On January 18th, Yahoo announced support for OpenID 2.0. OpenID is an open framework for decentralized single sign-on. It allows a user to register with one trusted Identity Provider (IdP), and then sign in to any other OpenID-enabled site by simply pointing that site to the IdP where the account was established. For example, once Yahoo starts this service, I would be able to go to any web site that also supports OpenID and tell that site that I am a Yahoo user. The site will then verify my credentials using Yahoo’s sign-on system. Effectively, once I have my Yahoo account, I will no longer need to remember separate usernames and passwords for the other sites that support OpenID; I will be able to log straight in to them.

Sounds exciting, doesn’t it? Well, it’s certainly exciting news for the OpenID community. But what does this actually mean for users and for the further advance of the technology? Before I dwell on that question, let’s look at the facts. Yahoo claims 248 million registered users. That’s about as big as it gets in terms of an identity provider, and of course the OpenID scene is thrilled. On January 30th, Yahoo will debut its first public beta version of the service. Interestingly, Yahoo has chosen to support only version 2.0, instead of offering support for the more established version 1.1.

So why support only version 2.0? Yahoo specifically points to security as the reason (OpenID 2.0 is more secure). This is most likely because of several oversights in the OpenID 1.1 specification that could be exploited for phishing attacks. Understandably, Yahoo does not want to be haunted by that. This is also why Yahoo is promoting its “sign-on seal” for the OpenID service. A “sign-on seal” is a special piece of text or a small image that you configure once, and which is then displayed every time Yahoo asks you to sign in. A rogue site posing as a Yahoo-branded login page does not know your seal and cannot show it, which is what makes the seal an anti-phishing measure. Yahoo introduced this feature in mid-2006, and did it in a very elegant and user-friendly way.
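The step where the site “verifies my credentials using Yahoo’s sign-on system” ends with the IdP redirecting the user back to the site carrying a signed OpenID 2.0 assertion. The checks a relying party has to make on that assertion (signature over the required fields with the HMAC-SHA256 association key, matching return_to and association handle, a fresh nonce) are shown below as an added example; this is not code from the post, from Yahoo or from any OpenID library, and the key, handle, URLs and nonce are constructed placeholders.

```python
import base64, calendar, hashlib, hmac, time

OPENID2_NS = "http://specs.openid.net/auth/2.0"
MAC_KEY = b"\x07" * 32            # hypothetical association secret (constructed)
ASSOC_HANDLE = "example-assoc-1"  # hypothetical handle from the association step
RETURN_TO = "https://rp.example/openid/return"   # placeholder relying-party URL
CLAIMED = "https://op.example/users/alice"       # placeholder claimed identifier

def kv_form(fields, signed_keys):
    # Key-Value Form encoding: "key:value\n" for each field, in openid.signed order
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)

def compute_sig(fields, mac_key):
    # OpenID 2.0 signature: base64(HMAC-SHA256(mac_key, kv_form(signed fields)))
    keys = fields["openid.signed"].split(",")
    return base64.b64encode(hmac.new(mac_key, kv_form(fields, keys).encode(),
                                     hashlib.sha256).digest()).decode()

def verify_assertion(fields, mac_key, assoc_handle, return_to, seen_nonces, now, max_age=300):
    """Relying-party checks on a positive assertion; returns the claimed_id or None."""
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return None
    signed_keys = set(fields.get("openid.signed", "").split(","))
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= signed_keys:           # unsigned identity fields could be swapped in transit
        return None
    if fields.get("openid.assoc_handle") != assoc_handle or fields.get("openid.return_to") != return_to:
        return None
    nonce = fields.get("openid.response_nonce", "")
    try:                                      # nonce = UTC timestamp followed by unique characters
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None
    if nonce in seen_nonces or not (now - max_age <= issued <= now + max_age):
        return None                           # replayed, stale or future-dated response
    try:
        ok = hmac.compare_digest(compute_sig(fields, mac_key), fields.get("openid.sig", ""))
    except KeyError:                          # openid.signed names a field that is absent
        return None
    if not ok:
        return None
    seen_nonces.add(nonce)                    # remember the nonce only after everything passed
    return fields["openid.claimed_id"]

SAMPLE = {  # constructed positive assertion, as it would arrive in the redirect query string
    "openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://op.example/auth",
    "openid.claimed_id": CLAIMED, "openid.identity": CLAIMED, "openid.return_to": RETURN_TO,
    "openid.assoc_handle": ASSOC_HANDLE, "openid.response_nonce": "2008-01-30T12:00:00Zabc123",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,assoc_handle,response_nonce",
}
SAMPLE["openid.sig"] = compute_sig(SAMPLE, MAC_KEY)   # what an honest IdP would attach
NOW = calendar.timegm((2008, 1, 30, 12, 1, 0))       # one minute after the nonce was issued
```

A real relying party would also confirm that openid.op_endpoint matches what discovery returned for the claimed identifier, which needs network access and is left out here.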

Rarely are grand announcements made without some kind of “gotcha”, and this case is no exception: Yahoo will start by allowing other sites to consume Yahoo OpenIDs, but not the other way around. It will not accept OpenIDs from other providers (at least for the time being). This is actually quite a big deal. The big advantage of having an OpenID is that I don’t have to keep managing and remembering passwords at the many other sites I use. But if the “big boys” such as Yahoo, AOL and potentially even Google in the future claim that they “support OpenID” while only allowing their own IDs to be used elsewhere, and not the other way around, that advantage is lost. Hence, it will not yet be possible to sign in to Yahoo’s services using, for example, an AOL account.

AOL has been supporting OpenID for some time now, having announced almost a year ago that it would provide OpenIDs to its users (similar to what Yahoo has now done, but with version 1.1). Even though AOL stated that it would work “gradually” towards accepting OpenID identities from other entities as well, this progress has been very slow, and AOL has drawn criticism because of it. Yahoo, on the other hand, does not directly mention any planned support for accepting OpenIDs from other entities. In Yahoo’s press release, it’s all about adding 248 million users to the OpenID “ecosystem”. Ominously, there is no reference to the other direction. Hopefully this will happen, because otherwise Yahoo’s step, although in the right direction, is a one-handed one: let the drawbridge to the castle down, but only let people out, not in. Now that Yahoo is the biggest contributor of OpenIDs on the Internet, will it also be a leader? Or will other major players, such as Google, which is already experimenting with OpenID through its blogs, or even AOL, make the first step in also accepting OpenIDs? I will not be the only one watching carefully over the next months.