Simon Willison’s Weblog

Use your Yahoo! account as an OpenID

27th January 2007

In an ideal world, some or all of the sites with large user databases (Yahoo!, AOL, Google, Amazon and so on) would act as OpenID providers, allowing their users to sign in to OpenID-supporting sites around the Web. Until that happens, people who want to use OpenID need to sign up for Yet Another Account to do so., launched today, is my attempt at speeding up the process. It uses Yahoo!’s Browser-Based Authentication API to allow you to sign in with a Yahoo! account, then lets you create one or more OpenIDs (of the form to use with sites that support the OpenID standard.

In effect, it lets you use your Yahoo! account as an OpenID.

Phishing protection

I’ve built in a couple of features to help protect users against phishing attempts.

The first is based on Andreas Gohr’s MonsterID. When you log in for the first time, you are asked to pick one from a selection of four random monsters. Your monster will greet you when you log in to the site, helping defend against malicious sites that try to copy the “logged in” view.

The second is a landing page based on my suggestion from last week, which requires you to log in manually or with a bookmark rather than presenting you with a login link directly. This is similar to MyOpenID’s SafeSignIn feature, but it’s on by default and you can’t turn it off.

The nature of the site means that a successful phishing attack would have to compromise your Yahoo! account as well. Yahoo! have their own phishing prevention in the form of the Yahoo! personalized sign-in seal (similar to the monster, but visible before you log in).

Other providers

An older (unreleased) version of the site included support for Flickr, Upcoming and Google authentication. I’ve dropped those in favour of Yahoo! for a couple of reasons. Firstly, supporting just one form of authentication makes the site easier to explain. Secondly, none of those APIs were designed with single sign-on in mind. All three exist primarily to give a third-party service access to your data; as such, their authentication flows include permission pages which warn that will have access to your private photos, events or calendar.

I’m very open to suggestions and feature requests. The top of my list at the moment is an interface for viewing and changing the list of sites which always have access to your identity.
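As an added illustration, not code from the site described here, this Python sketch shows how a provider could make the two decisions discussed above: answering an OpenID checkid_setup request with a landing page (no login form, no login link) when the visitor has no session, and consulting a per-user list of sites that always get the identity. The wildcard-host and path-prefix rule for matching return_to against a trust root is my reading of OpenID 1.1, and the user record is constructed for the example.

```python
from urllib.parse import urlparse

# Constructed example user: the monster picked on first login and the trust
# roots the user has marked as always allowed to receive their identity.
USER = {
    "username": "alice",
    "monster": "monster-3.png",
    "always_trusted": {"http://*.example.org/", "https://forum.example.com/"},
}


def return_to_matches_root(return_to, trust_root):
    """True if return_to lies under trust_root (assumed OpenID 1.1 rule):
    same scheme and port, host equal or (for a '*.' root) a subdomain,
    and the root's path a prefix of the return_to path."""
    rt, tr = urlparse(return_to), urlparse(trust_root)
    if rt.scheme != tr.scheme or rt.port != tr.port:
        return False
    host, root_host = rt.hostname or "", tr.hostname or ""
    if root_host.startswith("*."):
        bare = root_host[2:]
        if not (host == bare or host.endswith("." + bare)):
            return False
    elif host != root_host:
        return False
    return (rt.path or "/").startswith(tr.path or "/")


def handle_checkid(params, user):
    """Provider-side answer to a checkid_setup request.
    params: the openid.* query parameters; user: the session user or None."""
    return_to = params["openid.return_to"]
    trust_root = params.get("openid.trust_root", return_to)
    # Never trust a claimed root that the return_to does not actually fall under.
    if not return_to_matches_root(return_to, trust_root):
        return {"action": "error", "reason": "return_to outside trust_root"}
    if user is None:
        # Landing page instead of a login form: the user is told to sign in by
        # hand or via a bookmark, and the page carries no link to the form.
        return {"action": "landing_page"}
    if any(return_to_matches_root(return_to, r) for r in user["always_trusted"]):
        return {"action": "approve", "greeting": user["monster"]}
    # Unknown site: show the user's monster and ask before releasing identity.
    return {"action": "confirm", "greeting": user["monster"], "trust_root": trust_root}
```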