OpenID logins May 4, 2010 12:47 PM

Pony Request: OpenID and Metafiler? Any plans?

We talked about it about three years ago, and I was wondering if there had been any changes. As an alternative or in addition, it would also be great if we could associate an existing account with an OpenID.
posted by bonehead to Feature Requests at 12:47 PM (27 comments total) 1 user marked this as a favorite

I think my thinking is the same as last time -- they might be handy for logging into MeFi with an associated OpenID, and maybe someday we'd be an OpenID provider, but that's a lot tougher.
posted by mathowie (staff) at 1:37 PM on May 4, 2010


I recall the original discussion and my take from it was that it'd be really neat if MeFi were a login provider in addition to simply accepting an OpenID login from somewhere else, since for many people (myself included), Metafilter is sort of the center of their online activities and identity.

I'm not sure that I'd want to use an OpenID from any of the other sites that I'm a member of and which provide such a service (Google, Facebook) to login to Metafilter, since that would seemingly link those accounts together and I'd rather keep them separate. With the exception of the minority of users here on MeFi who use their real names, I suspect many people might have that problem. One of the alleged benefits of OpenID is a "cohesive identity," but many people have Internet identities that are intentionally firewalled from each other.

It'd be pretty awesome if MeFi were an OpenID provider but I can also imagine Matt et al not wanting to be responsible for that on an ongoing basis. (Serious question: what happens if your OpenID provider goes out of business? Are you just SOL, and have to do some sort of account-recovery/backdoor on each site you previously used OpenID auth with? If that's the case, running an OpenID provider would be really serious business.)
posted by Kadin2048 at 1:37 PM on May 4, 2010


Speaking of which, Facebook Connect has all sorts of neat features, and it's such an innovative, forward-thinking and unobtrusive system. Just a win-win, really. Wouldn't it be great if we cou-

No! Wait! I was only kidding! Put that bat down! *CRASHBANGPOUNDPOUNDPOUNDPOUNDCRUSHSTOMPSTOMPSTOMPAIIIIGH!!!gurgle*

...nevermind then...

posted by zarq at 1:43 PM on May 4, 2010 [1 favorite]


Sweet funky McMonkey, YES!
posted by blue_beetle at 1:54 PM on May 4, 2010


I agree with the end of the Facebook comment, although I had nothing to do with the beating. I was too busy checking for sub jobs for tomorrow.
posted by theichibun at 1:58 PM on May 4, 2010


Yeah, my thought was simple to use my existing (Google) OpenID as login credentials for metafilter. Failing that, simply have a link in my profile (since Google allows me to have a much more complicated profile than MeFi does).

This came to mind as I've had to swap browsers a few times recently at work (Free of IE6 at last! Free at last!) and at home (Firefox->Chrome). Relogging into everything was a bit of a pain. Password files don't always migrate cleanly. Had to do more than a few password resets.

MeFi as an OpenID provider seems like opening a box of hurt. Semi-anonymous IDs based on mefi profiles? It's probably not as big a deal as say 4chan offering ID certification, but I can't imagine that would lead to things mefi would always want to be associated with.
posted by bonehead at 2:02 PM on May 4, 2010


Yeah, my thought was simple to use my existing (Google) OpenID as login credentials for metafilter.

I'm not sure how this works with the fact that our membership costs money. Doesn't this mean that anyone with a Google ID would then have a MeFi login?
posted by jessamyn (staff) at 2:05 PM on May 4, 2010


Ooh. Tricky.
posted by bonehead at 2:07 PM on May 4, 2010


Doesn't this mean that anyone with a Google ID would then have a MeFi login?

Yeah, that's how some sites do it. I know Stack Overflow has pure OpenID accounts. But here you would also have to have a standard MetaFilter account. So the only advantage if we set this up is that you wouldn't have to remember your MeFi account credentials once you associate your MeFi account with an OpenID account. And that alone might be worth it.
posted by pb (staff) at 2:13 PM on May 4, 2010


Just so I understand, there are a couple of possibilities:

1) OpenID is just another way to log into a standard account. No extra info in profile.

2) Option to allow members only/general public access to OpenID profile off-site.

I'd like to use 1 and 2, but even just 1 would be great.
posted by bonehead at 2:20 PM on May 4, 2010


Is a Metafiler something like a nail filer, but used to declaw cats?
posted by qvantamon at 2:38 PM on May 4, 2010


I think it's a file you use for sharpening other files.

Semi-anonymous IDs based on mefi profiles?

Sure, why not? (Except for the obvious "maybe Matt doesn't want to.") There's no requirement that OpenIDs map 1:1 to actual human beings. Some people seem to think that they should, or that a correctly-implemented system should allow you to control your personal information so that you wouldn't want to have more than one, but if you have both a Google and Yahoo ID, you have two OpenIDs already. And they are pseudonymous and free; you can sign up for as many of the things as you want.

Since MeFi requires a $5 signup, it would likely be much closer to a 1:1 mapping than many other OpenID providers, but I don't know if that's really an argument for or against offering the service.
posted by Kadin2048 at 2:52 PM on May 4, 2010 [1 favorite]


This will be implemented immediately following the rollout of threaded conversations, the ability to assign MetaFilter Pony Points™ to favored posts and comments, the return of the <img> tag, and the Second Coming of Jesus.

Seriously, though, anything that adds complexity to the Metafilter user experience should be avoided.
posted by killdevil at 3:31 PM on May 4, 2010


Sounds like too much trouble and confusion to me.
posted by dunkadunc at 4:44 PM on May 4, 2010


What would the gain be?
posted by Pope Guilty at 4:51 PM on May 4, 2010


Is a Metafiler something like a nail filer, but used to declaw cats?

It is used to file files, natch. (It can also be used to derail threads.)
posted by domnit at 5:15 PM on May 4, 2010


What would the gain be?

Trivially, it makes logging in easier. You are credentialed by the OpenID provider, so you don't need to remember your mefi password.

More importantly, it can link the fragmented parts of on-line identity.

If I have a web page, or a twitter feed, if I want my contact info to be available (and only to certain groups of people), I can do that. In this sense, it's like a more flexible version of the profile page.

If I comment on other places on the web, like certain blogs, my identity can carry over there too. It's as if I could use my mefi id to log onto other discussion sites. I'm "bonehead" here, but I'm other usernames elsewhere. I would prefer to unify at least parts of my identity.

It's all opt-in. You don't have to participate. If you don't want it, you (probably) won't even have to think about it. It's not too much trouble for people to have their Flickr or Fuelly accounts linked in their profiles, is it? This isn't much different.
posted by bonehead at 5:33 PM on May 4, 2010


I have never really understood what value people see in OpenID or similar single-signon schemes.

What could I do with OpenID that I couldn't do just as easily, if not more so, by picking the same username and password everywhere I go?
posted by flabdablet at 6:17 PM on May 4, 2010


it can link the fragmented parts of on-line identity.

Yes, by all means, let us ensure that all of the Usenet posts I made as a 14-year-old will be readily available to all.
posted by killdevil at 6:48 PM on May 4, 2010


Ugh, OpenID. :/ Please don't do what Stack Overflow did and make it the only sign in mechanism. Unless every site did this (will never happen), it does not solve the "single sign on" issue it purports to and just becomes yet another sign-on one has to remember. My browser solves this issue already for me, all OpenID adds is another level of complexity to the user experience, potential security flaws, and reliance on a third-party service. Solution in search of a problem IMO.

flabdablet - The only convincing thing I've heard is when you want to change all those passwords, or they have different constraints on password/username, making this impractical. I wonder what browsers these people are using that don't store login credentials and auto-fill the forms. NN4? lynx?
posted by cj_ at 6:50 PM on May 4, 2010


What could I do with OpenID that I couldn't do just as easily, if not more so, by picking the same username and password everywhere I go?

If you do that, each of those sites has your credentials and could impersonate you at any of the others, or just leak your username and password to the world. With OpenID, the only entity that's vulnerable to such an attack is the identity provider, which you can run in your own secure environment if you're so inclined.
posted by teraflop at 8:25 PM on May 4, 2010 [1 favorite]


flabdablet: “What could I do with OpenID that I couldn't do just as easily, if not more so, by picking the same username and password everywhere I go?”

Avoiding exactly that is the biggest argument in favor of schemes like OpenID. If you use the same userid/password everywhere, now all your logins are made vulnerable to the weakest site's security. If just one of them does something stupid like storing passwords as plaintext (which a lot do, to facilitate password "recovery" rather than a password reset) and then their DB is compromised, now all your logins are compromised.

E.g., if you use the same login at HappyPonyForum as you do on eBay, your eBay login's security is suddenly only as safe as the people running HappyPonyForum keep it.

The idea behind OpenID and other distributed SSO schemes is that you pick an OpenID "provider" that you trust. Trust not to get compromised, and also trust to be around for the foreseeable future. You get an OpenID from them, which instead of just being a username, also has a domain component. (It looks more like a URL than an email address, though, a design choice I'm a bit skeptical of.) When you want to sign up or log in to an OpenID-aware site (HappyLlamaForum), rather than creating a new account and thus trusting HappyLlamaForum with your usual password, you just give them your OpenID name. There's a little trickery that ensues where you authenticate to the OpenID provider that you want to let HappyLlamaForum see your info, and then you're in. But to the user it's not substantially different from a regular login.

The key improvement to you as a user is that HappyLlamaForum never stores your password. Only the OpenID provider has that.

If the OpenID provider is compromised then you're in big trouble, but if HappyLlamaForum's database backup gets stolen it's no big deal; the thief can't use any information saved there to impersonate you on other sites. (If they do it right they shouldn't be able to impersonate you on HLF either, but this depends on what their alternative login / account recovery system is like. If they have a "multiple question" type thing, which is common, someone could get that from the database and then steal your account. Personally I think that account recovery systems are the Achilles' heel of OpenID and all other SSO systems. If you use the same questions across multiple sites it's just as bad as using the same password everywhere; you didn't gain anything. Cf. Sarah Palin.)

But as you can see there's kind of a chicken-and-egg problem at work; nobody cares about OpenID because nobody thinks they'll get their identity stolen until it happens, and site admins don't want to implement a feature if it's not something that most users care about. I don't know if it will really gain critical mass or not. Google seems to like it, though.
posted by Kadin2048 at 8:50 PM on May 4, 2010 [3 favorites]


One of the problems with OpenID is that it requires cross-scripting (at least to authenticate), which is a "feature" I do not allow on my browser. It's far too easy to exploit in nasty ways.
posted by stoneweaver at 9:12 PM on May 4, 2010


The way Kadin2048 describes it makes it sound to me like it makes as much sense as monocrops do.
posted by aniola at 12:56 AM on May 5, 2010


pb: Yeah, that's how some sites do it. I know Stack Overflow has pure OpenID accounts. But here you would also have to have a standard MetaFilter account. So the only advantage if we set this up is that you wouldn't have to remember your MeFi account credentials once you associate your MeFi account with an OpenID account. And that alone might be worth it.

Or, on sign-up, you can choose a username and enter an OpenID identifier, instead of choosing a username and a password. There's no reason you can't have private accounts on a site using just OpenID for authentication -- the site only allows known OpenID identifiers to log in.

One of the problems with OpenID is that it requires cross-scripting (at least to authenticate), which is a "feature" I do not allow on my browser. It's far too easy to exploit in nasty ways.

You mean JavaScript? Pretty certain OpenID doesn't require that. It's all form submissions and redirects.
posted by chrismear at 2:54 AM on May 5, 2010


(Sorry, second quote there was from stoneweaver, not pb.)
posted by chrismear at 2:54 AM on May 5, 2010
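
The arrangement pb and chrismear describe above (OpenID as another way into an existing paid account, with only known identifiers allowed to log in), as an added example that is not from the thread or from MetaFilter's code. It assumes an OpenID library has already verified the assertion with the provider; `AccountStore`, `normalize` and the identifier URLs used with them are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit


class LoginError(Exception):
    pass


def normalize(claimed_id: str) -> str:
    """Canonicalise a claimed identifier so one URL cannot map to two keys."""
    parts = urlsplit(claimed_id.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise LoginError("claimed identifier must be an http(s) URL")
    # Scheme and host are case-insensitive; path, query, fragment kept as given.
    host = parts.hostname.lower()
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, parts.fragment))


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> {"has_password": bool, "openids": set}
        self.by_openid = {}  # normalized claimed identifier -> username

    def create_paid_account(self, username, has_password=True):
        self.accounts[username] = {"has_password": has_password, "openids": set()}

    def associate(self, session_user, verified_id):
        """Link an identifier; only reachable from an already logged-in session."""
        if session_user not in self.accounts:
            raise LoginError("must be logged in to an existing account")
        key = normalize(verified_id)
        if self.by_openid.get(key, session_user) != session_user:
            raise LoginError("identifier already linked to another account")
        self.by_openid[key] = session_user
        self.accounts[session_user]["openids"].add(key)

    def login(self, verified_id):
        """Map a provider-verified identifier to an account; never create one."""
        user = self.by_openid.get(normalize(verified_id))
        if user is None:
            raise LoginError("unknown identifier: no account is provisioned")
        return user

    def unlink(self, session_user, verified_id):
        """Refuse to remove the last way in (e.g. if the provider disappears)."""
        acct, key = self.accounts[session_user], normalize(verified_id)
        if not acct["has_password"] and acct["openids"] == {key}:
            raise LoginError("cannot remove the only login method")
        acct["openids"].discard(key)
        self.by_openid.pop(key, None)
```

An identifier that was never associated is rejected at `login`, so holding an account at the provider does not by itself grant a membership; the site stores no password for an OpenID-only account, only the identifier.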


what is this "logging in" thing? do people really log out?
posted by desjardins at 7:08 AM on May 5, 2010

