Yahoo Adds Its Muscle to OpenID Single Sign-On Standard

Yahoo has announced that all of its 248 million active registered users worldwide will be able to use their Yahoo IDs as OpenIDs, eliminating the need for separate IDs and logins at Web sites that support the open, decentralized digital identity framework.

“What Yahoo has announced today is the ability for people with accounts on Yahoo and Flickr to use those accounts via OpenID to log in to nearly 10,000 different services around the Web,” David Recordon, open platforms tech lead of Six Apart and vice chair of the OpenID Foundation, told LinuxInsider.

“This is beneficial as it means that a Yahoo user going to comment on a blog, join a community, or sign up for a new service does not have to create a new username and password, but rather can use their OpenID from Yahoo,” he explained.

Yahoo’s initial OpenID service will be available in public beta on Jan. 30. It will enable a seamless and transparent Web experience by letting users either use their custom OpenID identifier on my.yahoo.com or simply type in “www.yahoo.com” or “www.flickr.com” on any site that supports OpenID 2.0. Alternatively, Web sites that accept OpenID 2.0 will be able to add a simple “Sign-in with Your Yahoo ID” button to their login pages, making sign-in even easier for their users.

Huge Coup for OpenID

“I see Yahoo as being an extremely important catalyst in mainstream adoption of OpenID,” Recordon noted. “In a single announcement, they’ve added nearly a quarter-billion new OpenIDs to the entire ecosystem. In just two weeks, this has already been a great year for OpenID with Yahoo joining AOL, Apple, Google, Microsoft, VeriSign and others in their support of OpenID.”

The Yahoo announcement effectively triples the number of people who are able to use OpenID, and the OpenID movement is clearly hopeful that Yahoo’s support will help spur adoption.

One-Way Back Scratching

Yahoo’s support, however, goes in only one direction. “If Yahoo decides to accept OpenID on their own properties, it would allow the other 150-plus million people with OpenIDs to log in and use Yahoo services without having to directly create a new Yahoo identity if they didn’t want to,” Recordon explained.

So who are those 150 million OpenID users?

“Most of today’s users are definitely tech-savvy,” Scott Kveton, chairman of the OpenID Foundation board, told LinuxInsider. “I liken OpenID to RSS — if you ask a casual user of the Internet what RSS is, they will probably shrug their shoulders.

“However, RSS is used in many, many popular applications,” he added. “I think OpenID will take the same path and we’ll start to see applications that take advantage of what it means to be an OpenID; I’ve proved I own this specific, unique end-point for myself on the Internet. What I land there — services or otherwise — will be what really propels OpenID’s growth and adoption.”

Yahoo’s implementation is based on the OpenID 2.0 specification. Yahoo worked closely with the OpenID Foundation and community to finalize the specification in December 2007. The specification includes new features that improve security and usability of OpenID, making it the most user-friendly single sign-on and online user-authentication standard, Yahoo said. Yahoo’s users who log in with their Yahoo ID on OpenID sites will have the added protection of Yahoo’s sign-in seal wherever they go on the Web. No e-mail or IM addresses are revealed or disclosed as part of the login process, Yahoo noted, which further helps protect users from phishing or other attacks.

All Eggs in One Basket?

Critics of OpenID contend that users are essentially putting all of their access details in a single basket — if the basket were ever compromised, so to speak, nefarious individuals could gain access to everything inside the basket.

“The balance between convenience and security is always going to be an issue,” Stephen O’Grady, RedMonk industry analyst, told LinuxInsider. “OpenID certainly has its issues, but then so too does the challenge of remembering multiple passwords for different sites and accounts. While in theory it would be more secure to use different, unique, strong passwords for different venues, in practice most people use one simple one throughout.”

If users use a single, robust authentication system, it’s not only convenient, it may also be stronger than many weak login methods, he noted.
