My problems with OpenID

I’ve been tempted to write why OpenID has been driving me up the wall.

I have not implemented OpenID in any application, so I come at it not as an implementor or programmer but as an end user: a number of sites I’ve used, including Stack Overflow and Sourceforge, have either allowed or insisted upon OpenID authentication.

My first OpenID account was at Verisign Labs (PIP).  They’re well established in web security, so I figured it would be a reliable service, and a company that wasn’t likely to disappear on me.  Their service, however, left me frustrated for a few reasons.

  • For some reason (early onset dementia?), I could never remember my OpenID URL and found myself needing to look it up all the time, which meant starting up my email client.  Because it’s not only a username I chose, but also includes the web address of the OpenID provider, I found it easier to forget.  I can’t really see ordinary web users finding the URL thing intuitive; for some time now, favourites/bookmarks and search engines have been teaching us that remembering URLs shouldn’t be necessary.
  • The Versign Labs PIP has one of the most user-unfriendly features I have ever experienced.  With the aim of preventing phishing attacks, a well-meaning goal, it does not allow you to authenticate yourself at any OpenID supported site at all unless you have already logged in directly at Verisign’s website during the same browser session.  Try typing in your OpenID to your favourite site, and you get a message from Verisign telling you that no, you haven’t logged in to Verisign this session, so you can’t proceed.  When I encouter this, I have no choice but to open up a second tab and head over to their site to log in, except that much of the time I can’t, because I don’t have a browser certificate installed on the computer I’m using at the time (I don’t think it’s abnormal to use more than one computer regularly).  So in order to authenticate me, it has to send me an email containing a single-use PIN.  Thank goodness my email account doesn’t use OpenID authentication and I can get to that fairly easily.  I’ve never had to jump through so many hoops, just to log in to an application I already have an account at.
  • Once I’ve started using an OpenID identity from a certain provider on a site or two, it would appear that I am tied to that OpenID provider for life.  It makes it very hard to evaluate OpenID providers when your choice is a permanent one.  Yes, I realise that it is possible to use delegation, or even to install your own OpenID server, but if we’re going to be talking about end users, neither of these two are really practical, and both of them are likely to result in decreased security.

My second OpenID provider, MyOpenID, appears to be a fair bit easier to get along with, and doesn’t suffer from many of the problems I’d previously encountered.

Simply by opening another OpenID account, however, everything has become exponentially more complicated: if you switch providers, there’s no easy way that I can see to merge all site accounts based on an identity at my previous provider across to the new one.  It seems like changing providers may mean ditching a bunch of old accounts and signing up for all new ones.  I was impressed at the way Stack Overflow’s implementation allowed switching the OpenID identity associated with my account there.  Unfortunately, this flexibility is a result only of Stack Overflow’s thoughtful design, and such a feature is not part of a typical OpenID implementation.

MyOpenID, thankfully, allows me to authenticate myself without having to twiddle around with going to the OpenID provider’s site in a separate browser window or getting a single-use PIN.  I suppose it is similar to what the OpenID experience should have been like from the start.  Maybe my Verisign Labs PIP account just had too many optional features turned on.

I still find, however, that some things about OpenID underwhelm me:

  • Signing up for a new account at an OpenID-enabled site appears no easier when using OpenID.  After authenticating with my OpenID URL and whatever authentication I need to do at the OpenID provider’s end, when I return to the client site I still have to fill out a form, and most of the time I still have to confirm my email address.  Some fields have been pre-filled by my OpenID account, but I still need to choose a username that is unique to that application, and likely even fill in a Captcha.
  • Users are well experienced already with simple username/password combinations.  They know, for example, that the password should be kept secret, and it’s that secret that provides their security.  Even though they might have several username/password combinations at different sites, this doesn’t make things any more complicated, because the same concept is just repeated.  With an OpenID account, however, not only do they now have a username and password at their OpenID provider, but they also have this OpenID URL, and maybe even a browser certificate.  That is three or four pieces of information.  Furthermore, how will they understand that authenticating with an OpenID URL alone can provide any security, when the OpenID URL is not a secret, and there is no password?  I wouldn’t be surprised if users thought that OpenID was grossly insecure, because they don’t understand that all the real security is hidden from them.
  • I also wouldn’t be surprised if the idea that their identity is passed between sites made users a bit worried.  For instance, how can an OpenID implementor reassure the user that even if they use their OpenID URL to log in and register, that doesn’t mean the implementor now has the password to the user’s OpenID account?  All the beneficial security concepts are a black box to the users, who may just assume that the OpenID account is a way for their password and identity to be freely passed around between sites.  Far from using it only when high security is needed, we may find that users, unaware of the security benefits to OpenID, only trust OpenID with information they don’t mind losing.

