OpenID 2.0 has several new security and usability improvements over previous versions.
OpenID 2.0 endpoints are published using the Yadis protocol. OpenID 2.0 Providers advertise the location of their endpoints, as well as the versions and extensions that they support using Yadis. New in OpenID 2.0 is Relying Party discovery, in which OpenID Providers are able to verify the location of a Relying Party's OpenID endpoints using Yadis.
The Yahoo! OpenID Provider verifies a Relying Party's realm and endpoints by making a Yadis request to the openid.realm to discover the realm's OpenID endpoints. If Yahoo! is unable to verify the realm and endpoints, the user is warned that they are signing into an unverified site. Yahoo! caches the Yadis document to improve performance for users who sign into popular sites.
OpenID identifiers can be recycled over time, and OpenID 2.0 specifies that OpenID Providers append URL fragments to the end of an OpenID URL as a generation identifier. The entire OpenID URL with the fragment, if present, should be used to identify the user. For instance, the following two OpenIDs are unique and represent different users:
Yahoo! will only support Relying Parties running on web servers with real hostnames (IP addresses are not supported) on standard ports (port 80 for HTTP and port 443 for HTTPS).
New in OpenID 2.0 is the concept of Identifier Select, in which a user can just specify their OpenID Provider, rather than having to type in their entire OpenID URL. Users can just type in yahoo.com or flickr.com to initiate the Sign-in process. In order to optimize this experience, we provide special buttons that Yahoo! users can click on to sign in. Clicking on the Yahoo! Sign-in button auto-fills and submits yahoo.com on the OpenID sign-in form.
Yahoo! Sign In Buttons:
OpenID Relying Parties should note that, while the use of the Yahoo! ID and password as authentication credentials is sufficient for many use cases, it is not good for all use cases. For example: using just the Yahoo! ID and password to allow financial transactions (e.g., a purchase with a credit card stored by the Relying Party) is not recommended. In such cases, Yahoo! recommends that an additional factor of authentication should be used by the Relying Party before allowing the transaction to be completed.
In order to enable Relying Parties to automatically detect and decide whether a Yahoo! OpenID assertion is appropriate for their use cases, we use the PAPE extension to communicate the quality of our assertion. Yahoo! OpenID assertions are marked as NIST Auth Level 0 to indicate that Yahoo! OpenIDs should not be used to authorize any transaction of value, including, but not limited to, financial transactions, or accessing sensitive information, such as social security numbers and credit card numbers.
Relying Parties can download the Yahoo! button images to help users get started with OpenID. Yahoo! will guide users who click on the button through the OpenID setup process. Download the various Yahoo! OpenID buttons.
Yahoo! displays the above warning for Relying Parties which fail to implement Section 13: Discovering OpenID Relying Parties of the OpenID 2.0 Protocol. Implementing Relying Party Discovery enables Yahoo to verify your site's OpenID Realm when servicing Authentication Requests from your site.
Your site must publish a discoverable XRDS document listing all the valid return_to URLs for your Realm. An excellent writeup describing how to do this can be found here: Why Yahoo! says your OpenID site's identity is not confirmed.
Please note: We recommend that your site links to its XRDS document using the X-XRDS-Location HTTP header. If your site links to its XRDS document by embedding a meta tag within the HEAD section of your realm document, errors can occur if the realm document is larger than 64KB or if the document redirects to another URL.
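The following is an added illustration, not Yahoo!'s or the OpenID project's code. It builds the XRDS document a Relying Party would serve for Section 13 discovery, then models the Provider-side check described above: the request's return_to must fall inside openid.realm and match one of the discovered return_to endpoints, using the realm-matching rules of the OpenID 2.0 specification (same scheme and port, exact or *.wildcard host, path equal to or a sub-directory of the realm path). The hostnames and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_rp_xrds(return_to_urls):
    """Serialize the XRDS an RP publishes (via X-XRDS-Location) listing its return_to URLs."""
    ET.register_namespace("xrds", XRDS_NS)
    ET.register_namespace("", XRD_NS)
    root = ET.Element(f"{{{XRDS_NS}}}XRDS")
    xrd = ET.SubElement(root, f"{{{XRD_NS}}}XRD")
    service = ET.SubElement(xrd, f"{{{XRD_NS}}}Service", priority="1")
    ET.SubElement(service, f"{{{XRD_NS}}}Type").text = RETURN_TO_TYPE
    for url in return_to_urls:
        ET.SubElement(service, f"{{{XRD_NS}}}URI").text = url
    return ET.tostring(root, encoding="unicode")


def discovered_return_to_endpoints(xrds_text):
    """What an OP learns from the realm's XRDS: every URI under a return_to-typed Service."""
    endpoints = []
    for service in ET.fromstring(xrds_text).iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if RETURN_TO_TYPE in types:
            endpoints.extend(u.text.strip() for u in service.findall(f"{{{XRD_NS}}}URI") if u.text)
    return endpoints


def url_matches_realm(url, realm):
    """OpenID 2.0 realm matching; a realm may not carry a query or fragment."""
    u, r = urlsplit(url), urlsplit(realm)
    if r.query or r.fragment or u.scheme != r.scheme:
        return False
    if (u.port or DEFAULT_PORTS.get(u.scheme)) != (r.port or DEFAULT_PORTS.get(r.scheme)):
        return False
    uhost, rhost = (u.hostname or "").lower(), (r.hostname or "").lower()
    if rhost.startswith("*."):
        if uhost != rhost[2:] and not uhost.endswith(rhost[1:]):  # "*.x.com" covers x.com and sub-domains
            return False
    elif uhost != rhost:
        return False
    upath, rpath = u.path or "/", r.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")


def return_to_is_verified(return_to, realm, xrds_text):
    """Provider-side decision: warn the user unless return_to is inside the realm AND matches a discovered endpoint."""
    if not url_matches_realm(return_to, realm):
        return False
    return any(url_matches_realm(return_to, ep) for ep in discovered_return_to_endpoints(xrds_text))
```

A return_to that carries a nonce or other query parameters still matches, because only the realm and the advertised endpoint are forbidden from having a query.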
Yes! Yahoo! has a global audience, and Relying Parties can specify the language to be used on Yahoo!'s OpenID screens by using the experimental xopenid_lang_pref parameter in the OpenID authentication request.
Yahoo! is working with the OpenID Community to write an extension for RPs to specify the user's language preference in a standardized format.