Sometimes, I do feel like I've just gotten out of a cave.

Anyways, I just downloaded the latest version of the web framework that I use and noticed that they include support for decentralized authentication mechanisms (Janrain, OpenID, etc).

I already have an implementation of the old school authentication mechanism done for my project, but I am now seriously wondering whether the above would be better.

My gut reaction as a user is to think that this is a great thing (instead of providing quadzillions of usernames and passwords for various web sites, you can authenticate yourself with multiple web sites using a particular service that you like to use... ex: Yahoo, Google, Facebook, etc).

However, I won't claim to be the final authority in terms of what other users prefer.

So, I was wondering if people that are interested in providing some feedback could offer some thoughts on whether they would like or dislike (perhaps even hate) such an authentication scheme and why.
I love it, I mean the site I'm logging TO doesn't really get my login info as far as I understand it, so it's far safer that way - or at least I believe google can properly secure their servers :D
I wish GOG would provide OpenID for its users. That would be very useful.
Well, maybe for Twitter I'd be okay, because I don't really care about that account, but there is no way that I'm logging in on a third party app / client / web / service / whatever with my Windows Live ID.
kavazovangel: Well, maybe for Twitter I'd be okay, because I don't really care about that account, but there is no way that I'm logging in on a third party app / client / web / service / whatever with my Windows Live ID.
Can you elaborate?

Is it because you don't trust Windows Live?

What about Yahoo, Google, Paypal or VeriSign?

I mean, minimally, you need to trust your email service provider when you login on GOG...
Post edited November 21, 2011 by Magnitus
I think services like OpenID are the future. In one swoop companies can negate any responsibility for being hacked and losing your credentials (except OpenID of course). No more of this 'how is my password stored' concern, it's not!
Magnitus: Can you elaborate?
It is because I don't trust other sites, and because I have everything on my Windows Live ID. Seeing that hacked and messed up would set me back quite a lot.

Oh, and for all I know, the textboxes where one writes down his Twitter / Facebook (or something similar) user / pass could be sending the details to the site before connecting with Twitter / Facebook. It all depends on how the site is coded.

Until I see exactly what a site does (the source code), I won't trust any site that uses these direct signings (through their site). Only if the site redirects me (like SteamGifts does), then it is okay.
Magnitus: Can you elaborate?
kavazovangel: It is because I don't trust other sites, and because I have everything on my Windows Live ID. Seeing that hacked and messed up would set me back quite a lot.

Oh, and for all I know, the textboxes where one writes down his Twitter / Facebook (or something similar) user / pass could be sending the details to the site before connecting with Twitter / Facebook. It all depends on how the site is coded.

Until I see exactly what a site does (the source code), I won't trust any site that uses these direct signings (through their site). Only if the site redirects me (like SteamGifts does), then it is okay.
What about this?: http://stackoverflow.com/users/login

It gives you many login options and redirects you to the sites in question...
For non-sensitive information, like discussion forums and such, I'd be fine with decentralized authentication. It would actually be very convenient if I could log in to all of my non-sensitive websites and services using my Windows Live ID or something similar.

For anything that involves sensitive information -- bank, credit card, medical, online games, etc. -- I want to have unique login credentials: a unique password for each, and maybe even a unique username.

Maybe I'm misunderstanding how the decentralized authentication mechanism works, but it sounds like a single sign-in, correct? If so, and if someone compromises my credentials for that service, then they essentially have the keys to my kingdom. Having those quadzillion passwords for each site is a form of damage control -- if one is compromised, the security breach is contained to just that one place.
wpegg: I think services like OpenID are the future. In one swoop companies can negate any responsibility for being hacked and losing your credentials (except OpenID of course). No more of this 'how is my password stored' concern, it's not!
Pretty much, reminds me of an argument I had with the now defunct Vongo. They claimed that somebody had been watching movies on my account for months after I closed it. Not possible, I watched all those movies in one single month before closing the account.

Moral of the story, keep a close eye on credit card statements and make sure things are canceled that you canceled. The rep blamed me when it was clearly a clerical error on their part. Didn't get my money back, but I probably should have reported the fraudulent activity to my credit card company.
I'd actually prefer writing down passwords on a piece of paper on my desk rather than using OpenID or such (for more than one service). Even with the front door wide open, that piece of paper would be far less accessible (and searching my desk for it is no trivial matter - it has multiple layers and booby traps in between).

Decentralized auth mechs (DAMs) are only that much better than using the same password for all your accounts as the difference between the weakest security regime used and the one used by the DAM in question.

Yet it's potentially even more 'dangerous' as all these accounts are inexplicably tied together - if I have both an online poker account and an AA account (if such exists?) and both get hacked (unrelated), far less information is gained by the hackers compared to if I used OpenID for both and my OpenID password was hacked/cracked, or even just the list of sites where this ID is being used. Add a dozen more accounts to the same (Open)ID and anyone gaining access to it gains access to more information about you than any single account reveals (or is even allowed to collect).

I'm tired and have a fever so the above might not make much sense. Let me try to sum it up: I dislike DAM schemes for two reasons. 1) You're putting way too many eggs in the same basket. 2) You tie together multiple accounts, thereby revealing information about yourself that's nobody's business.
The ability to manage your identities is what keeps you safe.... using a singular login allows full access... imagine if someone hacked your FB at 2am and you're asleep... and they hit every single "facebook" site and started pulling data... your entire life is done, they have everything and in 3 years your identity is used to buy something illegal overseas...
Ryan333: For anything that involves sensitive information -- bank, credit card, medical, online games, etc. -- I want to have unique login credentials: a unique password for each, and maybe even a unique username.
What about a web site that provides non-free services, but that doesn't store your credit card information or personal information (like GOG)?

Starkrun: The ability to manage your identities is what keeps you safe.... using a singular login allows full access... imagine if someone hacked your FB at 2am and you're asleep... and they hit every single "facebook" site and started pulling data... your entire life is done, they have everything and in 3 years your identity is used to buy something illegal overseas...
And that is a problem.

However, you do realize that it is a problem that is already present with pretty much all web sites that provide password recovery via email, including GOG, right?

If someone hacks your email account, he has all the keys to your kingdom.

Frankly, I do not recall any recent web site that I've been to that doesn't provide a password recovery via email feature.
Post edited November 21, 2011 by Magnitus
Magnitus: However, you do realize that it is a problem that is already present with pretty much all web sites that provide password recovery via email, including GOG, right?

If someone hacks your email account, he has all the keys to your kingdom.

Frankly, I do not recall any recent web site that I've been to that doesn't provide a password recovery via email feature.
Which is why I use different e-mail accounts for different "web accounts" - usually 1-10 "web accounts" for every e-mail account. And, where possible, activate "secret question" options and such.

Regardless, hacking an e-mail account is usually a lot harder than hacking "web accounts". If you set it up correctly, it'd be safer to e-mail all your passwords to yourself and check your mail every time you forget your password, than using OpenID or such. More cumbersome, granted, but safer. It's the ever recurring security versus usability problem. Laziness is (in most cases) the number one security vulnerability.
Magnitus: What about this?: http://stackoverflow.com/users/login

It gives you many login options and redirects you to the sites in question...
That is a lot better, but only if the connection between the two means that only your username is passed, and not other stuff (Twitter allows third party apps to do whatever they want with your account, excluding private messages and the password, which is utterly stupid as the apps can change your account info (name, email, stuff, if I understood the API correctly) and even post tweets that you won't really tweet like ads and stuff).