OpenID: A Contrarian View

We’ve offered you plenty of coverage of OpenID here at WWD: from early coverage when OpenID was in its infancy, through a look at the balance between providers and consumers, to dutifully mentioning when sites that we cover support OpenID. And yet, despite these various deep dives and having tried several OpenID providers myself, I have to confess: I just don’t use OpenID. Beyond that, it’s starting to look to me like a bad solution to a marginal problem.

It’s worth pointing out that this attitude puts me out of step with some of my technological peers and WWD readers. Indeed, what got me started thinking about OpenID again was the appearance of the Demand OpenID site, where (at the moment) 422 people are demanding OpenID from 673 web sites. The site was inspired in part by a WWD reader who couldn’t use OpenID to comment here, and two of you readers are demanding it here. (Just to be clear, WWD does not have an official stance on OpenID, although we’re currently unlikely to switch to an OpenID-enabled site.)

So what’s my beef with OpenID? It’s threefold: I don’t need it, I can’t use it, and I don’t trust it.

I don’t need it: Like the majority of readers who’ve commented to us about identity management, I find there are already good, solid solutions for managing logins across a multitude of web sites. I’m currently using 1Password; others depend on RoboForm or the built-in password management functions in their browsers, among other choices. With 1Password I can create as many unique logins and strong passwords as I like, and though there is still a single point of failure, it’s a point of failure under my control; I can take the measures I consider appropriate to protect my computers and software. With OpenID, if there’s a compromise there’s not much I can do to protect myself across the web of sites where I’ve used it.

I can’t use it: Like the folks behind “Demand OpenID,” I’m finding plenty of sites that I use on a daily basis that don’t support OpenID. Demand as I might, I need to be able to log on to those sites today; thus I have to have a password-management solution in place. If I’m going to need to manage passwords anyhow, why not do that for every site I visit? I’m aware that this is a chicken-and-egg problem, but so far there are no sites that are requiring me to use OpenID instead of a traditional login; until there are, there’s no compelling reason to move me in that direction.

I don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own personal take is that at least some OpenID implementations make it frighteningly easy for malicious sites to steal your credentials. There are providers working to prevent this – Verisign and Vidoop are two of them – but the average naive user won’t know enough to look for a secure provider. Given that I believe widespread OpenID adoption would make it an attractive target for phishers, and that the average user will not use it securely, I am loath to encourage its adoption.

I realize there are people for whom OpenID is a good solution: many of them are in the always-on-the-go, never-use-the-same-computer-twice group of cutting-edge hyperconnected web workers who are smart enough to avoid the security pitfalls. But I believe the bulk of users, even the bulk of web workers, don’t fall into this category. If you spend most of your time on a single device and are adequately happy with your current login and password authentication, then there’s no need to push your identity management out to the cloud.

17 Comments

Benno Blumenthal

The problem that I would like a solution to is “mashup authentication” — a mashup created by combining two web items that are in different security domains belongs to both domains. A classic example would be a figure made from two different restricted datasets.

You don’t want to type in two different userids/passwords for the same item, and no browser is ready to do such a thing, anyway. A solution would have both sites accepting a common id, and the mashup server could verify the id against both original data servers, thus the hope that OpenID (or something like it) could solve this problem in a way your alternative solutions don’t. Not that I know that OpenID can solve the problem, the point is that some kind of authentication service is necessary in order that the Internet can take this next step.

Michael Graves

While it’s certainly nice to just skip the password process with relying parties by using OpenID, part of the problem here is that “password automation” is getting confused with the core value proposition of OpenID itself. OpenID wasn’t conceived or built out to compete with or replace password managers. Instead it was about creating names in a universal namespace in such a way that new efficiencies could be realized and new value created.

For example, as Scott Kveton points out above, your OpenID is an “index to you” on the public web. That’s a double-edged sword, but it does present an important “I need it” and “I can use it” advantage; with an OpenID consolidating your relationships with sites and providers, you now have a way to aggregate and manage your online reputation. This means that OpenID can serve as the basis for lightweight, efficient reputation and trust decisions that will gain you entry (and by the same token, possibly deny it to you, so you’re accountable — another important feature of the system) to resources quickly and easily based on the information you can supply with your ID.

As far as the trust issue goes, we have in place what we expect to see in an emerging marketplace for a technology like this. Big service providers like Yahoo! and AOL are equipping their users with OpenIDs and providing solid warrants for trusting the integrity of the logins (*as* logins) they verify. Pure play OpenID providers like JanRain (where I work) and Vidoop provide full-featured profile management for OpenID, along with security and communications “extras”. Other providers exist in more informal arrangements; you can spin up your own OpenID provider on your own laptop if you want with minimal effort.

The diversity in this space is a strength, not a weakness. If OpenID defined a military-grade biometric authentication system, or an Experian credit bureau scrub, the costs and logistical demands of the system would keep it from ever getting off the ground. Like PGP, rather than SSL, OpenID is decentralized, and looks to the marketplace for organic “circles of trust” to form naturally, rather than by ordaining “trust roots” that control the hierarchy. That makes things a bit more chaotic in the marketplace, but much healthier in the long run for trust to be managed and delivered at the best cost and quality.

Zbigniew Lukasiak

One thing is to remember the multiple passwords – and this is solved by password managers – the other thing is the requirement to register at any site that you’d like to comment on (and as CAPTCHA is failing it seems that this is more and more required).

Stefan Hayden

Password managers do a lot for removing the need to remember all those passwords. Similarly OpenID needs a bigger push with browser makers to integrate openid.

I log on to gmail when I open my browser. If I did that with my openid then openid sites would seem much easier to use. With openid in so few places it does seem like a pain every time I use it. And if it was built in to the browser it could just auto log me in.

