Dear Community,
what do you think about using OpenID for Challenge-Sites?
Here is some information:
YouTube (simple explanation), some information
from Google and
A longer
video from GoogleTechTalks is also online.
Plaxo published
A Recipe for OpenID-Enabling Your Site
Software I'd suggest:
OpenID-Selector (JavaScript) and
lightopenid (PHP).
Stackoverflow uses something very similar to the OpenID-Selector.
I really like OpenID and I would like it to get used in some more websites.
Reasons for OpenID:
Too many passwords: I don't trust some challenge websites I've found and for all of them I don't want to use a password which might get critical (so I have to use different passwords for eBay, Amazon, Email, Server, and the Challenge websites. Even if I used the same password for all challenge-websites, that were 5 different passwords)
Too many usernames: Quite often I have the problem, that I don't remember my username for challenge websites, as moose is used quite often and I have to take moose2, themoosemind, ...
Easier Registering: With OpenID and attribute exchange you don't have to fill a form. No Email-confirmation

Easier Login: Most of the time you don't have to type in your password again
More possibilities of proving your identity: The OpenID protocoll doesn't need a special login. The identity provider may identify the user like he thinks its the securest way. This means, a two-way authentification is also possible. You could additionally get a SMS with a random code to log in each time you use OpenID. German users could also use the
new identity card with a "
Komfortlesegerät" to prove their identity.
If you like to do these, ask the user if it's ok for him to publish his OpenID!
* (Possibly) easier
Challenge Accounts registration in wechall: If other websites displayed the OpenIDs of the users, could directly sync the sites.
"Discovery" possbile: If a new User registers at with OpenID, could automatically check if this OpenID is already at other challenge sites (if they allow search for OpenID) and add these sites to the wechall-profile without bothering the user with registering Email-Adresses.
Concerns agains OpenID:
* It is basically a method of re-using a password. This is never a good idea. -> Password re-using is already happening. So OpenID wouldn't change anything.
* If the system of the OpenID provider is somehow compromised it then gives access to the linked services
* Once the OpenID-Account is hacked, the attacker knows the sites which use OpenID and has the account for logging in.