What's wrong with Yahoo's OpenID implementation

Today Yahoo [launched support](http://open.login.yahoo.com/) for [OpenID](http://openid.net/). On the surface this seems great for OpenID. Unfortunately there are a number of problems with it.

For those unfamiliar with OpenID, it is a [single sign-on](http://en.wikipedia.org/wiki/Single_sign_on) system, which allows users to remember a single username and password for signing in to any site which supports OpenID. There are two basic parts to the OpenID system: sites which wish to allow users to sign in using an OpenID (the “relying party”), and sites which host your OpenID (the “OpenID provider”). Yahoo has chosen to be the latter, an OpenID provider.

Most OpenID providers give their users a simple, easy to remember OpenID like “username.livejournal.com” or “username.wordpress.com”. However, by default Yahoo provides their users with an obscure OpenID like “me.yahoo.com/a/1bjkvd893414lka09i23”, impossible for any normal person to remember. Why not use “me.yahoo.com/username” like most other OpenID providers, you ask? Simple: so Yahoo can force other sites (the “relying parties”) into placing “Sign in using Yahoo” buttons on their login pages. If a site wants to allow millions of Yahoo users to easily sign in, they must include this button. Free advertising for Yahoo.

If other OpenID providers follow this trend we’ll soon end up with login pages covered with dozens of “Sign in using ________” buttons. This is definitely *not* the intention of OpenID. Any user with any OpenID provider should be able to type their OpenID into any site which supports OpenID, and it should just work.

Additionally, Yahoo has chosen not to be a relying party themselves. This means that users who have OpenIDs from any number of other providers can’t sign into Yahoo using their existing OpenID. They’re basically saying “Yeah we support OpenID… as long as WE’RE in control”.

To become an acceptable OpenID provider, Yahoo should:

* give users https://me.yahoo.com/username by DEFAULT, not as an option buried somewhere in the settings.
* educate users to type either me.yahoo.com/username or yahoo.com into OpenID login pages, NOT have Yahoo-specific buttons.
* become an OpenID relying party, i.e. allow other people to log into Yahoo using their OWN OpenIDs.

In the meantime, I suggest getting an OpenID from [another provider](http://openid.net/get/) such as [myopenid.com](https://www.myopenid.com/). If you have a personal website or blog, you can easily use its URL as your OpenID via delegation. Sam Ruby has an [excellent overview of various OpenID options](http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers).
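Delegation works by putting a couple of `<link>` tags in the `<head>` of your home page; a relying party fetches your URL, reads those tags, and sends you to the provider they name. The following is an added example, not code from the original post or from any OpenID provider: a constructed home page that delegates to a hypothetical provider (`provider.example`, `alice.provider.example`), and a small discovery routine of the kind a relying party runs over it. It handles both the OpenID 2.0 tags (`openid2.provider`, `openid2.local_id`) and the older 1.x ones (`openid.server`, `openid.delegate`), preferring 2.0 when both are present.

```python
"""
Added example: OpenID delegation via HTML <link> tags, and the discovery
step a relying party performs to read them. All URLs are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed sample: what the owner of https://example.org/ would place in
# the <head> of their home page to use that URL as their OpenID.
SAMPLE_HOMEPAGE = """
<html>
<head>
  <title>Example personal site</title>
  <link rel="openid2.provider" href="https://provider.example/server" />
  <link rel="openid2.local_id" href="https://alice.provider.example/" />
  <link rel="openid.server" href="https://provider.example/server" />
  <link rel="openid.delegate" href="https://alice.provider.example/" />
</head>
<body>Hello</body>
</html>
"""


class _LinkCollector(HTMLParser):
    """Collects rel -> href for every <link> tag found inside <head>."""

    def __init__(self) -> None:
        super().__init__()
        self.in_head = False
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                # rel may carry several space-separated tokens; first one wins
                for token in rel.split():
                    self.links.setdefault(token.lower(), href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover_delegation(html: str, claimed_id: str) -> Optional[dict]:
    """Return the provider endpoint and local identifier a page delegates to.

    Returns None when the page carries no OpenID link tags. If the page names
    a provider but no local identifier, the claimed URL itself is the
    identifier the provider is asked to authenticate.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return {
            "version": "2.0",
            "endpoint": links["openid2.provider"],
            "local_id": links.get("openid2.local_id", claimed_id),
        }
    if "openid.server" in links:
        return {
            "version": "1.1",
            "endpoint": links["openid.server"],
            "local_id": links.get("openid.delegate", claimed_id),
        }
    return None


if __name__ == "__main__":
    print(discover_delegation(SAMPLE_HOMEPAGE, "https://example.org/"))
```

The relying party trusts whatever the fetched page says, so the page that carries these tags is the thing that actually controls where your login is sent; serving it over HTTPS, as in the sample, is what keeps that decision yours.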

  • guest

    I agree with tom and shreyas. You are wrong! Your solution has indirectly opened doors for spammers on Yahoo Mail!