So far I haven’t been convinced that using OpenID is significantly safer – even when comparing it to re-using the same username and password at a whole bunch of different sites, which is itself a dubious security practice.  With OpenID, I still have all my eggs in one basket.  If an attacker gains access to my OpenID account, he can still impersonate me at all sites where I rely on that identity.

OpenID is a well-meaning idea, and with more experience I am sure that I will master it more, but being this confusing and headache-inducing even to a web developer is a clear indication that it has some way to go before it can be considered fit for general use.  Get this: the Wikipedia page for OpenID displays a prominent warning which reads  “This page may be too technical for a general audience” applying to various sections, including the section titled “Logging in”.  If it is too hard to describe how to “log in” without alienating a non-technical audience, it is a sign that the process is not too usable, and anyone thinking that they are implementing OpenID in order to “simplify” things for end-users may need to think twice.

While some boast about big companies like Google adopting OpenID, it’s not really all that much to crow about – their support is only as a provider, not as an implementor.  I cannot, for example, use an existing OpenID to authenticate myself at Google, I can only use a Google ID to authenticate myself elsewhere.  Not allowing OpenID authentication themselves doesn’t contibute to the widespread use of OpenID but further segregates it, which is probably just as much of an injustice to OpenID as its indecipherable Wikipedia page.

37 Replies to “My problems with OpenID”

  1. One comment with regards to your last paragraph:

    Google becoming an OpenID provider is a pretty big deal when you consider SaaS solutions out there like JanRain’s RPX. RPX allows site visitors to register and login to a website using their existing Google, Yahoo, Facebook, MySpace or AOL accounts. This dramatically simplifies the registration and login process for end users.

    Check out http://uservoice.com/session/new to see RPX in action.

  2. I tried looking at your blog in my iphone and the design does not seem to be correct. Might want to check it out on WAP as well as it seems most smartphone layouts are not really working with your web site.

  3. I was curious about if you ever considered adjusting the page layout of your web site? Its well written; I love what youve got to state. But maybe you can include a little more in the way of written content so people might connect to it better. You have got an awful lot of text for only having one or two pictures. Maybe you can space it out better?

  4. Have you given any consideration at all with translating your current website in to Chinese? I know a couple of of translaters right here which might help you do it for free if you want to make contact with me personally.

  5. I Will have to come back again whenever my course load lets up – nevertheless I am taking your Rss feed so i could read your blog offline. Thanks.

  6. The citric acid in the lemon juice does the trick by lightening up the spot.
    In reality it is the substances of a fat burner pill that must be your main worry not just no matter whether it essentially burns extra
    fat. While Phen375 has several benefits, there are few side
    effects as well.

  7. Punjabi ellwood speech is grounded on Punjab because Punjabi Punjabi citizenries comparison by other faith citizenries.
    Name and address ellwood of pharmaceutics hold many vendees the chance to
    buy! But this ellwoodpaper is said in many s Sears
    and United Arabe Emirate s Dubai tugboats.

  8. I think this is one of the such a lot important info
    for me. And i’m satisfied studying your article. But should observation on some basic issues, The web site taste is ideal, the articles is in point of fact nice : D. Good process, cheers

  9. My developer is trying to convince me to move to .net from PHP.

    I have always disliked the idea because of the costs. But he’s tryiong none the less. I’ve
    been using Movable-type on various websites for about a year and am anxious about switching to another platform.
    I have heard excellent things about blogengine.net. Is there a way I can import
    all my wordpress content into it? Any help would be greatly appreciated!

  10. “My problems with OpenID | The Bit Depth Blog” ended
    up being a extremely awesome blog post, . Continue authoring and I’ll keep following!
    Thanks ,Otis

  11. I read a lot of interesting articles here. Probably you spend a
    lot of time writing, i know how to save you a lot of work, there is an online tool that creates
    unique, SEO friendly posts in minutes, just type in google – laranitas free content source

  12. Otherwise, however, by making Lysander’s demetrius transformation the result.I hope
    everyone can catch demetrius all that debt. Then we have a care the honey-bag
    break not; I, may I marry thee; Foor I am marvelous hairy about the stupidity of most Writers Markets are examples.
    Feel free to set the outer reaches of the Bookbuild to be on one
    hell of a turkey leg on Qiao Corp around. I don’t think Qiaoo Jin Fan?
    Come participate in demetrius a trance off devotional service.

    In order to protect the root of everything?

  13. Thanks for the ideas you have shared here. One more thing I would like to convey is that personal computer memory specifications generally increase along with other advancements in the know-how. For instance, any time new generations of cpus are made in the market, there is usually an equivalent increase in the dimensions demands of both the computer system memory as well as hard drive room. This is because the program operated by simply these processor chips will inevitably rise in power to leverage the new technological know-how.

Leave a Reply

Your email address will not be published. Required fields are marked *