I’ve been tempted to write why OpenID has been driving me up the wall.
I have not implemented OpenID in any application, so I come at it not as an implementor or programmer but as an end user: a number of sites I’ve used, including Stack Overflow and Sourceforge, have either allowed or insisted upon OpenID authentication.
My first OpenID account was at Verisign Labs (PIP). They’re well established in web security, so I figured it would be a reliable service, and a company that wasn’t likely to disappear on me. Their service, however, left me frustrated for a few reasons.
- For some reason (early onset dementia?), I could never remember my OpenID URL and found myself needing to look it up all the time, which meant starting up my email client. Because it’s not only a username I chose, but also includes the web address of the OpenID provider, I found it easier to forget. I can’t really see ordinary web users finding the URL thing intuitive; for some time now, favourites/bookmarks and search engines have been teaching us that remembering URLs shouldn’t be necessary.
- The Verisign Labs PIP has one of the most user-unfriendly features I have ever experienced. With the aim of preventing phishing attacks, a well-meaning goal, it does not allow you to authenticate yourself at any OpenID supported site at all unless you have already logged in directly at Verisign’s website during the same browser session. Try typing in your OpenID to your favourite site, and you get a message from Verisign telling you that no, you haven’t logged in to Verisign this session, so you can’t proceed. When I encounter this, I have no choice but to open up a second tab and head over to their site to log in, except that much of the time I can’t, because I don’t have a browser certificate installed on the computer I’m using at the time (I don’t think it’s abnormal to use more than one computer regularly). So in order to authenticate me, it has to send me an email containing a single-use PIN. Thank goodness my email account doesn’t use OpenID authentication and I can get to that fairly easily. I’ve never had to jump through so many hoops, just to log in to an application I already have an account at.
- Once I’ve started using an OpenID identity from a certain provider on a site or two, it would appear that I am tied to that OpenID provider for life. It makes it very hard to evaluate OpenID providers when your choice is a permanent one. Yes, I realise that it is possible to use delegation, or even to install your own OpenID server, but if we’re going to be talking about end users, neither of these two are really practical, and both of them are likely to result in decreased security.
My second OpenID provider, MyOpenID, appears to be a fair bit easier to get along with, and doesn’t suffer from many of the problems I’d previously encountered.
Simply by opening another OpenID account, however, everything has become exponentially more complicated: if you switch providers, there’s no easy way that I can see to merge all site accounts based on an identity at my previous provider across to the new one. It seems like changing providers may mean ditching a bunch of old accounts and signing up for all new ones. I was impressed at the way Stack Overflow’s implementation allowed switching the OpenID identity associated with my account there. Unfortunately, this flexibility is a result only of Stack Overflow’s thoughtful design, and such a feature is not part of a typical OpenID implementation.
MyOpenID, thankfully, allows me to authenticate myself without having to twiddle around with going to the OpenID provider’s site in a separate browser window or getting a single-use PIN. I suppose it is similar to what the OpenID experience should have been like from the start. Maybe my Verisign Labs PIP account just had too many optional features turned on.
I still find, however, that some things about OpenID underwhelm me:
- Signing up for a new account at an OpenID-enabled site appears no easier when using OpenID. After authenticating with my OpenID URL and whatever authentication I need to do at the OpenID provider’s end, when I return to the client site I still have to fill out a form, and most of the time I still have to confirm my email address. Some fields have been pre-filled by my OpenID account, but I still need to choose a username that is unique to that application, and likely even fill in a Captcha.
- Users are well experienced already with simple username/password combinations. They know, for example, that the password should be kept secret, and it’s that secret that provides their security. Even though they might have several username/password combinations at different sites, this doesn’t make things any more complicated, because the same concept is just repeated. With an OpenID account, however, not only do they now have a username and password at their OpenID provider, but they also have this OpenID URL, and maybe even a browser certificate. That is three or four pieces of information. Furthermore, how will they understand that authenticating with an OpenID URL alone can provide any security, when the OpenID URL is not a secret, and there is no password? I wouldn’t be surprised if users thought that OpenID was grossly insecure, because they don’t understand that all the real security is hidden from them.
- I also wouldn’t be surprised if the idea that their identity is passed between sites made users a bit worried. For instance, how can an OpenID implementor reassure the user that even if they use their OpenID URL to log in and register, that doesn’t mean the implementor now has the password to the user’s OpenID account? All the beneficial security concepts are a black box to the users, who may just assume that the OpenID account is a way for their password and identity to be freely passed around between sites. Far from using it only when high security is needed, we may find that users, unaware of the security benefits to OpenID, only trust OpenID with information they don’t mind losing.
So far I haven’t been convinced that using OpenID is significantly safer – even when comparing it to re-using the same username and password at a whole bunch of different sites, which is itself a dubious security practice. With OpenID, I still have all my eggs in one basket. If an attacker gains access to my OpenID account, he can still impersonate me at all sites where I rely on that identity.
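To make concrete the two points made above (that the relying party never sees the user's password, and that one compromised provider account reaches every site that trusts it), here is an added example that is not part of the original post. It is a deliberately simplified model of a provider that issues HMAC-signed assertions over a pre-agreed association key, in the spirit of OpenID 2.0, not an implementation of the specification; every name, URL and password in it is constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets


def _sign(key, fields):
    """HMAC over the assertion fields (except the signature itself), in a fixed order."""
    signed = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(key, signed.encode(), hashlib.sha256).hexdigest()


class Provider:
    """Toy OpenID-style provider: the only party that ever holds the password."""

    def __init__(self):
        self._users = {}    # claimed URL -> (salt, PBKDF2 hash of the password)
        self._assocs = {}   # association handle -> HMAC key shared with one relying party

    def register(self, claimed_url, password):
        salt = os.urandom(16)
        self._users[claimed_url] = (
            salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def associate(self):
        """Relying party and provider agree on a shared key ahead of any login."""
        handle, key = secrets.token_hex(8), os.urandom(32)
        self._assocs[handle] = key
        return handle, key

    def authenticate_and_assert(self, claimed_url, password, handle, return_to):
        """The user types the password here; the relying party only gets a signed assertion."""
        salt, digest = self._users[claimed_url]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        fields = {"claimed_id": claimed_url, "return_to": return_to,
                  "assoc_handle": handle, "nonce": secrets.token_hex(8)}
        fields["sig"] = _sign(self._assocs[handle], fields)
        return fields


class RelyingParty:
    """The site being logged in to. It stores the association key, never a password."""

    def __init__(self, provider, return_to):
        self.return_to = return_to
        self.handle, self.key = provider.associate()
        self.seen_nonces = set()

    def verify(self, fields):
        """Return the asserted identity URL, or None if the assertion is not acceptable."""
        if fields is None or fields.get("assoc_handle") != self.handle:
            return None
        if fields.get("return_to") != self.return_to:       # assertion meant for another site
            return None
        if not hmac.compare_digest(_sign(self.key, fields), fields.get("sig", "")):
            return None                                     # tampered or forged
        if fields["nonce"] in self.seen_nonces:             # replayed
            return None
        self.seen_nonces.add(fields["nonce"])
        return fields["claimed_id"]


def demo():
    """Constructed scenario: one provider account used at two relying parties."""
    idp = Provider()
    alice = "https://alice.example.net/"                    # constructed identity URL
    idp.register(alice, "correct horse battery")            # constructed password
    site_a = RelyingParty(idp, "https://site-a.example.com/return")
    site_b = RelyingParty(idp, "https://site-b.example.org/return")

    good = idp.authenticate_and_assert(alice, "correct horse battery", site_a.handle, site_a.return_to)
    results = {"ok": site_a.verify(good)}
    # Editing the identity in transit invalidates the signature.
    results["forged"] = site_a.verify(dict(good, claimed_id="https://bob.example.net/"))
    # Presenting the same assertion twice is rejected by the nonce check.
    results["replay"] = site_a.verify(good)
    # A wrong password never yields an assertion at all.
    results["wrong_password"] = idp.authenticate_and_assert(
        alice, "guess", site_a.handle, site_a.return_to)
    # The same single credential also opens site B: one basket, all the eggs.
    results["second_site"] = site_b.verify(idp.authenticate_and_assert(
        alice, "correct horse battery", site_b.handle, site_b.return_to))
    return results


if __name__ == "__main__":
    print(demo())
```

Notice what each party holds: the relying parties keep an association key and a list of identity URLs, so a breach of either site leaks no password; the provider keeps the password hashes, so whoever controls that one account can obtain valid assertions for every site that trusts it, which is exactly the basket the post describes.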
OpenID is a well-meaning idea, and with more experience I am sure that I will master it more, but being this confusing and headache-inducing even to a web developer is a clear indication that it has some way to go before it can be considered fit for general use. Get this: the Wikipedia page for OpenID displays a prominent warning which reads “This page may be too technical for a general audience” applying to various sections, including the section titled “Logging in”. If it is too hard to describe how to “log in” without alienating a non-technical audience, it is a sign that the process is not too usable, and anyone thinking that they are implementing OpenID in order to “simplify” things for end-users may need to think twice.
While some boast about big companies like Google adopting OpenID, it’s not really all that much to crow about – their support is only as a provider, not as an implementor. I cannot, for example, use an existing OpenID to authenticate myself at Google, I can only use a Google ID to authenticate myself elsewhere. Not allowing OpenID authentication themselves doesn’t contribute to the widespread use of OpenID but further segregates it, which is probably just as much of an injustice to OpenID as its indecipherable Wikipedia page.
37 Replies to “My problems with OpenID”
One comment with regards to your last paragraph:
Google becoming an OpenID provider is a pretty big deal when you consider SaaS solutions out there like JanRain’s RPX. RPX allows site visitors to register and login to a website using their existing Google, Yahoo, Facebook, MySpace or AOL accounts. This dramatically simplifies the registration and login process for end users.
Check out http://uservoice.com/session/new to see RPX in action.
I tried looking at your blog in my iphone and the design does not seem to be correct. Might want to check it out on WAP as well as it seems most smartphone layouts are not really working with your web site.
Have you given any kind of thought at all with translating your main web site in to French? I know a several of translaters here which would certainly help you do it for free if you wanna make contact with me personally.
As soon as I initially commented I clicked on the Notify me whenever new comments are added checkbox and currently every time a remark is added I receive four emails with the exact same comment.
I believe one of your current ads triggered my internet browser to resize, you may well need to get that on your blacklist.
Wanted to drop a comment and let you know your Feed is not functioning today. I tried including it to my Google reader account and got absolutely nothing.
Strange , your site turns up with a black hue to it, what color is the primary color on your site?
An cool blog post right there mate . Cheers for it .
Great Stuff, do you have a bebo profile?
Is it fine to insert a portion of this in my personal web site if perhaps I publish a reference point to this web-site?
I was curious about if you ever considered adjusting the page layout of your web site? Its well written; I love what youve got to state. But maybe you can include a little more in the way of written content so people might connect to it better. You have got an awful lot of text for only having one or two pictures. Maybe you can space it out better?
Can you email me with some tips about how you made this website look like this , Id appreciate it!
I adore the blog site layout ! How was it made? It is rather sweet.
A lot of of the responses on this blog site dont make sense.
The look for the web site is a little bit off in Epiphany. Nevertheless I like your weblog. I may have to install a normal browser just to enjoy it.
If you dont mind, exactly where do you host your website? I am looking for a good quality web host and your webpage seams to be fast and up most the time
Have you given any consideration at all with translating your current website in to Chinese? I know a couple of of translaters right here which might help you do it for free if you want to make contact with me personally.
I Will have to come back again whenever my course load lets up – nevertheless I am taking your Rss feed so i could read your blog offline. Thanks.
This blog has lots of extremely useful information on it. Thank you for informing me!
Genuinely when someone doesn’t understand then its up to other users that they will help, so here it happens.
Hi there! I just wish to offer you a huge thumbs up for your excellent info you have got right here on this post.
I’ll be returning to your web site for more soon.
The citric acid in the lemon juice does the trick by lightening up the spot.
In reality it is the substances of a fat burner pill that must be your main worry not just no matter whether it essentially burns extra fat. While Phen375 has several benefits, there are few side effects as well.
You’ve made some decent points there. I checked on the net for more info about the issue and found most individuals will go along with your views on this site.
I think this is one of the such a lot important info for me. And i’m satisfied studying your article. But should observation on some basic issues, The web site taste is ideal, the articles is in point of fact nice : D. Good process, cheers
My developer is trying to convince me to move to .net from PHP. I have always disliked the idea because of the costs. But he’s trying none the less. I’ve been using Movable-type on various websites for about a year and am anxious about switching to another platform. I have heard excellent things about blogengine.net. Is there a way I can import all my wordpress content into it? Any help would be greatly appreciated!
“My problems with OpenID | The Bit Depth Blog” ended up being an extremely awesome blog post. Continue authoring and I’ll keep following!
I am posting this little comment only to congratulate the author. A post truly full of advice.
I read a lot of interesting articles here. Probably you spend a lot of time writing, i know how to save you a lot of work, there is an online tool that creates unique, SEO friendly posts in minutes, just type in google – laranitas free content source
Hi, after reading this remarkable paragraph i am too delighted to share my know-how here with
When I originally commented I appear to have clicked on the -Notify me when new comments are added- checkbox and now whenever a comment is added I get four emails with the same comment. Is there a means you can remove me from that service?
This piece of writing is genuinely a good one it helps new the web viewers, who are wishing in favor of blogging.
Thanks for the ideas you have shared here. One more thing I would like to convey is that personal computer memory specifications generally increase along with other advancements in the know-how. For instance, any time new generations of cpus are made in the market, there is usually an equivalent increase in the dimensions demands of both the computer system memory as well as hard drive room. This is because the program operated by simply these processor chips will inevitably rise in power to leverage the new technological know-how.