Most OpenID criticisms are misguided

It's become quite fashionable to criticise OpenID these days, and the latest tirade to come to my attention is from Kyle Neath. Although he raises some valid points, none of them are problems with OpenID. Rather, they are general problems with proving identity on the internet. Like most critics of OpenID, Kyle seems to ignore the simple fact that we already have a single, centralised identity: email. Your email address is your identifier for most online services and shares many of the same issues as OpenID. OpenID is not the be-all and end-all of online identity, but it does offer many advantages over the currently favoured username/password system. Kyle breaks his argument into 5 main points:

[...] if I wanted, warpspire.com could start giving out OpenIDs to people. Let’s say I have 30,000 people signed up for a Warpspire.com OpenID, which they’ve used to register for 50,000 services. Then next month I decide to discontinue the service. As of right now, those people would mostly be locked out of their accounts.

This is the most valid of the concerns, but it's nothing new. If your email provider ceases to exist (or, more likely, your Hotmail account gets terminated) then you have no way to reset your password, and without a password you have no way to prove your identity. But in the end, how likely is it that an OpenID provider will simply cease to exist? At the very least they could offer the opportunity to delegate your identity URL to another OpenID provider.
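Delegation is what makes the identity URL portable: the page at your own URL names the provider, so switching providers means editing two link tags rather than re-registering everywhere. The following is an added example, not code from the original post; it parses the OpenID 1.1 (openid.server / openid.delegate) and OpenID 2.0 (openid2.provider / openid2.local_id) HTML discovery tags from a constructed identity page.

```python
"""Added example: HTML-based OpenID discovery with delegation.
Assumed identity URL and provider hostnames are constructed for illustration."""
from html.parser import HTMLParser

# Constructed HTML as it might be served at the user's own identity URL.
SAMPLE_IDENTITY_PAGE = """
<html><head>
<link rel="openid2.provider" href="https://provider.example/op/endpoint">
<link rel="openid2.local_id" href="https://provider.example/user/alice">
<link rel="openid.server" href="https://provider.example/op/endpoint">
<link rel="openid.delegate" href="https://provider.example/user/alice">
</head><body>alice's home page</body></html>
"""


class _LinkRelParser(HTMLParser):
    """Collect rel -> href from <link> tags; the first tag seen for a rel wins."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():  # rel may hold several space-separated tokens
                self.rels.setdefault(r.lower(), href)


def discover(claimed_id, html):
    """Return (provider_endpoint, local_id, protocol_version) or None.

    OpenID 2.0 tags are preferred over 1.1. Without a delegation tag the
    local_id is the claimed_id itself. A relying party must later check that
    the provider's positive assertion names this same endpoint and local_id,
    otherwise any provider could assert any identity URL.
    """
    p = _LinkRelParser()
    p.feed(html)
    if "openid2.provider" in p.rels:
        return (p.rels["openid2.provider"],
                p.rels.get("openid2.local_id", claimed_id), "2.0")
    if "openid.server" in p.rels:
        return (p.rels["openid.server"],
                p.rels.get("openid.delegate", claimed_id), "1.1")
    return None


if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_IDENTITY_PAGE))
```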

OpenID sucks hardcore for mobile sites.

No. Perhaps most existing OpenID providers don't do a good job of supporting mobiles but there's nothing wrong with OpenID per se. And it will come. Chris Messina is on the case. Or what about using SMS to authenticate? Or why not build OpenID right into the phone browser?

It’s no lie that the internet is generally filled with a bunch of scam artists, thieves, and generally bad people. When I attended the SXSW panel on OpenID, the subject of phishing came up. Using OpenID means that you have one authentication method for all of your sites. It means that if someone malicious got ahold of said username and password, you’d be screwed pretty hardcore.

As I mentioned above, we already have email as a single point of failure. If one of the Bad People gets into your email account, it's a simple matter for them to get into all your other accounts by requesting a password reset email. The subject of OpenID phishing is certainly not to be taken lightly, but having a single identity provider can actually be a benefit. Better to have one really secure ID than 50 insecure ones.

The idea of OpenID is that you have one OpenID to rule them all. Right now I have six, only having purposefully registered one of them. Sure, it makes it easy for people to get on board. It also makes it damn confusing.

Six? I have a few because I've been actively going out and seeking them, but I'm not aware of sites forcing OpenIDs onto people. Sure, sites like WordPress.com, LiveJournal, AOL and Yahoo rolled out OpenIDs to all their users, but they're all pretty unobtrusive. In fact the AOL one is positively hidden away.

By utilizing OpenID, you add an entire step to the sign in process. What once was login -> done is now login -> open id login -> done. It’s slower. It’s more steps. It’s more typing.

But as OpenID gains wider use, the single sign-on benefits start to emerge. The OpenID login happens once per session, and then you're logged in to all your sites. That's faster, fewer steps, less typing.

And it’s an unknown experience. What if your user’s OpenID provider doesn’t show an error message for typing a wrong password in? Your users are frustrated and may not be able to log in to your service.

An unknown experience? Unknown to whom? Site designers have to get their heads around the fact that by using OpenID they are relinquishing control of the authentication process, from both a technical and a user experience perspective. That may be hard for designers to accept, but it's a good thing for users, because from their perspective the experience of logging in becomes consistent across all OpenID-enabled sites. I completely agree that the OpenID experience needs work before it can gain mass adoption, but directed identity in OpenID 2 is a great step in the right direction, and companies like Clickpass are trying hard to simplify the experience (although I don't think they've got it quite right yet). I believe OpenID can and will achieve mass market adoption.

4 Comments
Grafter
OpenID isn't something I've played with yet, and I haven't really made up my mind on it (fears harking back to Micro$oft's ill-fated Passport service) but that was an interesting read.
Tamlyn: great post! These current criticisms of OpenID are unfortunate, but getting the right information out there is going to help a lot. ak
Dabbler
People also seem to get hung up on the common misconception that OpenID means having one username and password. It's defining that split between identification and authentication that developers (and eventually users) will need to start adapting to. The key here is that your OpenID provider needs to be told which site is attempting to verify your identity. It's then down to the provider to decide what level of authentication is necessary. For example: if it was a request from Twitter, you're probably not overly concerned and password or cookie authentication would be fine. However, if the request was from the bank you might want to use something like a keyfob. I guess it could even go through to a human being who then phones your number and asks if you want to authenticate against the site. You might even argue that it's more secure, as an attacker does not necessarily know what kind of authentication method will be used, or even if the same one will be used each time.
N/A
[...] Most OpenID criticisms are misguided | Community Site News [...]