Tag: OpenID
Worthless OpenID
by Nathan on Jul.21, 2008, under Uncategorized
MySpace is becoming an OpenID issuer, which will make them the second largest behind Yahoo!. But here is the thing: an issuer is only half the puzzle. In order for OpenID to work you have to allow people without MySpace OpenIDs to log in. Don’t get me wrong, the more OpenID accounts that are out there, the better chance OpenID has of becoming a standard. When companies like Yahoo! and MySpace simply issue OpenIDs, this doesn’t accomplish the goal for which OpenID was created, and thus will eventually kill OpenID and our chances for single sign-on across the web.
TechCrunch also mentions MySpace may be working on an extended OpenID for their Data Availability program. This is all well and good, but if we start using OpenID for data portability, doesn’t this need to be built into the standard of OpenID, not as an add-on by specific companies? If MySpace uses OpenID for their Data Availability program then I’m going to guess I will need to use my MySpace OpenID to have access to this data, and if that’s the case, who is next? Yahoo!, Google, Facebook… the list goes on. Now I have ten different OpenIDs just so I can have access to all my data. BOO!
I say if you are going to be an OpenID issuer then you also need to support OpenID logins. Otherwise you’re only hurting the other people like me who want OpenID to succeed. MySpace, Yahoo!, etc.: stop leaving one leg in the water; get on board or swim with the fish, you choose.
PayPal Security Key
by Nathan on Aug.08, 2007, under Uncategorized
While listening to Security Now the other week I heard them talking about PayPal offering two-factor authentication via a little key dongle you could buy for $5. This little dongle displays a random 6 digit number every 30 sec, which you can hook in with PayPal and eBay. I thought this was a great idea so off I went to spend my $5. I received the dongle yesterday. It’s pretty small, about 2in. x 1in., and hooking it into my account was easier than registering for a new email address. Now when I go to log in I type my user name and password, then after my password I type in the 6 digit number on the dongle. Works great.
The best thing about the Security Key is the fact that it uses Verisign’s Identity Protection service, which means any site could possibly use the same service, meaning this dongle can work on those sites also. In any case, you know how I like the idea of OpenID. Well, Verisign has added the ability to use this dongle to their OpenID server. So now not only can I have two-factor authentication on PayPal and eBay, but also on any site using OpenID. Woot!!
OpenID Verification
by Nathan on Jun.13, 2007, under Uncategorized
The other day I was listening to Security Now, a podcast about computer security, and they were talking about OpenID. I have OpenID implemented on this site in case you didn’t know. Anyway, a cool thing about OpenID is since it is open source, you can create your own way to verify yourself. So I can run an OpenID server off my web host, thus I am responsible for my own security and authentication. I like this idea, but one thing I don’t like is that most OpenID servers simply use the standard user name and password for verification. This kind of sucks if my credentials get compromised, as this would open up every site I use OpenID on.
Idea for Verification
I got to thinking about this and how it can be improved. First I would only use the user name and password as a way of telling the OpenID server to start its verification process. The next step would be to have the server use a key located somewhere to authenticate the user. This key would have to be created anew after a certain amount of time. Once this key is validated then the server would know it’s really you. The great thing about this system is the key isn’t created by the OpenID server; it has to be created outside the OpenID server. This way if your user name and password are compromised they would only be good for a day, or less depending on how you have your key set up.
Idea for Storing the Key
- The key could be stored in a non-web-accessible directory on the same web server as OpenID. This would entail logging into the server through ssh or other means and creating the key. Still pretty safe as you would need access to the server in order to change the key.
- Another way could be simply running your own OpenID server on your local machine, and storing the key only when the server is running.
- GmailFS or other remote mounting disks.
- Another site to create the key, although I don’t like this idea.
- You could even encrypt the key, before storing it somewhere.
- Many other possibilities
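A sketch of the two-step idea with the first storage option, added here as an example and not code from the original post or from any OpenID server. It assumes the user types the key in after the password step, that the file name is `openid.key`, that a key lives for one day, and that only a SHA-256 digest of the key is kept on disk.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
import time

MAX_KEY_AGE = 24 * 60 * 60  # assumption: a key is good for one day


def provision_key(key_path):
    """Out-of-band step (e.g. run over ssh): create a fresh key, store its digest."""
    key = secrets.token_urlsafe(32)
    digest = hashlib.sha256(key.encode()).hexdigest()
    # 0o600: readable by the server account only; O_TRUNC replaces an old key
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(digest)
    return key  # the owner keeps this; the server never generates it


def verify_key(key_path, presented, max_age=MAX_KEY_AGE, now=None):
    """Second step, run only after the user name and password were accepted."""
    now = time.time() if now is None else now
    try:
        age = now - os.path.getmtime(key_path)
        with open(key_path) as fh:
            stored = fh.read().strip()
    except OSError:
        return False  # no key provisioned: fail closed
    if age > max_age:
        return False  # stale key: the owner must create a new one out of band
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def demo():
    """Constructed run: fresh key accepted, wrong key and expired key rejected."""
    with tempfile.TemporaryDirectory() as private_dir:  # stands in for a non-web dir
        path = os.path.join(private_dir, "openid.key")
        key = provision_key(path)
        later = os.path.getmtime(path) + MAX_KEY_AGE + 1
        return (verify_key(path, key), verify_key(path, "guess"),
                verify_key(path, key, now=later))


if __name__ == "__main__":
    print(demo())
```

The expiry is taken from the file's modification time, so a stolen password plus an old key stops working once the lifetime passes, and a missing key file denies the login.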
OpenID
by Nathan on Mar.26, 2007, under Uncategorized
This weekend I spent a lot of time playing with OpenID. I tried to implement it on this blog, but I need to compile my own PHP and have GMP enabled. I tried to do this but it didn’t work out. Also the plugin I was using didn’t want to find my OpenID endpoint. But I hope with a little help I will be able to bring OpenID as another way to log in.
This weekend I also had a long conversation with some people about OpenID and the way many sites are implementing it. The problem I have with, for example, LiveJournal is that I have no way to associate my OpenID with my already created account. I know LiveJournal gives you an OpenID, but I want to use my own, meaning I have to create a new account. I hope in the long run this will be fixed by sites like Digg who are going to implement this technology.
[Update]: Looks as though I have OpenID running. It is in dumb mode, I don’t know what that means, but it can be fixed with GMP. Everyone give it a try.

