
We’ve offered you plenty of coverage of OpenID here at WWD: from early coverage when OpenID was in its infancy, through a look at the balance between providers and consumers, to dutifully mentioning when sites that we cover support OpenID. And yet, despite these various deep dives and having tried several OpenID providers myself, I have to confess: I just don’t use OpenID. Beyond that, it’s starting to look like a bad solution to a marginal problem to me.

It’s worth pointing out that this attitude puts me out of step with some of my technological peers and WWD readers. Indeed, what got me started thinking about OpenID again was the appearance of the Demand OpenID site, where (at the moment) 422 people are demanding OpenID from 673 web sites. The site was inspired in part by a WWD reader who couldn’t use OpenID to comment here, and two of you readers are demanding it here. (Just to be clear, WWD does not have an official stance on OpenID, although we’re currently unlikely to switch to an OpenID-enabled site.)

So what’s my beef with OpenID? It’s threefold: I don’t need it, I can’t use it, and I don’t trust it.

I don’t need it: Like the majority of readers who’ve commented to us about identity management, I find there are already good, solid solutions for managing logins across a multitude of web sites. I’m currently using 1Password; others depend on RoboForm or the built-in password management functions in their browsers, among other choices. With 1Password I can create as many unique logins and strong passwords as I like, and though there is still a single point of failure, it’s a point of failure under my control; I can take measures I consider appropriate to protect my computers and software. With OpenID, if there’s a compromise there’s not much I can do to protect myself across the web of sites where I’ve used it.

I can’t use it: Like the folks behind “Demand OpenID,” I’m finding plenty of sites that I use on a daily basis that don’t support OpenID. Demand as I might, I need to be able to log on to those sites today; thus I have to have a password-management solution in place. If I’m going to need to manage passwords anyhow, why not do that for every site I visit? I’m aware that this is a chicken-and-egg problem, but so far there are no sites that are requiring me to use OpenID instead of a traditional login; until there are, there’s no compelling reason to move me in that direction.

I don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own personal take is that at least some OpenID implementations make it frighteningly easy for malicious sites to steal your credentials. There are providers working to prevent this – Verisign and Vidoop are two of them – but the average naive user won’t know enough to look for a secure provider. Given that I believe widespread OpenID adoption would make it an attractive target for phishers, and that the average user will not use it securely, I am loath to encourage its adoption.

I realize there are people for whom OpenID is a good solution: many of them are in the always-on-the-go, never-use-the-same-computer-twice group of cutting edge hyperconnected web workers who are smart enough to avoid the security pitfalls. But I believe the bulk of users, even the bulk of web workers, don’t fall into this category. If you spend most of your time on a single device, and are adequately happy with your current login and password authentication, then there’s no need to push your identity management out to the cloud.


  1. I signed up for Open ID but have never been able to get it to work right (Open ID knows I’m registered but I get rejected when I try to use it). Now, I’m kind of glad it hasn’t worked out for me!

    It is a hassle having all of these usernames and even more passwords. I might try one of those software solutions you mention.

  2. There is currently a huge disparity between those offering to be OpenID providers and those offering OpenID as a signup or login option along with the myriad of features that many sites prefer not to implement. It’s the laissez-faire approach to full implementation which probably helps undermine OpenID’s credibility.

  3. Thanks for explaining your views. Since I was the one who apparently kicked off this round of OpenID discussion I figured I’d respond to your objections (even if I can’t use OpenID to do it). You raise some good points; OpenID is far from perfect, and those of us who want to see it adopted more widely need to address some of the issues you raise.

    I’ve been told that WWD can’t do OpenID right now because you’ve chosen a hosting platform (WordPress.com) that restricts your features, but I would assume that if WordPress.com starts accepting OpenID there wouldn’t be any reason you would actively refuse it, would you?

    In response to “I don’t need it”… you’re right, there are already password managers. But if more sites supported OpenID, you wouldn’t need a password manager in the first place. Wouldn’t it be nice to manage one OpenID instead of using a password manager to manage a bunch of standalone passwords?

    “I can’t use it” You can’t use it everywhere yet. But there are quite a few places you can use it. And there are (a few) sites that require it. Ma.gnolia is probably the biggest, but also Pibb, Treasurelicious, Twitterwhere, and Twitterfeed (that I know of).

    “I don’t trust it” Looks like a bunch of FUD to me. I fail to see how it’s any less secure than a bunch of standard usernames/passwords (and the reality is that many people use the same password everywhere). The “average user” won’t use it any more or less securely than they currently manage their passwords. But some OpenID providers (such as Vidoop) create a more secure environment than a standard password.

    I don’t think that OpenID is a magic solution to all identity and password issues… but given that it’s fairly easy to support, it seems that web/technology services ought to at least offer it as an option for those users who want to take advantage of OpenID.

    Thanks for your post… the more discussion, the better!

  4. I have to agree with most of your points here Mike and I’m one of the biggest OpenID cheerleaders out there.

    There is a realization that is occurring among users and developers of OpenID and that’s that OpenID is a very important building block but not for the reasons we all originally thought.

    I think the real strength in OpenID lies in the fact that a user can now point at a single URL as their own. Not only do I have a place on the Internet that I’ve proved I “control”, it’s also a single point of contact, a place to store my friends, messaging, etc. These applications are coming and I think those are what will drive OpenID.

    One interesting side effect of the OpenID as a URL is that reputation is going to be baked into the Internet. You’ll be able to reference everything you’ve done on the public Internet because it will be indexed by your personal URL. Like it or not, that’s going to happen (I personally love it).

    Bear in mind, most users won’t know or care what an OpenID is. Users want solutions, not a bunch of technology. Once somebody can make OpenID more usable and tied to other real solutions, that’s when it’s going to take off.

    Finally, the reality of the situation is my mom never got SMTP, she got email. The same will be true with OpenID.

  5. I agree with your analysis that OpenID isn’t the solution, but I do think there is value in the ability to validate and confirm identity on the web. On this note, I think Facebook is in the best position to control that, and reap the rewards. If you’re interested, I wrote more about it: Facebook and Identity

  6. Sorry, link didn’t work, try this

  7. I realize your points are valid for the mass, but we are technical users… I don’t see what’s so difficult about setting up your own provider with phpMyID.

    It took me 5 minutes to set it up, and I’m glad there are more and more sites that accept it. Especially when there’s something to try out and the only thing you have to do is provide your OpenID.

  8. Couldn’t agree more, OpenID just doesn’t cut it. At WackWall we are planning to integrate Google account login some time soon, I think it solves all the three problems you mentioned.

  9. “a bad solution to a marginal problem” – Best description of OpenID ever.

    OpenID is like using the same logon and password everywhere, which is a very bad security practice. If your OpenID is compromised (by whatever method you want to imagine) you are pretty well screwed.

    I can see OpenID being used for low-value accounts like blog comments and the like, but I don’t think it will ever become mainstream in high-value and/or financial transactions.

  10. Nicholas Hebb Thursday, May 22, 2008

    >> “I don’t trust it” Looks like a bunch of FUD to me.

    I don’t think that’s a fair characterization of the concerns over this. I am really wary of any solution that could be a single point of failure with wide reaching consequences.
