Hot on the heels of Yahoo’s announcement to get on board with OpenID comes the news that Microsoft, Google, IBM, and VeriSign are all jumping on too. That’s fantastic news. If they stick to it, I’m sure it won’t take too long for everyone else to follow suit, and we’ll finally have that Internet-wide authentication system.
While we’re already taking advantage of OpenID on Basecamp, Backpack, and Highrise and integrating them all through our OpenBar, there’s still a lot more to do. We have quite a few plans to take OpenID usage even further and the news that all the big boys are starting to pay attention as well only prove to encourage those plans.
So if you haven’t already looked into this whole OpenID thing, I’d strongly recommend doing so. It’s one of those things where before you have it, it doesn’t really seem like a big deal. But once you do, you find it hard to believe you ever lived without it. And you’ll be somewhat annoyed when applications don’t support it (yes, yes, we’ll get Campfire on board as well).
Jon Maddox
on 07 Feb 08When these guys let me log in with my OpenID, I’ll jump for joy. For now, meh.
Nick Plante
on 07 Feb 08It’s about time already :-)
Nathaniel
on 07 Feb 08I would love to have Ta-da Lists support OpenBar – I use Ta-da all the time because it looks so nice on my iPhone.
Jonathan Mercer
on 07 Feb 08Whilst this looks like a good idea, my experience (limited to 37signals products) made me go back to regular login. I had all my products working nicely, and then the openid server went offline, and I was left stranded. Untill this is bulletproof – it’s too much of an ‘all you eggs in one basket’.
It could be that I just wasn’t smart enough to work out how to ‘get back’ easily – but it was really worrying when I couldn’t access anything – and I couldn’t sort it out easily.
You need much better and clearer (and I mean really clear) instructions on how it works, and what to do if it goes wrong.
I can see you techie guys think it’s easy, but I just don’t have enough headspace to work out what to do six months after I have set it up and forgotten how to reverse it.
And I mean – much clearer! (and not hidden away on a page you never go to, and can’t because you can’t get access!)
Thanks anyway.
Seth
on 07 Feb 08It’s really cool to see a lot of the web finally coming together. With all these major companies signing on to OpenID and other companies using Google’s new Social Networking API the future looks awesome for the web! Not to mention FF3, IE8, and all the other browser improvements that are finally peering over the horizon.
Mark Holton
on 07 Feb 08This is great news! ...cannot wait until there is a consensus + the api. Thanks for the heads up on this.
Felipe
on 07 Feb 08I second Jon Maddox: now that the “ID” part is implemented, what about the “Open” part?
Benjamin King
on 07 Feb 08I love the idea of OpenID like the rest of you but I’m concerned about security…I just read this blog article this morning that shows how OpenID is vulnerable to cross-site scripting (XSS) and cross-site request forgeries (CSRF) attacks. I think the security of OpenID needs to implement SSL/Certificates to avoid these types of attacks.
http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts
Daniel
on 07 Feb 08Any plans for supporting OpenID 2.0 in your apps in the near future? ‘Cause my newly gained Flickr-OpenID seems to be version 2.0 and when I try to sign up for Basecamp, I get an error, that the OpenID Server can’t be found.
Doug Smith
on 07 Feb 08I don’t know about the others, but Verisign has been working with OpenID for a while now. They have service called Personal Identity Provider (PIP) that acts as an OpenID server for you. The cool thing is that you can associate that with one of their secure token key fob or credit card devices to log in.
Regarding the concerns of having all the eggs in one basket, you can have multiple providers. You can switch between them or specify some as backups in case one is down.
There is a delegation feature where you can add a couple header lines to your own Web site and use that to log in. It then sends the authentication request off to the provider you specify.
If the provider goes down or you decide you don’t trust them, just change it to point to a new one whenever you want. You can then continue to use your own site as the login but it will point to a different provider.
Brandon Wright
on 07 Feb 08This is great, I just started actually using OpenID very recently for 37signals products, and I’m happy to see the Google getting on board finally.
But what about your Open Bar? It doesn’t seem to work consistently. I have my OpenID associated with 2 Basecamp accounts, backpack and highrise, but it doesn’t seem to detect that. There was one screen where I was able to use open bar to switch between my basecamp accounts, but it disappeared for no apparent reason.
nat
on 07 Feb 08I was excited when I heard that Yahoo was going to support OpenID, but I’m less than impressed with their implementation. I don’t want to use my Yahoo ID AS an OpenID, I want to log into Yahoo with the OpenID I already have. If that’s what they consider “support,” what’s the point?
Jacob
on 08 Feb 08We now have every major Internet company allowing you to use the ID from THEM elsewhere.
They have destroyed the whole point of OpenID by not accepting OTHER ids for THEIR sites.
Bob Monsour
on 08 Feb 08I agree with nat, when I saw the announcement I figured that since I had a yahoo acct (that I only use for yahoo finance) I could go there and tell it to use the OpenID provider that I’m already using with 37S. As nat points out, Yahoo (and I expect the other biggies will as well) wants to be your OpenID provider; hence more drive for lockin.
I hope this will change, but I’m undoing my Yahoo OpenID usage for now. That said, it looks like from another comment that Verisign may have gotten it (more) right.
Let’s hope that the new kids will really collaborate on this.
Jeff
on 08 Feb 08The problem with OpenID is that it’s still to computer sciencey of a concept for John Q. Websurfer to understand. It’s not conceptually simple enough for people to get it.
Personally, I just wish that every service would use the same absolutely guaranteed unique thing for my user name: My e-mail address. I’ve been saying this for ten years, and I still have to try and figure out which variant of my typical user name is in use at a particular site. If they were all using my e-mail address, there would be no issue.
Joe Van Dyk
on 08 Feb 08Email addresses aren’t always unique. If I leave a company, and another [email protected] joins Boeing, they’ll get my old email address.
Same thing if you don’t login to hotmail or whatever. Or, if you work for a company that fails and sends the domain name to someone else.
Joe Van Dyk
on 08 Feb 08Except that 37signals doesn’t seem to support openid 2, which yahoo is using… :D
Tom Krush
on 08 Feb 08Your article has just made me realize the coolness factor in OpenID. I was introduced to the idea a while back but figured it was not worth the time. I just looked at a few different sites describing OpenID and I am happy with what it does. Thanks 37signals for helping me look into the technology.
JBagley
on 08 Feb 08I wrote a simple guide to using OpenId a while back on my blog – which someone commented regarding security of OpenId. How by putting all your login credentials in one place makes it more secure? Or is it more of an ease of use thing, than a security thing?
bradley benson
on 08 Feb 08OpenID is working wonderfully, as I have several basecamp accounts to log in to, however with other apps that support the basecamp API (blinksale being one) it doesn’t give you the option to enter the OpenID address to access your basecamp account, it only supports the username/password feature.
Danny W
on 08 Feb 08This is great to hear! We just implemented OpenID support for our time tracking tool, Harvest, and it really makes jumping around OpenID-supported apps nice and easy.
This discussion is closed.