It's clear that there is no consistent set of features among any of the popular authentication providers.
Below is an attempt to aggregate the similarities and differences I've noticed, but I would appreciate your advice on what additional features are missing, and what the important features are to consider when looking at an outsourced provider.
Authentication
- 2 Factor Authentication Per Session (Google, Verisign, MyOpenID)
- 2 Factor Authentication Per computer: Facebook
- Beta (features subject to change) Yahoo 2/22/13
- Force Password Change (LiveID every 72 days)
Privacy
- Email Address Hidden/Not Shared (LiveID, ClickPass)
- Offers a unique ID per website (ClickPass)
- Information Sharing Controls (Yahoo, Facebook, Google, LiveID, LiveIDServices)
Forgot Password Feature
- Most Secure (Google has Phone, OTP, and a difficult survey to fill out)
Delegation Support
- Verisign
- ClickPass
- (many others)
SignIn Seal / SiteKey
View Authentication History
- Full Logging of date, action, and target (MyOpenID)
- Good logging but inefficient for auditing access (Facebook)
- Limited to Grant and remove authentication (Google, Yahoo)
Active Session Summary
End user features
- Easy sign in/sign up process (Aol)
- Option for "difficult" sign in process to improve security (Verisign), also see this related question
Supports Connected Accounts
Token Replay Protection
- ADFS (also see WIF for RP protection)
Connection Security
Question
Did I miss any important application features?
Are there some features I shouldn't pay attention to when comparing providers?
Some examples of additional information that is missing in this list include encryption specifics, ISO/SAS70 certification, or if the providers are using DNSSEC. I could use help in gathering this information, and prioritizing what's important and not.
Please share additional info, or correct mistakes as you see fit.