Eight top OpenID providers comparison
This is my second post in a series on OpenID. See my previous post here.
For a project I did, I had to add OpenID support to an existing website. One requirement of the project was that external OpenID providers should be used (so the site itself would not also "be" an OpenID provider). To make sure the newly added OpenID registration code would work with most OpenID providers, I tested quite a few of them. This gave me a good overview of what functionality OpenID providers (should) provide, and how they compare to each other. The OpenID providers I used for testing and this comparison are a sub-list from here.
The comparison table below lists each OpenID provider and gives a comparison of the most important features these providers (should) support. To be part of this comparison, the provider has to provide all functionality at least in English.
OpenID provider details the OpenID providers.
Version shows which OpenID version is supported. Listed will be 1.1 and/or 2.0 (still in draft), and/or XRDS and/or Yadis.
HTTPs indicates whether HTTPs is enforced during authentication, even if you type in the OpenID without the protocol (i.e. no leading http:// or https://).
Login redirect indicates whether the OpenID provider lets you log in from a consumer (a regular website that offers an OpenID login) by redirecting you to the provider's login page. A few providers no longer allow this. Instead they send the user to a very basic page telling the user to first log in to the OpenID provider. This page usually does not even contain a link to the login page, and it states that leaving out the link is meant to prevent phishing. I don't see that. How does not showing a link prevent phishing? A user would only know there is no link on that page if she has ended up on that page before. And even if she has seen the page before, would she remember that if she ever ends up on a phishing page with a link to the supposed login? I doubt it.
Simple registration ext indicates whether the OpenID provider supports the Simple Registration extension, which allows very basic profile information (for example an email address and a nickname) to be passed back to the consumer.
Personas indicates whether you can attach multiple such profiles to the same OpenID (URL).
Additional features lists any specific features worth mentioning.
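The Simple Registration column above concerns data the consumer receives from the provider. The following is an added example (not code from the post) showing what a consumer sends to request SREG fields and, on the way back, which returned fields are actually covered by the provider's signature; the namespace URIs are the spec values, and the sample `id_res` response is constructed.

```python
"""Build an OpenID Simple Registration (SREG) request and pick out the SREG
fields in the provider's response that are covered by its signature.
Added example, not code from the post. Namespace URIs are from the OpenID 2.0
and SREG 1.1 specs; SAMPLE_RESPONSE below is a constructed id_res message."""

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

def sreg_request_params(required, optional=()):
    """Parameters a consumer adds to the checkid_setup redirect to ask the
    provider for profile fields such as email and nickname."""
    params = {"openid.ns.sreg": SREG_NS,
              "openid.sreg.required": ",".join(required)}
    if optional:
        params["openid.sreg.optional"] = ",".join(optional)
    return params

def split_sreg_fields(response):
    """Return (signed, unsigned) dicts of SREG fields from an id_res response.
    A field missing from openid.signed is not covered by openid.sig, so the
    consumer must not treat it as vouched for by the provider."""
    signed_names = set(response.get("openid.signed", "").split(","))
    # The alias bound to the SREG namespace is not necessarily 'sreg'.
    alias = next((key[len("openid.ns."):] for key, val in response.items()
                  if key.startswith("openid.ns.") and val == SREG_NS), None)
    signed, unsigned = {}, {}
    if alias is None:
        return signed, unsigned
    prefix = f"openid.{alias}."
    for key, value in response.items():
        if key.startswith(prefix):
            field = key[len(prefix):]
            # openid.signed lists names without the leading 'openid.'
            target = signed if f"{alias}.{field}" in signed_names else unsigned
            target[field] = value
    return signed, unsigned

# Constructed response: the provider signed the email but not the nickname.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.email": "alice@example.org",
    "openid.sreg.nickname": "alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.sreg,sreg.email",
    "openid.sig": "PLACEHOLDER-BASE64-SIGNATURE",
}
```

Verifying `openid.sig` itself is left to the consumer's OpenID library; this only shows which fields that signature covers.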
| OpenID provider | Version | HTTPs | Login redirect | Simple registration ext | Personas | Additional features |
|---|---|---|---|---|---|---|
I was really surprised to find out that not all providers perform the authentication over HTTPs. That sounds like a basic security feature that should be enabled by default by an OpenID provider. Also, all of the above OpenID providers seem to be run by commercial companies; not many non-profit ones exist (mijnopenid.nl is one). I did not include that one because it is in Dutch.
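The HTTPs test described in this post (type the OpenID without a protocol and see whether the provider redirects to https) can be automated. This is an added example, not code from the post: it normalizes the identifier the way OpenID 2.0 does, follows the redirect chain, and flags a provider that drops back to plain http. Network access is replaced by `fake_fetch`, a constructed stand-in with made-up hosts, so it runs offline.

```python
"""Check whether an OpenID provider upgrades a scheme-less identifier to HTTPS,
the way the post tested 'mytest.myopenid.com' typed without a protocol.
Added example, not code from the post. Network access is replaced by
fake_fetch, a constructed stand-in returning (status, Location) pairs."""
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def normalize_identifier(user_input):
    """OpenID 2.0 normalization for URL identifiers: prepend http:// when
    no scheme is given, default the path to '/', drop any fragment."""
    ident = user_input.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

def https_enforced(user_input, fetch, max_hops=5):
    """Follow redirects from the normalized identifier.
    Returns (enforced, chain): enforced is True only when the final URL is
    https and no hop falls back from https to plain http (a downgrade)."""
    url = normalize_identifier(user_input)
    chain = [url]
    reached_https = url.startswith("https://")
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = location
        chain.append(url)
        if url.startswith("https://"):
            reached_https = True
        elif reached_https:
            return False, chain  # downgrade after an https hop
    return url.startswith("https://"), chain

# Constructed provider behaviours (not real hosts): one upgrades to https,
# one stays on plain http, one goes to https and then back down to http.
FAKE_WEB = {
    "http://upgrade.example/": (301, "https://upgrade.example/"),
    "https://upgrade.example/": (200, None),
    "http://plain.example/user": (200, None),
    "http://downgrade.example/": (302, "https://downgrade.example/login"),
    "https://downgrade.example/login": (302, "http://downgrade.example/done"),
    "http://downgrade.example/done": (200, None),
}

def fake_fetch(url):
    """Stand-in for an HTTP GET that does not follow redirects itself."""
    return FAKE_WEB.get(url, (404, None))
```

Against a live provider, `fetch` would be a request that does not auto-follow redirects, so each hop's scheme stays visible.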
If you want a free anonymous OpenID, check this Anonymous OpenID server. Note that anybody can use that anonymous OpenID since it requires no authentication!
This service lets you use your Yahoo! account as an OpenID.
Conclusion
Based on the above table and my experience, the most secure (i.e. HTTPs), solid (not in beta) and flexible (multiple profiles) OpenID provider is myOpenID.com. Of course you should try not to depend on a single provider, and therefore use delegation; see my previous post for an explanation of delegation.
11 comments:
If you are looking to run your own OpenID server that supports all of these features (https, multiple profiles, version 1.1/2.0, etc ) in the matrix along with things like LDAP, then check out Atlassian's Crowd OpenID server.
Just as a clarification, ClaimID does offer https - https://claimid.com/
@fred: Thanks for pointing that out. After some more tests I found out: claimid does not enforce https when you type in an OpenID like claimid/mytest. For example, myopenid.com does a redirect to https if you enter mytest.myopenid.com (thus without the protocol).
Nor do videntity, livejournal or wordpress support this.
Getopenid and aol do support it too.
Special case: Verisign. You are redirected to a landing page. When you login to the URL given in the landing page, it does a HTTPs redirect.
I've updated the table to reflect this better.
Hi: Good analysis. By way of introduction I am the technical director for the PiP here at VeriSign and I wanted to offer some commentary as to PiP specifically.
1) I am really not clear on the column which says "Login redirect"; could you explain that a bit better? In our current implementation, in order to reduce phishing attacks, we require that a user be logged into the PiP first before any transaction with an RP. You might also check out our SeatBelt product, which is an anti-phishing form filler to enhance the overall protection (https://pip.verisignlabs.com/seatbelt.do).
2) I'm not really clear on the HTTPs column, where you have N/A for us. Our entire site is supported with an Extended Validation certificate, so HTTPs is used exclusively when logging into and interacting with the site.
3) Under additional features in fact we do support multiple personas and in our latest release this has been enhanced. You can now from a single user account create multiple OpenID urls.
4) I would also point out some of the new features we have added. We now support 2nd factor authentication with a physical token. If you have a PayPal Security Key you can now bind that with your PiP account (https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside). In addition, we support Microsoft's CardSpace service, which allows you to take your OpenID identity and from that create a Managed Identity Card.
Keep your eye on us - many good things to come.
Good review, excellent resource. MyOpenID also has a great affiliate program, including the ability to give/host your members OpenID accounts in the form of username.yourdomain.com
Nice work, thanks for sitting down and organizing that info for everyone.
I'd love to see more comparisons like this, perhaps delving deeper into other security aspects, like anti-phishing for example.
Cheers,
Tara
In the comments of this jyte claim Robert Mark White provides a great list of each of these providers 'unique features'.
If you ask me, this entire comparison is bunk due to the absence of myvidoop.com. They use https and have all the other bells and whistles you speak of. Pretty sure they have an affiliate program that revenue shares. Dare I say myvidoop.com is the "boy wonder" of OpenID? Yes, I do. Yes, I do.
Good job.
How does myvidoop compare?
Excellent - exactly what I needed. Thanks a lot, I'm going straight to MyOpenID :-)