OpenID: A Contrarian View

We’ve offered you plenty of coverage of OpenID here at WWD: from early coverage when OpenID was in its infancy, through a look at the balance between providers and consumers, to dutifully mentioning when sites that we cover support OpenID. And yet, despite these various deep dives and having tried several OpenID providers myself, I have to confess: I just don’t use OpenID. Beyond that, it’s starting to look like a bad solution to a marginal problem to me.

It’s worth pointing out that this attitude puts me out of step with some of my technological peers and WWD readers. Indeed, what got me started thinking about OpenID again was the appearance of the Demand OpenID site, where (at the moment) 422 people are demanding OpenID from 673 web sites. The site was inspired in part by a WWD reader who couldn’t use OpenID to comment here, and two of you readers are demanding it here. (Just to be clear, WWD does not have an official stance on OpenID, although we’re currently unlikely to switch to an OpenID-enabled site.)

So what’s my beef with OpenID? It’s threefold: I don’t need it, I can’t use it, and I don’t trust it.

I don’t need it: Like the majority of readers who’ve commented to us about identity management, I find there are already good, solid solutions for managing logins across a multitude of web sites. I’m currently using 1Password; others depend on RoboForm or the built-in password management functions in their browsers, among other choices. With 1Password I can create as many unique logins and strong passwords as I like, and though there is still a single point of failure, it’s a point of failure under my control; I can take measures I consider appropriate to protect my computers and software. With OpenID, if there’s a compromise there’s not much I can do to protect myself across the web of sites where I’ve used it.

I can’t use it: Like the folks behind “Demand OpenID,” I’m finding plenty of sites that I use on a daily basis that don’t support OpenID. Demand as I might, I need to be able to log on to those sites today; thus I have to have a password-management solution in place. If I’m going to need to manage passwords anyhow, why not do that for every site I visit? I’m aware that this is a chicken-and-egg problem, but so far there are no sites that are requiring me to use OpenID instead of a traditional login; until there are, there’s no compelling reason to move me in that direction.

I don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own personal take is that at least some OpenID implementations make it frighteningly easy for malicious sites to steal your credentials. There are providers working to prevent this – Verisign and Vidoop are two of them – but the average naive user won’t know enough to look for a secure provider. Given that I believe widespread OpenID adoption would make it an attractive target for phishers, and that the average user will not use it securely, I am loath to encourage its adoption.

I realize there are people for whom OpenID is a good solution: many of them are in the always-on-the-go, never-use-the-same-computer-twice group of cutting edge hyperconnected web workers who are smart enough to avoid the security pitfalls. But I believe the bulk of users, even the bulk of web workers, don’t fall into this category. If you spend most of your time on a single device, and are adequately happy with your current login and password authentication, then there’s no need to push your identity management out to the cloud.
