One login for all sites would be more than wonderful, talk about a world wide identity.

My only problem is OpenID makes you login with a URL, not really fond of this.

There are other solutions, like Aliixer’s LoginShare for example, I think a more secure method.

http://www.aliixer.com/share/

Vidoop is cute, but the “click pictures” thing has been done to death before and is just as weak as it has always been. Consolidating all my logins to one site is exactly what I want, but I’m not creating a “single keys to the castle” situation without a MUCH stronger security mechanism in place.

I love where OpenID, iCards, OpenSocial, etc. are all going, but they all are hindered by a truly secure implementation. Soon as someone offers me one, I’m all over it.

In a way, this is already the case. We have single sign-on today: email. An attacker can focus on getting the credentials for your email address, search through your inbox for services you have, and go to those services asking for a password reset.

Previously if there was a weakness in the login process of software used on many websites it would have been some time before they were all updated with any fix. Now with OpenID providers reputation dependent on how well they are secured it will be in their interest to respond to any security weakness (real or perceived) as quickly as possible.

Of course many people will host their own OpenID provider but I’d still argue that the number of installations that have to be updated is reduced by an order of magnitude.

There will still be the problem of individual sites getting hacked, but as long as they aren’t OpenID providers then it won’t spread to any other sites because there won’t be any passwords to steal. And if an OpenID provider were to get hacked, well we may be putting all our eggs in one basket - collectively a smaller set of baskets - but (if you’ll excuse me mixing metaphors) previously the security of our password was only as secure as the weakest link in the chain - the least secure site you used - whereas now at least we can start to make better decisions about what level of security we are comfortable with for our identity, and make sure those baskets are lead lined and bullet proof.

For instance, https://myvidoop.com

I see it as some sort of monopol. If everyone uses the same way, everyone is affected by one break. IF the monopol is working, there is no problem.. IF Microsoft would make secure software, we wouldn’t have the problems we have today.

I think the idea behind OpenID is good in Theory. But in Reality, it shatters with the same reason MS shatters. It is NOT secure. There WILL be flaws. And since everyone uses the same…everyone will be attackeable the same way.

Diversity may lead to a lot different ways to secure things, and i think lots of those actualy arn’t designed good. But if one of those breaks, none else is affected. Unfortunately, we tend to go into a monoplized software biosphere. Thats not only MS. Its the same with wordpress, phpBB and a lot other software. What we seen recently with those mass-hacks, is exactly this problem. Its ONE software that has ONE flaw. And it makes almost everyone vulnerable since everyone uses it.

Another thing is, that most ways to secure a software uses the same way even if the software isn’t the same.
Even if phpBB and wordpress use different cookie names, they basicaly verify it the same way. So actualy we already HAVE a monopolized Biosphere.
And therefore we can just move on to OpenID, since those people work on it do focus on the security only.

So my personal conclusion is, we SHOULD move on to OpenID. But we too have to REALY be carefull, since it WILL break. And when that happens its back to the application admins to clean up. As usual. Its always the admins who run in case something happens. We never can rest. Always bee carefull, and don’t relly on the software. Software can’t fix a unfixable problem. As long the Internet works as it does today, there is no way to prevent such things happen.
And I dont think its too bad… another solution (just a example) would be to give every Internet-User a Key-card and a card-reader, only allow those verified into the Net…and I dont want that. It would maybe fix the technical vulnerablilities, but would open a HUGE door for social/governemental abusage.

In the end, i run. Fix my server, fix the Clients computers at work and in my circle of friends.. But on the other side… its what gets me my monthly paycheck or a beer and dinner at friends home. So why complain.