If i prompt end users of my web-application for their SalesForce username/password; is it enough for me to successfully use APIs to extract data from their accounts and present it to them.

Would i need some other information too from end users like - Their Security Token, Organization Id etc.?

The SalesForce Login API appears to need security token too (appended to the password).

I am trying to write a web application(java) using is which SalesForce users can view some their SalesForce data inside my application.

For this i need to prompt the user for their SalesForce user and password. These can be ANY SalesForce users... they could belong to any organization/enterprise.

But username/password is not enough for Login to work succesfully, i think  the 'security token' is also required(we need to append it to password). But it is very unlikely that any user will remember their Security Token.

Is my understanding correct? How can i solve this problem.

Is there a online authentication mechanism (like Google OAuth/OpenId)?

I am able to get data for my developer salesforce account, but how to do the same for my end users?