It's become quite fashionable to criticise OpenID these days and the latest tirade to come to my attention is from Kyle Neath. Although he raises some valid points, none of them are problems with OpenID. Rather they are general problems with proving identity on the internet. Like most critics of OpenID, Kyle seems to ignore the simple fact that we already have a single, centralised identity: email. Your email address is your identifier for most online services and shares many issues with OpenID. OpenID is not the be all and end all of online identity but it does offer many advantages over the currently favoured username/password system. Kyle breaks his argument into 5 main points:
[...] if I wanted, warpspire.com could start giving out OpenIDs to people. Let’s say I have 30,000 people signed up for a Warpspire.com OpenID, which they’ve used to register for 50,000 services. Then next month I decide to discontinue the service. As of right now, those people would mostly be locked out of their accounts.
This is the most valid of the concerns but it's nothing new. If your email provider ceases to exist (or, more likely, your Hotmail account gets terminated) then you have no way to reset your password and if you have no password then you have no way to prove your identity. But in the end how likely is it that an OpenID provider will simply cease to exist? At the very least they could offer the opportunity to delegate your identity URL to another OpenID provider.
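The delegation mentioned above is a concrete mechanism, not just a hope: an OpenID identity URL can carry link tags that point at whichever provider currently authenticates its owner, and changing those tags moves the identity to a new provider while relying parties keep seeing the same claimed identifier. The following is an added example (not code from the original post or from any OpenID library) that parses the OpenID 1.1 (`openid.server` / `openid.delegate`) and OpenID 2.0 (`openid2.provider` / `openid2.local_id`) HTML-discovery tags and generates the replacement tags for a provider switch. All URLs and the sample identity page are constructed for illustration.

```python
"""Parse OpenID HTML-discovery link tags to see where an identity URL delegates."""
from html.parser import HTMLParser

# Constructed sample identity page for a hypothetical user "alice" at a
# hypothetical domain. The four <link> tags delegate the URL to a separate
# OpenID provider (OpenID 1.1 uses openid.server/openid.delegate,
# OpenID 2.0 uses openid2.provider/openid2.local_id).
SAMPLE_CLAIMED_ID = "https://alice.example.org/"
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>Alice</title>
<link rel="openid.server" href="https://provider-a.example.net/openid/server">
<link rel="openid.delegate" href="https://provider-a.example.net/users/alice">
<link rel="openid2.provider" href="https://provider-a.example.net/openid/server">
<link rel="openid2.local_id" href="https://provider-a.example.net/users/alice">
</head><body>Alice's home page</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collects href values of <link> tags whose rel names an OpenID field."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if not rel or not href:
            return
        # rel may carry several space-separated tokens; keep the first hit per field
        for token in rel.lower().split():
            if token.startswith("openid") and token not in self.found:
                self.found[token] = href


def discover(claimed_id, page_html):
    """Return the provider endpoint and local identifier for each OpenID version.

    If no delegate/local_id tag is present, the claimed identifier itself is
    what the provider is asked to assert, so it is used as the local id.
    """
    parser = _OpenIDLinkParser()
    parser.feed(page_html)
    tags = parser.found
    result = {}
    if "openid2.provider" in tags:
        result["2.0"] = {
            "endpoint": tags["openid2.provider"],
            "local_id": tags.get("openid2.local_id", claimed_id),
        }
    if "openid.server" in tags:
        result["1.1"] = {
            "endpoint": tags["openid.server"],
            "local_id": tags.get("openid.delegate", claimed_id),
        }
    return result


def is_delegated(claimed_id, page_html):
    """True when the page hands authentication to a provider-issued identifier."""
    info = discover(claimed_id, page_html)
    return any(v["local_id"] != claimed_id for v in info.values())


def delegation_tags(endpoint, local_id):
    """Build the link tags that re-point an identity URL at a new provider.

    Publishing these on the identity page (and removing the old ones) is the
    'delegate to another provider' move: relying parties keep seeing the same
    claimed identifier while a different provider authenticates the user.
    """
    return "\n".join([
        f'<link rel="openid.server" href="{endpoint}">',
        f'<link rel="openid.delegate" href="{local_id}">',
        f'<link rel="openid2.provider" href="{endpoint}">',
        f'<link rel="openid2.local_id" href="{local_id}">',
    ])


if __name__ == "__main__":
    print(discover(SAMPLE_CLAIMED_ID, SAMPLE_IDENTITY_PAGE))
    moved = delegation_tags("https://provider-b.example.net/op",
                            "https://provider-b.example.net/id/alice")
    print(discover(SAMPLE_CLAIMED_ID, "<html><head>" + moved + "</head></html>"))
```

The practical point for the scenario in the post: a user who owns the identity URL (rather than one issued by the provider) survives the provider shutting down by publishing new tags; a user whose claimed identifier is the provider's own URL has nothing to re-point, which is the case to avoid.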
It’s no lie that the internet is generally filled with a bunch of scam artists, thieves, and generally bad people. When I attended the SXSW panel on OpenID, the subject of phishing came up. Using OpenID means that you have one authentication method for all of your sites. It means that if someone malicious got ahold of said username and password, you’d be screwed pretty hardcore.
As I mentioned above, we already have email as a single point of failure. If one of the Bad People gets into your email account it's a simple matter for them to get into all your other accounts simply by requesting a password reset email. The subject of OpenID phishing is certainly not to be taken lightly but having a single identity provider can actually be a benefit. Better have one really secure id than 50 insecure ones.
The idea of OpenID is that you have one OpenID to rule them all. Right now I have six, only having purposefully registered one of them. Sure, it makes it easy for people to get on board. It also makes it damn confusing.
Six? I have a few because I've been actively going out and seeking them, but I'm not aware of sites forcing OpenIDs onto people. Sure, sites like Wordpress.com, LiveJournal, AOL and Yahoo rolled out OpenIDs to all their users, but they're all pretty unobtrusive. In fact the AOL one is positively hidden away.
By utilizing OpenID, you add an entire step to the sign in process. What once was login -> done is now login -> open id login -> done. It’s slower. It’s more steps. It’s more typing.
But as OpenID gains wider use the single sign-on benefits start to emerge. The OpenID login happens once per session and then you're logged in to all your sites. That's faster, fewer steps, less typing.
And it’s an unknown experience. What if your user’s OpenID provider doesn’t show an error message for typing a wrong password in? Your users are frustrated and may not be able to log in to your service.
An unknown experience? Unknown to who? Site designers have to get their heads around the fact that by using OpenID they are relinquishing control of the authentication process from both a technical and user experience aspect. That may be hard for designers to accept but it's a good thing for users because from their perspective the user experience of logging in becomes consistent across all OpenID-enabled sites. I completely agree that the OpenID experience needs work before it can gain mass adoption but directed identity in OpenID 2 is a great step in the right direction and companies like Clickpass are trying hard to simplify the experience (although I don't think they've got it quite right yet). I believe OpenID can and will achieve mass market adoption.