How do I get an OpenID?
It's not hard...
To use OpenID you need an account with an OpenID Provider.
You might already have one
Many sites have already given their users an OpenID. You might already have one and not know it.
If you don't have an account with one of those websites, you can get one from them, or choose from many other OpenID Providers:
Who should my provider be?
We've compiled a list of the OpenID providers that we really like. Click on one of them and follow the steps there. After you have your OpenID, come back and read our tutorial on how to log in with OpenID!
Very comprehensive: Easy to use and secure. Also, you can give them lots of information and then control when they give it out.
Very easy to use. If you're a Yahoo! user, you've got an OpenID, and it's really easy to remember too. It's just yahoo.com no matter what your username is.
Let me choose my provider
We have compiled a list of all the OpenID providers we can find. But first, here are some important things to consider when choosing an OpenID Provider:
- Trustworthiness: Choose a provider that you trust.
- Your OpenID Provider holds on to your information and is responsible for making sure that only you can sign in with your OpenID. Because of that, you should choose a Provider you trust to do those things properly. Just like you don't want to give your credit card number to just any web site, you want to choose an OpenID provider with a strong reputation. Examples include: AOL and LiveJournal.
- Longevity: Choose a provider that will stay around for a while.
- If your OpenID Provider goes under, it will be very difficult to retrieve your online identity. That's pretty scary. But, if you choose an OpenID Provider that will stick around for a while, you don't need to worry.
- Comprehensiveness: Choose a provider that gives you extra services.
- The more public information about you that you can store in your OpenID, the less often you have to fill it out when you sign up for new web sites. Good providers hold on to lots of information about you and let you choose which web sites have access to which information. VeriSign is a good example of a provider that does this.
- Security: Choose a provider who can secure the log-in process.
- Just as with any website, some providers are more secure and some less. Consult the list below to see the providers that we found to be the most secure. Our rubric for how we scored them can be found at the bottom of the page.
- Social implications: Choose a provider with which you want to be identified.
- Just as with e-mail, using a particular OpenID Provider has social implications. Most people don't use Gmail for work-related e-mails, because e-mails from company accounts are more professional. Also, whenever you send an e-mail with Gmail, it reveals to the person you're e-mailing not only your e-mail address but also your Google username, which identifies you on other Google services. Similarly, if your OpenID is from LiveJournal, it reveals to the world that you're a LiveJournal user, and where your LiveJournal is located, so people who see it can go and read your public journal entries if they want to. Web sites can also use this information to provide you more specialized service. In short, your choice of provider extends what the online world knows about you, so you should choose a provider based on what you want the online world to know. If you don't want anyone to know that you have a LiveJournal, don't use your LiveJournal account as your OpenID. If you don't want to advertise your AOL screenname, choose a provider other than AOL.
That said, here is a list of the providers that we know about along with some comments we or other OpenID users have developed about them. Ones with ★'s next to them are our recommendations.
|Name||Ease of use||Security||Remembers information||Multiple profiles||Anti-phishing measures||Password protected|
The list below is our rubric for choosing a security rating in the provider list. A provider starts with the lowest security rating (1), and the rating grows according to whether the provider has the feature associated with that rating level. If a provider fails at any level, its security rating cannot go any higher. In other words, if a provider has a security rating of 4, it has fulfilled requirements 2 through 4, has not fulfilled 5, and may or may not have fulfilled 6 through 10.
- Absolute lowest score: the site does not meet basic security requirements.
- The site uses SSL when logging in.
- The site uses SSL when registering.
- The site has an up-to-date SSL Certificate.
- The site makes you type in their address or use a bookmark in order to log in.
- The site lets you use spaces and symbols in your passwords.
- The site tells you when you have a strong password.
- The site employs a second technique to combat phishing (on top of #5).
- Your password cannot be changed or given out before you answer a security question.
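The capping rule described above, as an added example (not code from the original page): the rating climbs one level per fulfilled requirement and stops at the first one that is missing, no matter what the provider offers further down. The feature keys and the sample providers are constructed for illustration, and levels are numbered in the order the list shows them.

```python
# Requirements for levels 2-9, in the order the page lists them (level 1 is
# the baseline every provider starts at). Keys are made up for this example.
RUBRIC = [
    ("ssl_login", "uses SSL when logging in"),
    ("ssl_register", "uses SSL when registering"),
    ("cert_current", "has an up-to-date SSL certificate"),
    ("typed_address_login", "makes you type its address or use a bookmark to log in"),
    ("password_symbols", "lets you use spaces and symbols in passwords"),
    ("strength_feedback", "tells you when you have a strong password"),
    ("second_antiphishing", "employs a second anti-phishing technique"),
    ("security_question", "asks a security question before a password is changed or given out"),
]


def security_rating(features):
    """Return (rating, blocker); blocker is the first unmet requirement, or None."""
    rating = 1
    for key, description in RUBRIC:
        if not features.get(key, False):  # an unknown feature counts as not fulfilled
            return rating, description
        rating += 1
    return rating, None


# Constructed sample providers, not real measurements.
SAMPLES = {
    # Has levels 2-4 and several later features, but not level 5: capped at 4.
    "provider-a": {"ssl_login": True, "ssl_register": True, "cert_current": True,
                   "password_symbols": True, "strength_feedback": True,
                   "security_question": True},
    # No SSL at login: stays at the lowest score despite everything else.
    "provider-b": {"ssl_login": False, "ssl_register": True, "cert_current": True},
    # Fulfils every listed requirement.
    "provider-c": {key: True for key, _ in RUBRIC},
}

if __name__ == "__main__":
    for name, feats in SAMPLES.items():
        rating, blocker = security_rating(feats)
        print(f"{name}: {rating}" + (f" (stopped at: {blocker})" if blocker else ""))
```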
Notes on the rubric
This rubric reflects our (informed) biases as to what we think makes for a secure OpenID Provider. We did not, however, choose them with the goal of making certain providers look good and others bad. We ourselves were at times surprised at the poor security practices even well-known providers employ.