My problems with OpenID

23 February, 2009 at 7:46 pm 39 comments

I’ve been tempted to write why OpenID has been driving me up the wall.

I have not implemented OpenID in any application, so I come at it not as an implementor or programmer but as an end user: a number of sites I’ve used, including Stack Overflow and Sourceforge, have either allowed or insisted upon OpenID authentication.

My first OpenID account was at Verisign Labs (PIP).  They’re well established in web security, so I figured it would be a reliable service, and a company that wasn’t likely to disappear on me.  Their service, however, left me frustrated for a few reasons.

  • For some reason (early onset dementia?), I could never remember my OpenID URL and found myself needing to look it up all the time, which meant starting up my email client.  Because it’s not only a username I chose, but also includes the web address of the OpenID provider, I found it easier to forget.  I can’t really see ordinary web users finding the URL thing intuitive; for some time now, favourites/bookmarks and search engines have been teaching us that remembering URLs shouldn’t be necessary.
  • The Verisign Labs PIP has one of the most user-unfriendly features I have ever experienced.  With the aim of preventing phishing attacks, a well-meaning goal, it does not allow you to authenticate yourself at any OpenID supported site at all unless you have already logged in directly at Verisign’s website during the same browser session.  Try typing in your OpenID to your favourite site, and you get a message from Verisign telling you that no, you haven’t logged in to Verisign this session, so you can’t proceed.  When I encounter this, I have no choice but to open up a second tab and head over to their site to log in, except that much of the time I can’t, because I don’t have a browser certificate installed on the computer I’m using at the time (I don’t think it’s abnormal to use more than one computer regularly).  So in order to authenticate me, it has to send me an email containing a single-use PIN.  Thank goodness my email account doesn’t use OpenID authentication and I can get to that fairly easily.  I’ve never had to jump through so many hoops, just to log in to an application I already have an account at.
  • Once I’ve started using an OpenID identity from a certain provider on a site or two, it would appear that I am tied to that OpenID provider for life.  It makes it very hard to evaluate OpenID providers when your choice is a permanent one.  Yes, I realise that it is possible to use delegation, or even to install your own OpenID server, but if we’re going to be talking about end users, neither of these two are really practical, and both of them are likely to result in decreased security.

My second OpenID provider, MyOpenID, appears to be a fair bit easier to get along with, and doesn’t suffer from many of the problems I’d previously encountered.

Simply by opening another OpenID account, however, everything has become exponentially more complicated: if you switch providers, there’s no easy way that I can see to merge all site accounts based on an identity at my previous provider across to the new one.  It seems like changing providers may mean ditching a bunch of old accounts and signing up for all new ones.  I was impressed at the way Stack Overflow’s implementation allowed switching the OpenID identity associated with my account there.  Unfortunately, this flexibility is a result only of Stack Overflow’s thoughtful design, and such a feature is not part of a typical OpenID implementation.

MyOpenID, thankfully, allows me to authenticate myself without having to twiddle around with going to the OpenID provider’s site in a separate browser window or getting a single-use PIN.  I suppose it is similar to what the OpenID experience should have been like from the start.  Maybe my Verisign Labs PIP account just had too many optional features turned on.

I still find, however, that some things about OpenID underwhelm me:

  • Signing up for a new account at an OpenID-enabled site appears no easier when using OpenID.  After authenticating with my OpenID URL and whatever authentication I need to do at the OpenID provider’s end, when I return to the client site I still have to fill out a form, and most of the time I still have to confirm my email address.  Some fields have been pre-filled by my OpenID account, but I still need to choose a username that is unique to that application, and likely even fill in a Captcha.
  • Users are well experienced already with simple username/password combinations.  They know, for example, that the password should be kept secret, and it’s that secret that provides their security.  Even though they might have several username/password combinations at different sites, this doesn’t make things any more complicated, because the same concept is just repeated.  With an OpenID account, however, not only do they now have a username and password at their OpenID provider, but they also have this OpenID URL, and maybe even a browser certificate.  That is three or four pieces of information.  Furthermore, how will they understand that authenticating with an OpenID URL alone can provide any security, when the OpenID URL is not a secret, and there is no password?  I wouldn’t be surprised if users thought that OpenID was grossly insecure, because they don’t understand that all the real security is hidden from them.
  • I also wouldn’t be surprised if the idea that their identity is passed between sites made users a bit worried.  For instance, how can an OpenID implementor reassure the user that even if they use their OpenID URL to log in and register, that doesn’t mean the implementor now has the password to the user’s OpenID account?  All the beneficial security concepts are a black box to the users, who may just assume that the OpenID account is a way for their password and identity to be freely passed around between sites.  Far from using it only when high security is needed, we may find that users, unaware of the security benefits to OpenID, only trust OpenID with information they don’t mind losing.
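The two points above (the OpenID URL is public, so where does the security live, and switching providers tends to strand a site account) are easier to see in a relying party that actually checks an assertion. The following is an added example, not code from the post or from any OpenID library. It is a simplified model of OpenID 2.0 association-based signing (an HMAC-SHA256 over the signed fields in `name:value` line form, shared between provider and relying party), omitting discovery, nonces and the wire encoding. All URLs and the account name are constructed placeholders. It shows that knowing a claimed OpenID URL is worthless without a valid signature, that an assertion from a provider the relying party has no association with is rejected, and how a relying party can let a user link a second identity to the same local account so a provider switch does not mean a new account.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed placeholders, not real services or identities.
RP_RETURN_TO = "https://relyingparty.example/openid/return"
FIRST_ID = "https://alice.provider-one.example/"   # identity at the first provider
SECOND_ID = "https://alice.provider-two.example/"  # identity at a second provider


def _signature(mac_key, fields):
    """HMAC-SHA256 over the listed signed fields as name:value lines (simplified
    model of OpenID 2.0 signing; the 'signed' list fixes the field order)."""
    names = fields["signed"].split(",")
    data = "".join(f"{n}:{fields[n]}\n" for n in names).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode()


class Provider:
    """Toy OpenID provider: hands out association keys and signs assertions."""

    def __init__(self):
        self.associations = {}  # assoc_handle -> shared MAC key

    def associate(self):
        handle, mac_key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = mac_key
        return handle, mac_key

    def assert_identity(self, handle, claimed_id, return_to):
        """The positive assertion the provider sends back to the relying party."""
        fields = {"claimed_id": claimed_id, "return_to": return_to,
                  "assoc_handle": handle, "signed": "claimed_id,return_to,assoc_handle"}
        fields["sig"] = _signature(self.associations[handle], fields)
        return fields


class RelyingParty:
    """Toy relying party: verifies assertions, maps claimed ids to local accounts."""

    REQUIRED_SIGNED = {"claimed_id", "return_to", "assoc_handle"}

    def __init__(self, return_to):
        self.return_to = return_to
        self.associations = {}  # assoc_handle -> shared MAC key
        self.identities = {}    # claimed_id -> local account name (many-to-one)

    def establish_association(self, provider):
        handle, mac_key = provider.associate()
        self.associations[handle] = mac_key
        return handle

    def verify(self, fields):
        """The claimed URL alone grants nothing: the assertion must be signed under
        an association this RP holds, cover the required fields, and target this RP."""
        mac_key = self.associations.get(fields.get("assoc_handle", ""))
        if mac_key is None or fields.get("return_to") != self.return_to:
            return False
        if not self.REQUIRED_SIGNED.issubset(fields.get("signed", "").split(",")):
            return False
        try:
            expected = _signature(mac_key, fields)
        except KeyError:  # a field named in 'signed' is absent from the message
            return False
        return hmac.compare_digest(expected, fields.get("sig", ""))

    def register(self, fields, account):
        if not self.verify(fields) or fields["claimed_id"] in self.identities:
            return False
        self.identities[fields["claimed_id"]] = account
        return True

    def link_identity(self, current_login, new_login):
        """Attach a second claimed id to an existing account; both assertions must
        verify, so only someone controlling the old identity can add a new one."""
        if not (self.verify(current_login) and self.verify(new_login)):
            return False
        account = self.identities.get(current_login["claimed_id"])
        if account is None or new_login["claimed_id"] in self.identities:
            return False
        self.identities[new_login["claimed_id"]] = account
        return True

    def login(self, fields):
        """Local account name for a valid assertion, else None."""
        return self.identities.get(fields["claimed_id"]) if self.verify(fields) else None


def demo():
    """Registration, two bogus assertions for a public URL, then a provider switch."""
    one, two, rp = Provider(), Provider(), RelyingParty(RP_RETURN_TO)
    h1, h2 = rp.establish_association(one), rp.establish_association(two)
    first = one.assert_identity(h1, FIRST_ID, RP_RETURN_TO)
    registered = rp.register(first, "alice")
    # Someone who only knows Alice's public URL cannot produce a valid signature...
    forged = dict(first, sig=base64.b64encode(b"\0" * 32).decode())
    # ...and a provider with no association at this RP is rejected outright.
    rogue = Provider()
    rogue_assertion = rogue.assert_identity(rogue.associate()[0], FIRST_ID, RP_RETURN_TO)
    second = two.assert_identity(h2, SECOND_ID, RP_RETURN_TO)
    return {"registered": registered,
            "forged_login": rp.login(forged),
            "rogue_provider_login": rp.login(rogue_assertion),
            "linked": rp.link_identity(first, second),
            "login_via_second_provider": rp.login(second)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

One caveat the model leaves out: a real relying party also performs discovery on the claimed URL and checks that the asserting provider is the one discovered for it; without that step, any provider holding an association could assert any URL. Nonce checking against replay is likewise omitted here.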

So far I haven’t been convinced that using OpenID is significantly safer – even when comparing it to re-using the same username and password at a whole bunch of different sites, which is itself a dubious security practice.  With OpenID, I still have all my eggs in one basket.  If an attacker gains access to my OpenID account, he can still impersonate me at all sites where I rely on that identity.

OpenID is a well-meaning idea, and with more experience I am sure that I will master it more, but being this confusing and headache-inducing even to a web developer is a clear indication that it has some way to go before it can be considered fit for general use.  Get this: the Wikipedia page for OpenID displays a prominent warning which reads  “This page may be too technical for a general audience” applying to various sections, including the section titled “Logging in”.  If it is too hard to describe how to “log in” without alienating a non-technical audience, it is a sign that the process is not too usable, and anyone thinking that they are implementing OpenID in order to “simplify” things for end-users may need to think twice.

While some boast about big companies like Google adopting OpenID, it’s not really all that much to crow about – their support is only as a provider, not as an implementor.  I cannot, for example, use an existing OpenID to authenticate myself at Google, I can only use a Google ID to authenticate myself elsewhere.  Not allowing OpenID authentication themselves doesn’t contribute to the widespread use of OpenID but further segregates it, which is probably just as much of an injustice to OpenID as its indecipherable Wikipedia page.


Entry filed under: Practical web security.


39 Comments

  • 1. legalsounds  |  21 August, 2016 at 5:37 am

    Hello, it’s a pleasant paragraph concerning media print; we are all aware that media is
    an impressive source of information.

  • 2. concurso publico professor santo andre  |  2 June, 2016 at 1:21 am

    TORRES, C.Para.; ‘CADIZ, M.D.P.; WONG, P.L. Education and Democracy:
    that praxis with Paulo Freire in São Paulo.

  • 3. Chany Ali  |  30 November, 2015 at 4:27 am

    Thanks for the ideas you have shared here. One more thing I would like to convey is that personal computer memory specifications generally increase along with other advancements in the know-how. For instance, any time new generations of cpus are made in the market, there is usually an equivalent increase in the dimensions demands of both the computer system memory as well as hard drive room. This is because the program operated by simply these processor chips will inevitably rise in power to leverage the new technological know-how.

  • 4. website design usa  |  26 November, 2015 at 8:30 pm

    This piece of writing is genuinely a good one; it helps new
    web viewers, who are wishing in favor of blogging.

  • 5. this page  |  21 September, 2014 at 5:49 am

    Otherwise, however, by making Lysander’s demetrius transformation the result. I hope
    everyone can catch demetrius all that debt. Then we have a care the honey-bag
    break not; I, may I marry thee; For I am marvelous hairy about the stupidity of most Writers Markets are examples.
    Feel free to set the outer reaches of the Bookbuild to be on one
    hell of a turkey leg on Qiao Corp around. I don’t think Qiao Jin Fan?
    Come participate in demetrius a trance off devotional service.

    In order to protect the root of everything?

  • 6. How to Find a Reliable Tradesman  |  16 September, 2014 at 8:11 am

    When I originally commented I appear to have clicked
    on the -Notify me when new comments are added- checkbox and now whenever
    a comment is added I get four emails with
    the same comment. Is there a means you can remove me from that service?


  • 7.  |  10 September, 2014 at 5:09 pm

    Hi, after reading this remarkable paragraph I
    am too delighted to share my know-how here with

  • 8. Imogene  |  30 August, 2014 at 3:28 pm

    I read a lot of interesting articles here. Probably you spend a
    lot of time writing; I know how to save you a lot of work, there is an online tool that creates
    unique, SEO friendly posts in minutes, just type in google – laranitas free content source

  • 9.  |  24 May, 2014 at 12:25 pm

    A post really full of advice

  • 10. meuf asiate  |  17 May, 2014 at 4:21 am

    I am posting this little comment only to congratulate the author

  • 11. Major  |  23 January, 2014 at 11:09 am

    “My problems with OpenID | The Bit Depth Blog” ended
    up being an extremely awesome blog post. Continue authoring and I’ll keep following!
    Thanks, Otis

  • 12. Immobilienlexikon  |  31 August, 2013 at 8:49 pm

    My developer is trying to convince me to move to .net from PHP.

    I have always disliked the idea because of the costs. But he’s trying none the less. I’ve
    been using Movable Type on various websites for about a year and am anxious about switching to another platform.
    I have heard excellent things about Is there a way I can import
    all my WordPress content into it? Any help would be greatly appreciated!

  • 13. Purchase Zithromax Online  |  5 August, 2013 at 2:49 am

    I think this is one of the most important info
    for me. And I’m satisfied studying your article. But I should comment on some basic issues: the web site taste is ideal, the articles are in point of fact nice :D. Good process, cheers

  • 14.  |  14 July, 2013 at 2:04 pm

    Punjabi ellwood speech is grounded on Punjab because Punjabi Punjabi citizenries comparison by other faith citizenries.
    Name and address ellwood of pharmaceutics hold many vendees the chance to
    buy! But this ellwood paper is said in many s Sears
    and United Arab Emirates Dubai tugboats.

  • 15. Used Commercial Washers and Dryers For Sale  |  5 July, 2013 at 1:54 pm

    You’ve made some decent points there. I checked on the net for more info about the issue and found most individuals will go along with your views on this site.

  • 16. Alejandra  |  28 June, 2013 at 3:55 pm

    The citric acid in the lemon juice does the trick by lightening up the spot.
    In reality it is the substances of a fat burner pill that must be your main worry not just no matter whether it essentially burns extra
    fat. While Phen375 has several benefits, there are few side
    effects as well.

  • 17. internet history  |  25 May, 2013 at 5:50 am

    Hi there! I just wish to offer you a huge thumbs up for your excellent info you have got right here on this post.
    I’ll be returning to your web site for more soon.

  • 18. website design in raipur  |  5 February, 2013 at 7:29 pm

    Genuinely, when someone doesn’t understand, then it’s up to other users that they will help, so here it happens.

  • 19. appstar scam  |  17 July, 2012 at 6:32 am

    This blog has lots of extremely useful information on it. Thank you for informing me!

  • 20. sponsor  |  17 July, 2012 at 4:34 am

    I will have to come back again whenever my course load lets up – nevertheless I am taking your RSS feed so I could read your blog offline. Thanks.

  • 21. like  |  15 July, 2012 at 12:21 pm

    Have you given any consideration at all to translating your current website into Chinese? I know a couple of translators right here who might help you do it for free if you want to make contact with me personally.

  • 22. webaddress  |  14 July, 2012 at 4:35 pm

    If you don’t mind, exactly where do you host your website? I am looking for a good quality web host and your webpage seems to be fast and up most of the time

  • 23. powered by  |  14 July, 2012 at 1:41 pm

    The look for the web site is a little bit off in Epiphany. Nevertheless I like your weblog. I may have to install a normal browser just to enjoy it.

  • 24. arbonne article  |  14 July, 2012 at 1:31 pm

    A lot of the responses on this blog site don’t make sense.

  • 25. learn about the earth dog story  |  13 July, 2012 at 12:34 pm

    I adore the blog site layout! How was it made? It is rather sweet.

  • 26. spinach recipe  |  13 July, 2012 at 5:57 am

    Can you email me with some tips about how you made this website look like this? I’d appreciate it!

  • 27. cosmetic dentists manhattan  |  12 July, 2012 at 6:40 pm

    I was curious about whether you ever considered adjusting the page layout of your web site? It’s well written; I love what you’ve got to state. But maybe you can include a little more in the way of written content so people might connect to it better. You have got an awful lot of text for only having one or two pictures. Maybe you can space it out better?

  • 28. san diego electrician  |  12 July, 2012 at 2:51 pm

    Is it fine to insert a portion of this in my personal web site if perhaps I publish a reference point to this web-site?

  • 29. customer feedback questions  |  11 July, 2012 at 2:23 pm

    Great Stuff, do you have a bebo profile?

  • 30. cosmetic dentistry nyc  |  10 July, 2012 at 6:38 pm

    Whenever I initially left a comment I clicked the Notify me when new comments are added checkbox and currently each time a remark is added I receive 4 emails with the same comment.

  • 31. montel payday loans  |  9 July, 2012 at 12:06 pm

    A cool blog post right there mate. Cheers for it.

  • 32. best cigarette  |  9 July, 2012 at 5:43 am

    Strange, your site turns up with a black hue to it, what color is the primary color on your site?

  • 33. athens weddings  |  8 July, 2012 at 6:11 am

    Wanted to drop a comment and let you know your Feed is not functioning today. I tried including it to my Google reader account and got absolutely nothing.

  • 34. this month  |  7 July, 2012 at 10:56 pm

    I believe one of your ads caused my web browser to resize, you might well need to put that on your blacklist.

  • 35. what is ibs  |  7 July, 2012 at 3:16 pm

    I believe one of your current ads triggered my internet browser to resize, you may well need to get that on your blacklist.

  • 36. personalisation agenda  |  6 July, 2012 at 9:49 pm

    As soon as I initially commented I clicked on the Notify me whenever new comments are added checkbox and currently every time a remark is added I receive four emails with the exact same comment.

  • 37. wholesale  |  6 July, 2012 at 1:23 pm

    Have you given any kind of thought at all to translating your main web site into French? I know several translators here who would certainly help you do it for free if you wanna make contact with me personally.

  • 38. get more info  |  6 July, 2012 at 8:35 am

    I tried looking at your blog on my iPhone and the design does not seem to be correct. Might want to check it out on WAP as well, as it seems most smartphone layouts are not really working with your web site.

  • 39. Michael  |  26 February, 2009 at 1:23 pm

    One comment with regards to your last paragraph:

    Google becoming an OpenID provider is a pretty big deal when you consider SaaS solutions out there like JanRain’s RPX. RPX allows site visitors to register and login to a website using their existing Google, Yahoo, Facebook, MySpace or AOL accounts. This dramatically simplifies the registration and login process for end users.

    Check out to see RPX in action.

