's at least going to be as reliable as Passport.
Mehrdad Afshari
OpenID not only goes down when your server goes down, but if you switch to a different OpenID server, then you're not recognized the same. If you do it on SO then you'll lose all your points (unless they've fixed that).
Lance Roberts
If you switch users on Passport, you lose all your emails! And you can't switch providers at all. It's a comparison. It can't do magic, of course. By the way, SO could provide an OpenID migration path to make you log in with one ID and then set it to another ID. This is not OpenID's fault. It's SO's
Mehrdad Afshari
I agree that the migration issue is an SO issue and not an OID issue. Although I have no idea how easy OID makes such a migration. My comments were just to point out that multiple *potential* hosts does not inherently equate to reliability.
EBGreen
Yes, after all, reliability depends on the authentication server. From a single user perspective, using OpenID might not make a big difference, but if you look at a Web site as a whole, if one server gets shut down, only some users will get hurt. Others will continue to work without problem.
Mehrdad Afshari
That is a valid point.
EBGreen
+1  A: 

Passport is tied to one vendor; OpenID seems to me to be a phishing nightmare waiting to happen.

I would say use OpenID for single sign-on where the security isn't vital (blog/forums/etc), and something more like Microsoft CardSpace for things where security is more important (ecommerce).

http://dotnetslackers.com/articles/security/microsoft_cardspace_getting_started.aspx

Matt Briggs
I've seen that "phishing nightmare" comment before - possibly by you. I don't see it. Care to elaborate?
Paul Tomblin
I would be interested in more details as well.
EBGreen
Refuted at http://stackoverflow.com/questions/318677/what-are-the-dangers-of-using-openid-for-your-website
Paul Tomblin
To be fair, there is some risk of a phisher capturing your password by imitating your OpenID provider's login page. Sure, if you're careful with SSL it won't happen to you, but the same is true of any phishing attack, and they succeed every day. If I'm expecting to type my pswd, I'm more vulnerable.
Steve Jessop
But I doubt OpenID is any more of a phishing target in this respect than Passport. And in any case, PayPal should keep the phishers busy indefinitely, since that's where the money is.
Steve Jessop
Wouldn't passport have the same potential vulnerability?
EBGreen
@EBGreen: Yes. Comments crossed in the post ;-)
Steve Jessop
I was referring to what onebyone described. I would not trust passport for highly secure information either for the same reasons, but passport for all intents and purposes as a single sign-on provider is dead.
Matt Briggs
@Paul Tomblin: I never commented on an OpenID question here before. The link you pointed to was talking about issues not related to phishing, and one guy who got all pedantic about whether or not phishing is a security hole.
Matt Briggs
I'm not saying OID is bad, I am just saying I wouldn't use it for ecommerce or banking, or any public facing site that is a big target for fraud. You cannot trust users to read the URL or look at certs, and you can't trust the security of arbitrary third party providers.
Matt Briggs
But, would you use passport?
EBGreen
+4  A: 

If you use OpenID, you can choose who your backend authentication provider is and change it at will. If you have your own web page, then a bit of code at the top can point to your authentication provider. If you don't like that one any more, change it to something else.

Also, if you prefer, you can run your own OpenID authentication provider. Then your authentication credentials aren't held by anybody else at all.

Greg Hewgill
It's problematic to change OpenID providers. On SO (unless they've fixed it) you'll lose your points.
Lance Roberts
Lance, what Greg is getting at is to use a personal URL (mine is my name, aaronhockley.com) as your OpenID URI. I have delegation configured from my provider (currently Vidoop). But in about a minute, I could change that delegation to use another provider. My URI wouldn't change.
ahockley
Unless you forgot to keep your domain registration up, or forgot to pay the hosting bill, or simply decided not to use the domain name anymore.
EBGreen
I want to be clear that I think OpenID is a good solution. I just like to be sure that both pros and cons are present in the discussion.
EBGreen
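The delegation described in this answer and its comments, as an added example that is not part of the original posts: a personal page advertises the provider through `<link>` tags (the `openid.server`/`openid.delegate` and `openid2.provider`/`openid2.local_id` rel values from OpenID 1.1 and 2.0), and a relying party that keys accounts on the claimed URL sees the same identity after the provider is swapped. The hosts `alice.example`, `provider-a.example` and `provider-b.example`, the function names, and the HTTPS-only rule are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: the <head> of a personal page that delegates to provider A.
PAGE_BEFORE = """<html><head>
<link rel="openid2.provider openid.server" href="https://provider-a.example/server">
<link rel="openid2.local_id openid.delegate" href="https://alice.provider-a.example/">
</head><body>Home page</body></html>"""
# The same page after the owner edits the two href values to point at provider B.
PAGE_AFTER = PAGE_BEFORE.replace("provider-a", "provider-b")

class LinkCollector(HTMLParser):
    """Collects rel -> href from <link> tags, but only inside <head>."""
    def __init__(self):
        super().__init__()
        self.rels, self.in_head = {}, False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:  # ignore tags placed in body content
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, a.get("href"))  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(claimed_id, html):
    """HTML-based discovery for the URL the user typed (the claimed identifier)."""
    p = LinkCollector()
    p.feed(html)
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    local_id = p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")
    if not endpoint:
        raise ValueError("page advertises no OpenID provider")
    if not endpoint.startswith("https://"):  # assumed policy for this example
        raise ValueError("refusing provider endpoint without TLS")
    return {"claimed_id": claimed_id, "endpoint": endpoint,
            "local_id": local_id or claimed_id}

def account_key(discovery):
    # The site account is keyed on the claimed URL, never on the provider-local
    # identity, so changing the delegation does not orphan the account.
    return discovery["claimed_id"]
```
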
A: 

Microsoft Passport only supports username/password authentication. Lots of OpenID Providers support CardSpace login, X509, or other phishing-resistant means. That means that your OpenID can actually be more secure than MS Passport.

Andrew Arnott