In general OpenID has been on full court press for a while now and is not *needed* in any one place yet. But hopefully the point where OpenID is easier than 20 different username/password combos is not too far off.

At the very least I feel the best results have come from OpenID when hard criticism comes out about real problems. And while I think it’s real and valid, it does mean that the problems can’t be fixed.

Deepak

I agree with part of the argument. However, to say that this is a marginal problem is wrong. The idea of identity as URI is very elegant, and something to be encouraged. The implementation is the critical path and how the spec evolves (without getting unusable).

João Almeida

But some OpenID providers (such as Vidoop) create a more secure environment than a standard password.

With MyOpenId I always sign in with a certificate and not a regular password.

Tim Renshaw

I have to confess that as closely as I follow and often espouse the value of OpenID, I’m a complete hypocrite as I don’t use it day-to-day. I like OpenID more as a demonstration of what we need than an actual solution to that need. I play with some of the IPs’ offerings waiting to see if someone is going to offer a secure IP solution with additional security services of real value.

That being said, I’ll comment on the three points:

1) I do need “it”, with “it” being defined as simple single sign-on. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent), retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it, and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is in non-critical applications. OpenID is an SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

Nicholas Hebb

>> “I don’t trust it” Looks like a bunch of FUD to me.

I don’t think that’s a fair characterization of the concerns over this. I am really wary of any solution that could be a single point of failure with wide reaching consequences.

Peter

“a bad solution to a marginal problem” – Best description of OpenID ever.

OpenID is like using the same logon and password everywhere, which is a very bad security practice. If your OpenID is compromised (by whatever method you want to imagine) you are pretty well screwed.

I can see OpenID being used for low-value accounts like blog comments and the like, but I don’t think it will ever become mainstream in high-value and/or financial transactions.

Emil

Couldn’t agree more, OpenID just doesn’t cut it. At WackWall we are planning to integrate Google account login some time soon, I think it solves all the three problems you mentioned.

Ivan V.

I realize your points are valid for the masses, but we are technical users… I don’t see what’s so difficult about setting up your own provider with phpMyID.

It took me 5 minutes to set it up, and I’m glad there are more and more sites that accept it. Especially when there’s something to try out and the only thing you have to do is provide your OpenID.

Ariel Diaz

I agree with your analysis that OpenID isn’t the solution, but I do think there is value in the ability to validate and confirm identity on the web. On this note, I think Facebook is in the best position to control that, and reap the rewards. If you’re interested, I wrote more about it: Facebook and Identity

Scott Kveton

I have to agree with most of your points here Mike and I’m one of the biggest OpenID cheerleaders out there.

There is a realization that is occurring among users and developers of OpenID and that’s that OpenID is a very important building block but not for the reasons we all originally thought.

I think the real strength in OpenID lies in the fact that a user can now point at a single URL as their own. Not only do I have a place on the Internet that I’ve proved I “control”, it’s also a single point of contact, a place to store my friends, messaging, etc. These applications are coming and I think those are what will drive OpenID.

One interesting side effect of the OpenID as a URL is that reputation is going to be baked into the Internet. You’ll be able to reference everything you’ve done on the public Internet because it will be indexed by your personal URL. Like it or not, that’s going to happen (I personally love it).

Bear in mind, most users won’t know or care what an OpenID is. Users want solutions, not a bunch of technology. Once somebody can make OpenID more usable and tied to other real solutions, that’s when it’s going to take off.

Finally, the reality of the situation is my mom never got SMTP, she got email. The same will be true with OpenID.

Aaron

Thanks for explaining your views. Since I was the one who apparently kicked off this round of OpenID discussion I figured I’d respond to your objections (even if I can’t use OpenID to do it). You raise some good points; OpenID is far from perfect, and those of us who want to see it adopted more widely need to address some of the issues you raise.

I’ve been told that WWD can’t do OpenID right now because you’ve chosen a hosting platform (WordPress.com) that restricts your features, but I would assume that if WordPress.com starts accepting OpenID there wouldn’t be any reason you would actively refuse it, would you?

In response to “I don’t need it”… you’re right, there are already password managers. But if more sites supported OpenID, you wouldn’t need a password manager in the first place. Wouldn’t it be nice to manage one OpenID instead of using a password manager to manage a bunch of standalone passwords?

“I can’t use it” You can’t use it everywhere yet. But there are quite a few places you can use it. And there are (a few) sites that require it. Ma.gnolia is probably the biggest, but also Pibb, Treasurelicious, Twitterwhere, and Twitterfeed (that I know of).

“I don’t trust it” Looks like a bunch of FUD to me. I fail to see how it’s any less secure than a bunch of standard usernames/passwords (and the reality is that many people use the same password everywhere). The “average user” won’t use it any more or less securely than they currently manage their passwords. But some OpenID providers (such as Vidoop) create a more secure environment than a standard password.

I don’t think that OpenID is a magic solution to all identity and password issues… but given that it’s fairly easy to support, it seems that web/technology services ought to at least offer it as an option for those users who want to take advantage of OpenID.

Thanks for your post… the more discussion, the better!

emalyse

There is currently a huge disparity between those offering to be OpenID providers and those offering OpenID as a signup or login option along with the myriad of features that many sites prefer not to implement. It’s the laissez faire approach to full implementation which probably helps undermine OpenID’s credibility.

Antoinette

I signed up for Open ID but have never been able to get it to work right (Open ID knows I’m registered but I get rejected when I try to use it). Now, I’m kind of glad it hasn’t worked out for me!

It is a hassle having all of these usernames and even more passwords. I might try one of those software solutions you mention.