Sunday, September 2, 2007

Eight top OpenID providers comparison

This is my second post in a series on OpenID. See my previous post here.
For a project I did, I had to add OpenID to an existing website. One requirement of the project was that external OpenID providers should be used (thus the site would not also "be" an OpenID provider). To make sure the newly added code to support OpenID registration would work with most OpenID providers, I tested quite a few of these providers. This gave me quite a good overview of what functionality OpenID providers (should) provide, and how they compare to each other. The OpenID providers I used for testing and this comparison are a sub-list from here.

The comparison table below lists each OpenID provider and gives a comparison of the most important features these providers (should) support. To be part of this comparison, the provider has to provide all functionality at least in English.

OpenID provider details the OpenID providers.
Version shows which OpenID version is supported. Listed will be either 1.1, and/or 2.0 (still in draft), and/or XRDS and/or Yadis.
HTTPS indicates whether HTTPS is enforced during the authentication, even if you type in the OpenID without the protocol (i.e. no leading http:// or https://).
Login redirect indicates whether the OpenID provider will allow you to log in from a consumer (a regular website that provides an OpenID login) by redirecting the user to the OpenID provider's login page. A few providers already no longer allow this. They will send the user to a very basic page, telling the user to first log in to the OpenID provider. This page usually does not even contain a link to the login page. That page mentions that not putting a link on the page is to prevent phishing. I don't see that. How does not showing a link prevent phishing? A user would only know there is no link on that page if she has ended up on that page before. And even if she has seen the page before, would she remember that if ever ending up on a phishing page with a link to the supposed login? I doubt that.
Simple registration ext indicates whether the OpenID provider supports this extension, which allows very basic profile information to be passed back to the consumer. Examples are an email address and the nickname.
Personas allows you to assign multiple such profiles to the same OpenID (URL).
Additional features lists any specific features worth mentioning.

| OpenID provider | Version | HTTPS | Login redirect | Simple registration ext | Personas | Additional features |
|---|---|---|---|---|---|---|
| WordPress | 1.1 | No | No. Shows after login whether you want to continue signing in. | Yes | 1 | N/a |
| LiveJournal | 1.1, Yadis, XRDS. | No | No. But shows username + password fields on the landing page. | No, e.g. nickname is not passed back. | 0. Could not find where to enter e.g. nickname. | N/a |
| AOL | 1.1, Yadis. | Yes | Yes | No | 0. Could not find where to enter e.g. nickname. | The OpenID takes the form of openid.aol.com/yourname instead of yourname.aol.com or similar. |
| VeriSign PIP | 1.1, 2.0, Yadis, XRDS. | N/a | No. Does not show whether you want to continue after login. | Yes | 1. At authentication you can indicate which fields should be passed back. You can also create new custom fields! | Still in beta. I do remember seeing multiple personas but it seems they dropped it. Very basic landing page if you go to the OpenID URL. |
| MyOpenID | 1.1, 2.0, Yadis, XRDS. | Yes | Yes | Yes | Yes, many. | Very elaborate OpenID provider. Provides the most functionality. From JanRain, Inc, which also provides many libraries for implementing OpenID. |
| GetOpenID | 1.0, maybe 1.1. | Yes | Yes | No | 0. Could not find where to enter e.g. nickname. | The OpenID takes the form of getopenid.com/yourname instead of yourname.getopenid.com |
| Videntity.org | 1.0, maybe 1.1. | No | Yes | No. At least, you can fill it in on a profile page, but I noticed multiple sites not being able to find any nickname in the OpenID reply. | 1 | Strange that they seem to support a profile, but I couldn't get it to return for example a nickname when logging in with an OpenID. In any case, on the page where you have to allow/deny, it does NOT show any of the fields I filled in on the profile page. |
| ClaimID | 1.0, maybe 1.1, Yadis, XRDS. | Yes when you specify the protocol in your OpenID | Yes | Yes | 1. If you haven't filled in your profile, you can enter it there on the spot. | The OpenID takes the form of claimid.com/yourname instead of yourname.claimid.com. |



I was really surprised to find out that not all providers perform the authentication over HTTPS. That sounds like a basic security feature that should be enabled by default by an OpenID provider. Also, all of the above OpenID providers seem to be run by a commercial company. Not many non-profit versions exist (like mijnopenid.nl). That one I did not include because it is in Dutch.
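Two of the columns above have a concrete counterpart on the consumer side, shown here as an added example (not code from the post or from any of the listed providers). First, OpenID 1.1 identifier normalization prepends http:// when the user types no scheme, so an HTTPS login only happens if the provider itself redirects, which is exactly what the HTTPS column measures. Second, when the Simple Registration extension is used, the consumer should only accept sreg fields that the provider listed in openid.signed, after verifying openid.sig with the association's shared key (signature verification is assumed to be done elsewhere and is not shown). The return URL and its values are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample of an OpenID 1.1 id_res response, i.e. the URL the provider
# redirects the browser back to. openid.signed covers nickname and email, but the
# fullname parameter was appended unsigned (simulating a tampered redirect).
SAMPLE_RETURN_URL = (
    "https://consumer.example/openid/return?"
    "openid.mode=id_res&openid.identity=https%3A%2F%2Fmytest.myopenid.com%2F"
    "&openid.return_to=https%3A%2F%2Fconsumer.example%2Fopenid%2Freturn"
    "&openid.signed=mode%2Cidentity%2Creturn_to%2Csreg.nickname%2Csreg.email"
    "&openid.sig=ZmFrZXNpZw%3D%3D"
    "&openid.sreg.nickname=mytest&openid.sreg.email=mytest%40example.org"
    "&openid.sreg.fullname=Injected+Name"
)

# Field names defined by the Simple Registration extension 1.0.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


def normalize_identifier(user_input):
    """Basic OpenID 1.1 normalization: add http:// when no scheme was typed
    (e.g. 'mytest.myopenid.com') and a trailing slash to an empty path.
    Only these two steps are implemented here (assumption of this example)."""
    ident = user_input.strip()
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    if urlparse(ident).path == "":
        ident += "/"
    return ident


def parse_response(return_url):
    """Extract the openid.* parameters from the return_to URL."""
    query = parse_qs(urlparse(return_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items() if k.startswith("openid.")}


def split_sreg(params):
    """Return (trusted, rejected): sreg fields covered by openid.signed versus
    fields that were present but not signed and must not be stored."""
    signed = set(params.get("openid.signed", "").split(","))
    trusted, rejected = {}, {}
    for field in SREG_FIELDS:
        key = "openid.sreg." + field
        if key in params:
            target = trusted if ("sreg." + field) in signed else rejected
            target[field] = params[key]
    return trusted, rejected
```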

If you want a free anonymous OpenID, check this Anonymous OpenID server. Note that anybody can use that anonymous OpenID since it requires no authentication!
This service lets you use your Yahoo! account as an OpenID.

Conclusion
Based upon the above table and my experience, the most secure (i.e. HTTPs), solid (not in beta) and flexible (multiple profiles) OpenID provider is myOpenID.com. Of course you should try not to be dependent on one provider and therefore use delegation; see my previous posting for an explanation of delegation.

11 comments:

Justen Stepka said...

If you are looking to run your own OpenID server that supports all of these features (https, multiple profiles, version 1.1/2.0, etc ) in the matrix along with things like LDAP, then check out Atlassian's Crowd OpenID server.

fred said...

Just as a clarification, ClaimID does offer https - https://claimid.com/

Techie said...

@fred: Thanks for pointing that out. After some more tests I found out: claimid does not enforce https when you type in an OpenID like claimid/mytest. For example myopenid.com does a redirect to https if you enter mytest.myopenid.com (thus w/o the protocol).
Neither do videntity, livejournal, wordpress support this.
Getopenid and aol do support it too.
Special case: Verisign. You are redirected to a landing page. When you login to the URL given in the landing page, it does a HTTPs redirect.
I've updated the table to reflect this better.

Anonymous said...

Hi: Good analysis. By way of introduction I am the technical director for the PiP here at VeriSign and I wanted to offer some commentary as to PiP specifically.

1) I am really not clear on the column which says "Login redirect"; could you explain that a bit better? In our current implementation, in order to reduce phishing attacks, we require that a user be logged into the PiP first before any transaction with an RP. You might also check out our SeatBelt product, which is an anti-phishing form filler to enhance the overall protection (https://pip.verisignlabs.com/seatbelt.do)

2) I'm not really clear in our section where you have Https you have for us N/A which I'm not clear on. Our entire site is supported with an Extended Validation certificate so HTTPs is used exclusively when logging into and interacting with the site.

3) Under additional features in fact we do support multiple personas and in our latest release this has been enhanced. You can now from a single user account create multiple OpenID urls.

4) I would also point out some of the new features we have added. We now support 2nd factor authentication with a physical token. If you have a Paypal Security Key you can now bind that with your PiP account (https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside) In addition, we support Microsoft's Cardspace service which allows you to take your OpenID identity and from that create a Managed Identity Card.

Keep your eye on us - many good things to come.

Kevin Fox - Trust Us Technologies said...

Good review, excellent resource. MyOpenID also has a great affiliate program, including the ability to give/host your members OpenID accounts in the form of username.yourdomain.com

Anonymous said...

Nice work, thanks for sitting down and organizing that info for everyone.

I'd love to see more comparisons like this, perhaps delving deeper into other security aspects, like anti-phishing for example.

Cheers,
Tara

Kevin Fox - Trust Us Technologies said...

In the comments of this jyte claim Robert Mark White provides a great list of each of these providers 'unique features'.

Anonymous said...

if you ask me, this entire comparison is bunk due to the absence of myvidoop.com. they use https and have all the other bells and whistles you speak of. pretty sure they have an affiliate program that revenue shares. dare i say myvidoop.com is the "boy wonder" of openID? yes, i do. yes, i do.

Anonymous said...

Good job.

Anonymous said...

how does myvidoop compare?

Johannes said...

Excellent - exactly what I needed. Thanks a lot, I'm going straight to MyOpenID :-)