Article Stats
- Published on April 16th 2008
- Categorized under Features
- 56 comments and 20 Pingbacks
April 16th / 5 reasons I won’t be getting on the open id train
If you’ve ever talked to me about my opinion on OpenID, you’ll know that I don’t exactly believe in it. Now it’s not that I think any part of the technical implementation of OpenID is flawed in any way: that part of it is rock solid. My problem is how OpenID full on assaults user experience. If you choose to implement OpenID on your site, I really don’t have a problem with it at all — what I do have a problem with are sites that force you to use OpenID. It’s a perfectly valid authentication option, but not a valid alternative. So this is my rant on OpenID.
1. 99% of implementations are naive
The basis of OpenID is the idea that anyone can become an OpenID provider. So that means if I wanted, warpspire.com could start giving out OpenIDs to people. Let’s say I have 30,000 people signed up for a Warpspire.com OpenID, which they’ve used to register for 50,000 services. Then next month I decide to discontinue the service.
As of right now, those people would mostly be locked out of their accounts. There are a few services that let you add multiple OpenIDs (like ma.gnolia), but almost none that I’ve found give you a way to recover your account in the event that your OpenID has become invalid.
With a distributed model, it should be assumed that at any given time any given node could be disconnected or go out of service. Most implementations today do not afford this luxury. You can’t enter your email address to recover your account. You can’t change which OpenID you registered with. And you simply can’t access your account should your provider be having some technical difficulties.
When I look at the currently implemented OpenID ecosystem, I just see a tightly coupled system that is going to fail at some point for a large amount of users.
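To make the missing recovery path concrete, here is an added Python example (not code from the post) of a relying-party account store: the naive one-OpenID design beside one that links several identifiers, lets the user swap them, and recovers via e-mail when a provider vanishes. Provider liveness is simulated with a constructed set of hostnames, and all URLs are placeholders.

```python
"""Relying-party account model that survives a discontinued OpenID provider.

Added example, not code from the original post. NaiveAccount is the design the
post criticises: the OpenID is the account key and there is no way back in once
the provider is gone. ResilientAccount links several OpenIDs to one account,
lets the user add or drop them, and offers single-use e-mail recovery.
"""
import secrets
from typing import Optional, Set
from urllib.parse import urlparse

# Constructed: hosts of providers currently answering. "openid.warpspire.com"
# is deliberately missing to play the provider that shut down. Simplification:
# the provider is taken to be the host of the identifier URL; a real relying
# party would discover it from the identifier page.
LIVE_PROVIDERS = {"idp-a.example", "idp-b.example"}


class ProviderUnavailable(Exception):
    """The provider behind an identifier is not answering."""


def provider_of(openid_url: str) -> str:
    return urlparse(openid_url).hostname or ""


def assert_provider_live(openid_url: str) -> None:
    # Stand-in for the real discovery + redirect round trip to the provider.
    if provider_of(openid_url) not in LIVE_PROVIDERS:
        raise ProviderUnavailable(openid_url)


class NaiveAccount:
    """One OpenID, no e-mail, no recovery: the common implementation in 2008."""

    def __init__(self, openid_url: str) -> None:
        self.openid_url = openid_url

    def login(self, openid_url: str) -> bool:
        if openid_url != self.openid_url:
            return False
        assert_provider_live(openid_url)  # raises: the user is locked out for good
        return True


class ResilientAccount:
    """Several OpenIDs per account, each replaceable, plus e-mail recovery."""

    def __init__(self, email: str, openid_url: str) -> None:
        self.email = email
        self.openids: Set[str] = {openid_url}
        self._pending_tokens: Set[str] = set()

    def login(self, openid_url: str) -> bool:
        if openid_url not in self.openids:
            return False
        assert_provider_live(openid_url)  # still fails, but a recovery path exists
        return True

    def add_openid(self, openid_url: str) -> None:
        # Called from a logged-in session or from finish_recovery(); verifying
        # the new identifier before attaching it avoids linking a dead one.
        assert_provider_live(openid_url)
        self.openids.add(openid_url)

    def remove_openid(self, openid_url: str) -> None:
        self.openids.discard(openid_url)

    def start_recovery(self, email: str) -> Optional[str]:
        """Issue a single-use token that the relying party would e-mail out."""
        if email != self.email:
            return None  # in production: same response either way, mail only if known
        token = secrets.token_urlsafe(32)
        self._pending_tokens.add(token)
        return token

    def finish_recovery(self, token: str, new_openid_url: str) -> bool:
        """Redeem the token, attach a working identifier, drop dead ones."""
        if not any(secrets.compare_digest(token, t) for t in self._pending_tokens):
            return False
        self._pending_tokens.discard(token)  # single use
        self.add_openid(new_openid_url)
        self.openids = {u for u in self.openids if provider_of(u) in LIVE_PROVIDERS}
        return True
```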
2. OpenID just doesn’t work for the mobile web
OpenID sucks hardcore for mobile sites. It demands more typing (OpenID urls are generally much longer than usernames), and forces most users to load an entire new external non-mobile website. In many cases, the open id login website could be 3-4x the data transfer of your application’s page! There’s no caching since it’s another server, and you just have to hope that their site works on the mobile browser you’re targeting.
We don’t live in a desktop-only world, so why should your authentication method assume so?
3. OpenID assumes the internet is full of good-natured human beings
It’s no lie that the internet is generally filled with a bunch of scam artists, thieves, and generally bad people. When I attended the SXSW panel on OpenID, the subject of phishing came up. Using OpenID means that you have one authentication method for all of your sites. It means that if someone malicious got ahold of said username and password, you’d be screwed pretty hardcore. The panel’s response was more or less “well, let’s hope it doesn’t become a problem.”
PayPal is the closest example of how this is such an epic failure. The sheer amount of PayPal-specific phishing sites is astonishing. Users are generally led to these phishing sites by “purchasing” products from fraudulent storefronts. The only real way to know whether you’re being phished or not is to check the URL and its associated security certificate.
With OpenID, we’re re-opening this giant can of worms. Each time someone logs into any one of their N sites that use OpenID, they’re thrown back to their OpenID provider. This already creates an illusion of phishing — the site’s design suddenly and abruptly changes without warning. At any point in time, this provider page could be phished and a malicious 3rd party could intercept your username and password.
4. One Two Three N OpenIDs to rule them all!
The idea of OpenID is that you have one OpenID to rule them all. Right now I have six, only having purposefully registered one of them. Sure, it makes it easy for people to get on board. It also makes it damn confusing. For people who aren’t tech geeks, if the idea of OpenID isn’t confusing enough, the idea of having multiple OpenIDs and which one to use definitely will be.
The appearance of OpenID 2.0 and extensions such as SREG can only lead to even more confusion. Which version does your OpenID provider support? Which does your consumer demand? Why are they both called OpenID? The entire OpenID ecosystem breeds confusion in my opinion, and I wouldn’t know how to explain it to my mother without writing out step by step instructions on how to use it for each site she wanted to use it on.
5. It’s less user friendly
I’m a designer by nature so I look at the experience first and foremost. By utilizing OpenID, you add an entire step to the sign in process. What once was login -> done is now login -> open id login -> done. It’s slower. It’s more steps. It’s more typing. And it’s an unknown experience. What if your user’s OpenID provider doesn’t show an error message for typing a wrong password in? Your users are frustrated and may not be able to log in to your service.
I don’t care how you argue it, it’s just less user friendly.
Don’t blame the protocol for the implementation
I know that many people will respond to this article saying that there’s X or Y workaround for Z problem, and that they’re solved if you use C provider. But that’s not really the point here — I know there are workarounds, but hell, what was so broken about the original model? (registering for sites) I like the freedom of having multiple passwords — it allows me to keep tiers of security around my accounts. Should someone gain access to one of my passwords, it’s only going to affect a small pool of my internet presence. Forcing me to have one authentication method is less secure.
OpenID only limits me, it doesn’t make my life any simpler. If I want my logins to be ubiquitous across sites, I will just do that. Instead of choosing kneath for a username, I could just as easily choose warpspirekneath, which has about a 0.1% chance of being taken on any given service.
And now I leave it to you to convince me why I’m so wrong.
76 Comments
Warpspire is the place that web professional Kyle Neath writes about the web. 
April 16th | #
Your best argument was the one about OpenID providers who discontinue their service. The only way to be sure your OpenID/email/web hosting/other service is continued is to be the provider yourself. I do not see you making your own electricity!? But the argument is still valid.
I disagree with your assessment of OpenIDs as less user friendly than other sign-in services. Look at .Net Passport/Windows Live ID partner sites! They have five to seven steps before letting a user pass through. (Depending on the security settings and Microsoft’s mood that day.)
April 16th | #
I like OpenID. It may not be for everyone, but it works for me.
With regard to providers disappearing, I think that OpenID delegation solves that potential issue. More info on OpenID Delegation @ http://www.windley.com/archives/2007/02/using_openid_delegation.shtml
@DanielAleksandersen: “More friendly than Windows Live / Passport” doesn’t exactly equate to “friendly”. Aim higher! ;)
April 16th | #
Totally agree with all your points. Especially the confusion thing. I work as a professional building sites, follow all the tech blogs, am online most of the time, etc. In other words you could qualify me as tech-savvy. Probably just like you. I have read a lot about openID lately.
I still don’t understand it exactly. Serious.
What about security (the phishing thing)? what if I lose my password? who should I pick as a provider? or did I already have one with my yahoo account? But maybe I don’t like Yahoo? how can I be sure my account is safe with the provider I choose? How does it work exactly? What should I pay attention to when I’m in the process of logging in? Etc etc the list of questions goes on.
Now imagine the other 99% of the population who is way less technical than I am.
April 16th | #
Daniel: Just because someone else’s shit stinks more doesn’t mean yours smells good ;)
Steve: I’ve heard of delegation, but what if you use delegation and decide to change domain names? No matter how it works, you should be able to change your OpenID on the site you’re using it on.
April 17th | #
@Matthijs: “Now imagine the other 99% of the population who is way less technical than I am.”
I think the barrier is a little lower for less technical users, actually. If the implementation is well designed, the user won’t be worrying about these issues. The way I see it being used by “mom” is that she will see a “Sign in via Yahoo!” link, provide her credentials, and not need to remember another password.
The phishing concern is real, but not exclusive to OpenID.
Solutions for preventing phishing exist, too. For example, my online banking page shows me an image that is unique to me every time I log on to the site. If the image is missing or incorrect, I don’t log onto the site.
I agree with all of your concerns, but I use OpenID anyways because it just works for me. I wish more sites would support it, though.
@Kyle: I agree. You /should/ be able to change your OpenID on the site you’re using. Blame the implementation, not OpenID. ;)
April 17th | #
I wanted to take a second to reflect on point #3. More specifically, this part of point #3:
“Using OpenID means that you have one authentication method for all of your sites. It means that if someone malicious got ahold of said username and password, you’d be screwed pretty hardcore. The panel’s response was more or less “well, let’s hope it doesn’t become a problem.””
Non-technical users tend to use the same password for every account they have on every site they have. You might do the same, too. OpenID offers an advantage for these types of users. Rather than every site admin having a copy of their user name and password (you have no guarantee that they hash the password or anything), their credentials are only available to one party, their OpenID provider.
April 17th | #
Steve: While you’re very right about the one password thing, the thing is — people generally don’t use one username. They’ll pick something different all over the place (many times being forced). I know that I have a different username for my bank, my CC, ma.gnolia, facebook, flickr, bloglines, and my mint installs (each unique). It’s not by choice, but through forced restrictions. You might get one password, but you won’t get one username. Although I will concede this argument doesn’t really have any winners in either direction since there’s other caveats (such as the fact that very few services have adopted OpenID) — my point for #3 was primarily focused on phishing.
April 17th | #
@Steve:
But that’s exactly the problem. If “my mom” sees a “sign in with yahoo” sign, she doesn’t worry about it, clicks the links, fills in her credentials, … and bam! Phished. What she didn’t know was that that link was not a safe link.
Now all of her accounts have been compromised, instead of a limited set or a single one.
Even if there were technically or security wise no concerns at all, I just don’t see it taking off. Every non-technical person I have spoken to has something like “I just have one password for all my accounts” or “I don’t have to remember them, because my computer does” (they don’t even know why or how that works), etc.
If I had to explain to a person like that why they should sign up with some openID provider, that they should trust that party with all their account logins, and lastly how it all works, I think I will have a very hard time.
April 17th | #
Excellent article and thought provoking discussion. I’ve been reading quite a lot on openID and like Matthijs, it’s taken me a long time to grasp how it works and the fundamentals behind - and I am a nerd!
The five points you raise Kyle, seem really valid to me. I’m sure there are answers and workarounds to them, and I’m sure there are just as many valid strengths to the system, but the fact that there are ANY usability and security concerns, coupled with the fact that it is so damn confusing, makes me feel that as it stands now the system is doomed.
April 17th | #
My first reaction to this post was to cry foul on number 1 because of delegation, but Steve S. did it first, thanks Steve! To challenge Kyle’s response, I can understand that warpspire.com may not last forever, but I doubt you’ll be changing your real name, why not create a delegation page on something like KyleNeath.com? At ~$10 a year a personal identity domain is pretty practical for a situation like this, and in the least anything other than your identity page can simply redirect to wherever you’re currently blogging.
Honestly I think the biggest problem is point number four, other than ma.gnolia I haven’t found any other site that provides an OpenID that will accept one as a login to an existing account, which is very frustrating!
April 17th | #
Good article, and well reasoned points. I have to agree with the confusion point - I’ve found it to be exactly that. And it doesn’t work some of the time either. Magnolia refuses to let me log in with my OpenID, despite the fact that I know the details are correct.
April 17th | #
Eric: Alright, here’s a real-world scenario then. Let’s say I’ve already signed up with some services using my non-delegated account credentials. How do I change those services? Again, really no matter the workaround, services need to provide the ability to change your OpenID that you registered with.
April 17th | #
[...] I read an article today by Kyle Neath on five reasons why he wont be getting on the OpenID train. Each of Kyle’s concerns are very valid concerns but fundamentally there is one issue that I [...]
April 17th | #
I have to agree with Kyle on this. There’s another problem here too that I see: as more and more people use the internet for doing serious transactions, we should be trying to make them more aware of the potential problems, not less aware.
Yes it’s annoying to have to remember all the passwords, but once you’ve forgotten a few you realize the importance of writing stuff down. All of this reminds you of why you use passwords in the first place. And the more you have to come up with new ones, the more likely you will make a good one.
If everyone switched to OpenID tomorrow then joe-idiot user who’s never made a password for anything will make his username his real name, and his password will be “password” and never think twice about it.
The point I’m trying to make here is that keeping yourself safe and secure on the internet is an active and on-going process. OpenID threatens to lull people into a false sense of security.
April 20 | #
[...] — Marshall asks if your PR person know how to make an OPML file; welcome skepticism regarding OpenID; observe that your control addict organization is a densely networked soup of socially constructed [...]
April 21st | #
1) Freedom of choice can be hard sometimes, but that’s the cost of having a decentralized system. Large ISPs, banks, governments … these reliable and trustworthy parties could and will provide OpenIDs and they will educate their users on why they should choose them as their identity provider.
2) Designing a mobile-friendly identity provider with a small site is not too difficult, and a future spec should include this as a must. The long URL can be saved on the phone. I don’t see a huge problem here.
3) I believe that OpenID, while seeming to support phishing, is also the answer to the phishing problem. It’s the provider’s sole business to provide a safe authentication experience, so they can put much more effort on this issue. Providers that use certificate login (where you don’t even have a password so this can’t be phished) do exist today; combine this with external security tokens, biometric devices etc. and you make OpenID secure.
4) Who said “one OpenID to rule them all”? Having 3-4 OpenIDs is still better than 30-40 accounts and I don’t see this as too confusing, because most people are aware that they have different personas on the web, even if it’s only their real personality and a fake identity.
5) The first time you log in to a site with OpenID it’s login > openid > done, but the next time you have already set trust settings on your provider so it’s login > done (the step in between is invisible). On the other hand, when you first register for a site it is register > enter a whole bunch of data > choose password > confirm email > login > done, while with openid it’s mostly register > confirm sreg data > done.
April 21st | #
I think many of your points are valid, but I have some counter arguments. This is all according to my understanding, so if I am inaccurate about some of these facts, feel free to correct me.
OpenID relies on the assumption that everyone has some sort of web identity, specifically in the form of a URL that they control (warpspire.com in your case). This is the URL they would be expected to choose as their identity; the provider’s URLs are only in the case that a user does not own their own domain name. Most, if not all providers support this feature, so you can make your warpspire.com OpenID the “One” OpenID to rule them all. The other five can probably be linked with warpspire as well.
Once again, assuming you are using your domain name, OpenIDs are not tied to any provider. They are meant to be movable between providers in the event that you want a change or your provider discontinues.
With regards to your comment about changing domains, would you change your blog domain as often as you implied in the comment? If you did, you would probably have the same amount of trouble. The hope is that you would stick with the domain you delegate as you would with your blog’s domain.
Your points about phishing and laggy OpenID login pages are dead on.
OpenID will be important to the future of the web as we move into a more people centric Internet, especially when combined with OpenSocial, DataPortability and all the other emerging technologies. I wouldn’t avoid the train if I were you.
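The delegation mechanism that Steve S. and this comment describe, as an added Python example that is not any commenter’s code: the identifier the user types is their own URL, and <link> tags on that page tell a relying party which provider to talk to, so moving providers means editing the tags while the identifier stays the same. The page, hosts and identifiers are constructed placeholders.

```python
"""Discovery on an OpenID delegation page (added example, not the post's code).

The user's own URL is the claimed identifier. Its HTML carries <link> tags that
name the provider (OpenID 1.1: openid.server/openid.delegate; OpenID 2.0:
openid2.provider/openid2.local_id). A relying party reads those tags, so the
provider can be swapped without the identifier ever changing.
"""
from html.parser import HTMLParser
from typing import Dict, Tuple


def identity_page(provider_endpoint: str, local_id: str) -> str:
    """Minimal delegation page carrying both 1.1 and 2.0 link tags (constructed)."""
    return (
        "<html><head><title>identity page (constructed)</title>\n"
        f'<link rel="openid.server" href="{provider_endpoint}">\n'
        f'<link rel="openid.delegate" href="{local_id}">\n'
        f'<link rel="openid2.provider" href="{provider_endpoint}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">\n'
        "</head><body>This URL is my OpenID.</body></html>\n"
    )


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> inside <head>; first occurrence wins."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():  # rel may list several space-separated values
                self.links.setdefault(token.lower(), href)

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False  # discovery tags are only honoured in <head>


def discover(html: str, claimed_id: str) -> Tuple[str, str, str]:
    """Return (protocol version, provider endpoint, identifier to send to it).

    A 2.0-capable relying party prefers the openid2.* tags and falls back to the
    1.1 ones. Without a delegate/local_id, the claimed identifier itself is sent.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return ("2.0", links["openid2.provider"], links.get("openid2.local_id", claimed_id))
    if "openid.server" in links:
        return ("1.1", links["openid.server"], links.get("openid.delegate", claimed_id))
    raise ValueError(f"{claimed_id}: no OpenID discovery tags found")


if __name__ == "__main__":
    me = "https://kneath.example/"  # placeholder personal domain
    before = identity_page("https://idp-a.example/server", "https://idp-a.example/u/kneath")
    after = identity_page("https://idp-b.example/openid", "https://idp-b.example/u/kneath")
    print(me, "->", discover(before, me))
    print(me, "->", discover(after, me))  # same identifier, different provider
```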
April 21st | #
Lukas Rosenstock: Please read my article in full.
Rosano: In the same way that everyone is currently being left in the dust because they’re not using microformats? ;) (Sorry, had to do it).
I don’t think OpenID will bear any significance on the internet as a whole. The techhy internet, yes, it already does bear huge significance, but the general side of the internet — myspaces, google search, ebay, etc, no — it won’t bear anything for the average user.
April 25th | #
[...] or go out of service. Most implementations today do not afford this luxury. — Kyle Neath - 5 reasons I won’t be getting on the open id train April 25th, 2008 / 0 Comments / [...]
April 27th | #
[...] 5 reasons I won’t be getting on the open id train - Warpspire [...]
April 27th | #
What if the whole service worked as DNS. The information somehow propagates, so you don’t have to worry about redundancy.
Not sure how it stays secure at that point. IP/domains aren’t secret, passwords are.
(it’d be great if I could to the post comment button)
April 28th | #
[...] 5 reasons I won’t be getting on the open id train - Warpspire. some interesting points. i think a lot of these problems can be addressed by building identity controls into the browser (like sxipper does). [...]
April 28th | #
Solid post.
I agree that #1 is a real problem but that same risk exists with lots of services you use (banks, brokerages, etc). You choose a provider that is more likely to be around for a long time (for example, choosing google over hotornot). If it actually shuts down for good, you’ll survive.
I feel like the other problems can largely be addressed by having authentication cooked into the browser. It would let you manage your identities, address classic phishing scams, etc. An app like sxipper is a great example of where browser identity functionality could head.
May 8th | #
[...] 5 reasons I won’t be getting on the open id train, by Kyle Neath. Animated comment thread. (0) PreviousPost [...]
May 8th | #
No matter how fashionable it is to bash Microsoft, with its Passport system you usually have to do:
* one thing: your password
* two things: username and password
if you don’t just let it remember you. What is this 5 to 7 steps nonsense?
May 8th | #
Excellent argument and well put. I’ve had the same thoughts on my mind recently, too.
If only OpenID was a WordPress product, not a SixApart product - we might have one, large, free, secure and simple server to use as the sole place to get and manage your OpenID. Instead, it’s a mess and I can barely even remember which openIDs I do and don’t have.
May 8th | #
[...] Kyle Neath: “5 reasons I won’t be getting on the open id train.” [...]
May 8th | #
I agree that it should be optional. Forcing users to use OpenID is just asking for a smaller user base. I recently added OpenID support to one of my sites and probably will add it to others. I like the idea of being able to link in multiple IDs. With AOL and Yahoo jumping on board, even non technical users can be led to the trough.
Phishing is a problem anywhere and I hope some effort is made to make it easier to prevent and identify. But let’s be realistic - most users would (hopefully) use this for basic registration sites. I really could care less if my account on Jacks Blatherings About Life blog were compromised along with 10 other blogs I comment on. But NFW am I using OpenID for banking or anything else super critical. Not that I don’t trust it - I just like layered security as was mentioned for the really important stuff. But for all the sites that want/like accounts to read, comment, and participate in a normal user manner - OpenID brings a lot of benefit for me.
May 8th | #
[...] Means of Access by filosofo. Posted on May 8, 2008 at 10:43 am That’s the lesson I take from Kyle Neath’s critique of OpenID (HT: Ma.tt), from his first point, the one that I think has the most traction. OpenID servers [...]
May 8th | #
you make a few good arguments. But I’d bet that anyone who took an equally hard look at the current email/password solution could find just as many holes.
Identity online just sucks in general.
May 8th | #
You’re right. When I read about OpenID I thought it was a great idea, until I began to use it.
May 8th | #
[...] the user-experience. I guess it depends on how efficient servers communicate with each other. Kyle Neath points out 5 reasons why he would not be implementing OpenID. From what I’ve read, I think he simply disagrees with sites requiring an OpenID, not the ones [...]
May 8th | #
The one useful thing it does for me is reduce the need to enter contact details on every site that uses it. Entering Name, email, website, on every site is just a little tedious. Of course, if this trivial usage were all that people get out of OpenID, I can’t see there being much developer interest.
May 8th | #
[...] a third party website and used it a whole one time because it took more steps to log into things. Warpspire has a detailed account of the general feelings I have about the current state of [...]
May 8th | #
I think that the only valid point against using OpenID is no.1, although the problems you are describing are more related to the nature of authentication systems in general, and from that perspective OpenID is no worse than any of the traditional systems. Think of GMail or Facebook closing down their service. How is it any different from an OpenID provider terminating their service?
Reliability of a 3rd party OpenID provider is irrelevant to the reliability of OpenID in general.
Any authentication mechanism has to have something to authenticate against, and OpenID is unique because it makes the process totally decentralized.
I couldn’t think of anything more reliable than using your own domain name for authentication. Even the hosting providers can come and go, but as long as you keep the domain — the identity is yours.
And the other argument that it requires more typing is also false, because OpenID servers can make use of cookies, which means that all three (OpenID URL, username and password) will have to be supplied only once. On all other websites you’ll be able to use only the URL. It all boils down to the simplicity and length of domain names that are still left.
May 8th | #
p.s. there is also an idea to integrate OpenID authentication input windows/screen/popup in browser instead of using IdP supplied one. This would possibly eliminate phishing attempts as browser could verify the IdP which is requesting the credentials.
Wow, did a few searches, and it turns out there is a Firefox plugin for that already… made by Verisign, called OpenID SeatBelt.
May 8th | #
Josh: The difference between one service going down and OpenID going down is that one OpenID account ties to several registrations on many services. So one node goes down, you lose N services. If one service goes down, you lose one service.
You’re also wrong about other authentication methods having the same problems. Mobile login? Super easy to create your own mobile login screen (m.twitter.com anyone?). Anti phishing? You’re only staying on one site. User experience? Completely customizable by you. Other third party authentication methods have the same downfalls, but then again, that’s pretty much the core of my argument (that I don’t like 3rd party auth methods).
May 8th | #
“At ~$10 a year a personal identity domain is pretty practical for a situation like this, and in the least anything other than your identity page can simply redirect to wherever you’re currently blogging.”
So everyone on the planet buys a personal identity domain, because they weren’t technically knowledgeable enough to know that the first website they create an OpenID on might not be the most stable?
I think that, with the exception of the web-savvy who are going to use their own domains, their own authentication stores, or what have you, we’re going to see OpenID tend toward very large, monolithic providers that provide the anti-phishing style plugins and packaging (like Verisign) that Josh mentioned. Frankly, most smaller sites using OpenID will probably have a dropdown of the most common stores (Microsoft, Google, Yahoo, LiveJournal/Six Apart) and possibly allow additional providers if they’re kind enough to agree to it. And among those large sites, they might be kind enough to offer each other as options, instead of locking you in to their service and insisting on using them as your primary OpenID.
So big companies save us from lock-in? Not really. OpenID is going to have the same traps as any other system, it just lets the smaller sites piggyback.
May 8th | #
OpenId might be for me after all these issues are sifted through. Right now, I rely on keeping information for each ridiculous login logon logit id stored in my Secure Login or my Wand. It’s a pain, but I feel safe. Should I be worried?
Unpersonally, would my site benefit from allowing OpenID; is there enough following and enough folks craving it?
May 8th | #
Although I believe that the proliferation of usernames and passwords is a major problem, I have to agree that the openid implementations I have seen are incredibly unfriendly. You can see my blogpost on the topic here: http://texvc.com/?p=15
May 8th | #
I get around the disappearing provider problem by being my own provider… but clearly that’s not a very user friendly solution.
I wouldn’t be comfortable using OpenID for something serious, like a page that holds my financial information, but as a kind of signature it’s good. Blogs generally don’t require registration for commenting because it’s a pain and nobody would bother, but I like it when blogs allow you to sign your comments with your OpenID—so much so that I installed that option at my own.
May 8th | #
Mike, with that Verisign plugin you can use OpenID issued by any of the providers. I am currently using it with a modified version of self-hosted phpMyID.
Kyle, you are definitely right about the unreliability of 3rd party OpenID providers and the fact that losing one such service has much greater consequences than losing only an email provider for example. I would never use a 3rd party OpenID myself and would not encourage anybody else to use them as well, the reason being your very 1st point of this article.
I think that the advantage of using OpenID over traditional usernames and passwords becomes apparent only when it is used on your own domain. Let’s hope that in the near future we see hosting companies offering “OpenID domain names” as currently they are offering e-mail hosting for those who want only email.
With regards to mobile login, the scenario could be the following: (1) open the browser (2) choose to authenticate from a menu inside the browser (3) supply OpenID URL, username, password (4) your OpenID URL is filled in automatically on every website that supports OpenID.
However, the final point is valid only if the OpenID input form is marked up correctly, using openid_url for the input field’s id and/or name attributes. And of course, there are currently no browsers that handle OpenID management.
Single login seems to be something from the perfect internet where everybody follows standards and doesn’t want to trick or misuse them. Therefore I would definitely agree that OpenID is not ready yet, but if (1) browsers add support for identity management (solving the spam issue), (2) hosting companies offer OpenID domain names (for non-savvy), and (3) more websites accept OpenID, we can actually accept that OpenID is the appropriate solution for the ultimate login which is both secure and easy to use.
May 8th | #
[...] looked before I leapt, because as Kyle Neath points out in a blog post he wrote in April, he has 5 reasons to give us pause before we jump onto the OpenID [...]
May 8th | #
[...] reasons not to get on the OpenID train. 5 reasons I won’t be getting on the open id train is a very good post, for not blindly going along with the advantages OpenID offers; behind this [...]
May 9th | #
[...] solution but there are critics of the service, I recently came across a blog post by a guy called Kyle Neath, he makes some interesting points, some I agree with some I don’t. For example he points out [...]
May 9th | #
The geek factor on a comment like that is impressive. I think this and other elements of your logic come from a homo-logicus perspective.*
*From ‘The inmates are running the asylum’
May 10th | #
[...] 5 reasons I won’t be getting on the open id train - Warpspire Quote from the comments: "When I read about OpenID I think it was a great idea until I began to use it." I totally agree. (categories: openid usability experience ux ui security ) [...]
May 11th | #
As I pointed out in my response at billso.com, multifactor authentication might make OpenID more secure and more widely accepted.
May 11th | #
[...] finally! A recent post from somebody outside of the OpenID devsphere about [...]
May 11th | #
Kyle, I agree with you. OpenID is not going to solve the problems it thinks it will, since it introduces more problems than it will solve. It neither bolsters a user’s security nor makes registering/logging into sites more convenient.
But hey, at least it almost looks good on paper.
May 11th | #
These are valid points that you raise. In fact I did give the option for the users to register using OpenID at my blog, but then the plugin itself was flawed and kept giving errors when activated and I ended up removing OpenID altogether from my blog. Until the system works flawlessly it should not be implemented. Come to think of it I use Wordpress so implementing it should be done on a priority basis considering so many blogs run on Wordpress. Anyway I do agree with you on the points raised. Security is indeed a big loophole with OpenID. Thanks for sharing your thoughts.
May 12th | #
[...] 5 reasons I won’t be getting on the open id train - Warpspire (tags: openid article security identity webdev programming criticism) [...]
May 13th | #
While I actually agree with your conclusion (OpenID as supplement, not the only solution), I believe your discussion of the problems is weak. Security must be considered in a comparative perspective, and security must always be discussed alongside convenience. Username/password solutions on the internet are either inherently insecure (due to using the same username/password for all accounts or saving all passwords behind one easily breakable master password) or incredibly inconvenient (remembering 20+ strong passwords).
OpenID is not a perfect solution to these issues, but it does for sure make it easier to train people into being conscious of where they enter their passwords. You shall only enter your password in one place - your openid-provider’s - and you should always check for the lock icon and correct domain.
In fact, myopenid.com has made an even safer solution which is ridiculously convenient for people who use only a few computers: with SSL certificates, (optionally) eliminating the possibility of using passwords. It’s meaningless to phish, but it is possible to break by getting hold of the SSL certificate, which amounts to breaking into the home computer. This is, hopefully, much harder than breaking into online accounts. (And you’re majorly fucked anyway if malicious people have access to your home computer).
And others have mentioned delegation.
While this only solves 1, 3, 4 and 5, mobile device providers will very likely solve no. 2 if OpenID catches on, by for instance using an in-browser openid login solution (or through SSL certificates).
And why does everyone have to use OpenID for it to be a successful tech?
May 13th | #
[...] open ID? Well, some bloggers out there do, others don’t, and many of us just don’t yet know. Now imagine that every website out there can not only use [...]
May 14th | #
[...] OK idea, bad implementation Posted in News by Austin Burbridge on May 14th, 2008 Kyle Neath explains why he does not like OpenID: It’s not that I think any part of the technical implementation of OpenID is flawed in any way: [...]
May 14th | #
Thanks for writing this — it articulates the concerns which are raised by pretty much every instance of OpenID.
Shortly I will remove OpenID login from Cinema Minima’s sites. I think it will be too confusing for users.
Current implementations actually introduce Fear, Uncertainty, and Doubt (FUD) into the very places where clarity and certainty are most desired. I am amazed that the salient thing the many implementations of OpenID have in common, is poor execution — mostly, as far as I have observed, poor user-experience design.
Yahoo offers OpenID but with these terrible alternatives: use a URI which is long and incomprehensible and safe, or a short and easy-to-remember URI which Yahoo cheerfully warn you is unsafe. What were they thinking?!
OpenID.com had a security certificate that failed in common browsers (maybe they have fixed it by now?). Didn’t anyone bother to test? Or at least provide some error-trapping so that the hapless user wouldn’t find herself in a neverland of error messages?
The WordPress plugin has some flaws: the first version’s acknowledging, but not coping with, the OpenID.com bad-certificate problem; the reliance upon a math library — GMP for PHP — which many, if not most, WordPress users would not have, nor have any way of installing, since the majority of WordPress instances run on hosted sites which do not permit root access (GMP is not required, but without it there is a strain upon the server’s CPU).
User login ought to be overflowing with simplicity, safety, and certainty.
May 14th | #
Indregard: I would disagree that your points even come close to solving 1, 3, 4, 5.
#1 can only be solved by consumers (as in, products like ma.gnolia, blogs, etc). There is absolutely nothing OpenID, OpenID providers, or OpenID users can do to fix this problem.
#3, #5 can only be solved by using a “you should have” tone with users (i.e. well, you should have registered with X provider (myopenid.com in your case) instead of Z provider). This is the absolute worst case solution for experience design. If you ever experience yourself uttering “you should have”, your design has failed.
#4 is again, something that just can’t be fixed. I have an OpenID account, but it works only about half the places I’ve tried. Why? It doesn’t have SREG support — which many newer OpenID implementations demand. How in the hell do I know I even need this? Because I spent half a day bugging a developer why I kept getting strange errors. This is not user friendly.
I think the core of your arguments is that OpenID technically is good — which I fully agree (and even note in the first paragraph). However, in reality it is not a good experience. There are ways to fix many of the problems, but just because solutions exist does not mean that they’re implemented across the board. Since OpenID can be implemented by anyone, it’s up to the providers/consumers to implement the solutions. Since almost no one does, it means that most of the OpenID experiences are sub-par.
May 15th | #
Hi,
I couldn’t agree more with the points you raise. I think that the design of the openid system is not very good and far too complicated. I also hate having uber long usernames. I just love to be able to enter user, password, hit enter!
Also, perhaps you should be advertising Lighthouse on this post. I click it to see what the product was and on their homepage it read:
“Open ID is the way forward”
Kinda ironic :)
Cheers
Stephen
May 16th | #
Hi,
I wholeheartedly agree with most of your rant. Except one thing. The technical side of OpenID is far from perfect and there ARE problems:
http://storm.alert.sk/blog//identity/king-of-fools.html
May 28th | #
I just don’t get why I can’t stay logged into anything. Ever. I close the browser, come back 20 minutes later, and it’s freakin OpenID typing time…lame.
June 2nd | #
The whole idea of OpenID is probably good, but the implementation - sucks.
I agree with all Kyle’s points, that’s why I rarely use OpenID.
However, personally I don’t always want to have the same username/login information on all services. As a result you have more than one username/password.
That’s why I think the solution is to use secure password storage services, like http://www.PassPack.com (I would say that this is the only one which is both - secure and user friendly).
June 2nd | #
[...] 5 reasons I won’t be getting on the open id train - Warpspire (tags: openid) [...]
June 5th | #
Clearly a lot of passionate perspectives being shared here, which is a great thing. OpenID is not a panacea for all registration and login requirements, and it will boil down to personal choice since it’s unlikely that most sites will ever go exclusively OpenID.
Some people will be comfortable managing multiple username/passwords for various websites. Some will use password management tools or browser plug-ins. Some will choose OpenID. Many will use a combination of all three.
The good news is that there is more personal choice available to users as a result of OpenID. As with many online experiences, it’s often a balance between convenience, privacy, and security. You choose whether to store your credit card info and the mailing addresses of all your gift recipients online with Amazon. You choose whether to let your browser remember your passwords and run the risk that someone steals your computer.
Of the 14,000 sites that are OpenID enabled today (http://janrain.com/blog/2008/06/02/relying-party-stats-as-of-june-1st/), most are user generated content sites (blogs, discussion groups, wikis, social networks, etc.). In these environments, convenience is often important to the user and site operator, security and privacy are less critical, so these are the logical early adopters of OpenID.
The next logical adopters of OpenID would appear to be media sites (newspapers, radio, TV, magazines, movies, sports, etc.) and affinity groups (college alumni associations, PTAs, little league teams, homeowner associations, etc.), and possibly the customer community sections of commerce sites (Dell, HP, etc.) where members can help each other with tech support or purchase decisions. Not much highly sensitive information or financial transactions occurring on these sites.
Longer term, commerce sites will likely adopt OpenID.
As this evolution progresses, OpenID will evolve to meet the needs of the various stakeholders: individual users, website operators, affinity group administrators, OpenID providers, etc.
Already many OpenID providers such as myOpenID.com support anti-phishing and security enhancements such as website verification (per the earlier reference to what banks are doing), SSL Certificate authentication, InfoCard integration, phone-based authentication, password strength indicators, etc. These security features can be deployed globally, or longer term by specific activities (financial transactions, password resets, change of personal preferences, time of day, specific computers, by geography, etc.). Again, the balance between convenience and security will be the driving factor.
Additionally, as OpenID evolves, the convenience aspects will also increase. SREG and Attribute Exchange make it easier for users to, at their discretion, share personal data with website operators to expedite the registration process and keep that data current and accurate. User login enhancements such as ID Selector (www.idselector.com) make it easier for users to login without having to remember the full syntax of their OpenID URL, just pick a provider and enter your account name. Once you’ve registered with ID Selector, it remembers your preference and for every subsequent visit, you get “single click” login with no text to enter at all - what could be easier than that?
As more websites accept OpenIDs, the benefits to users go up, and the pressure on remaining sites to accept OpenID increases. As more sites and users adopt OpenID, OpenID evolves and improves to meet the market needs. Since it’s an open source platform, lots of individuals and companies can contribute to the rapid innovation and enhancements.
Rather than citing all the reasons why OpenID will never work, why not focus the discussion on what the OpenID community can do to enhance the ecosystem and leverage the promise of this exciting new technology?
Cheers, Brian
June 5th | #
Brian: It’s very easy to look at my article as just a big rant hating on OpenID, but I think if you realign your viewpoint you’ll see I’m citing problems that cannot be fixed by championing the technology.
My problem is that I see these problems as all being “should-have” problems. I did not use myopenid.com, nor delegation when I started using OpenID myself. Because of that, I am now in a horrible situation of being unable to fix my mistakes without removing and re-creating my accounts. This is a “should-have” problem that can only be fixed by doing actions differently in the past — or by forcing my provider and all of my consumers to change their ways.
Just because myopenid.com may excel in some particular facet — mobile login, phishing prevention, SREG implementation — it does not mean that all providers excel in the same facet. The ground is only as strong as the piece you’re standing on, and if your piece isn’t set on myopenid.com, your innovation is unfortunately of no use.
You’ve made an excellent case for the technology but little case for the practical use and implementation.
June 23rd | #
Not only do I think Kyle is dead-on, but I would even take it a step further and ask why we need OpenID in the first place. Don’t modern browsers [offer to] remember your Usernames and passwords for you anyway?
For Users that already use autocomplete, OpenID is needlessly redundant. For Users that don’t trust their own computers to keep their information secure, why would they trust someone else’s?
June 25th | #
Hi there,
I think your arguments mostly make sense. You mentioned your point about workarounds, yet I think good workarounds can lead to overall improvements, and openid will keep evolving.
I agree that openid cannot replace the classical login/password. Forcing people to have openid is silly IMHO. It’s just a lifestyle, some people like log cabins, others like hotel rooms, who can blame either one?
Back to your points, since you offer to give our point of view, here is mine:
1) Yes indeed the openid provider could change, and I agree that delegation does not solve this problem. However, you do trust your mail provider for continuation of service as well, why is that not a problem to you? Nevertheless, OpenID consumers should provide a means to account for that sort of situation. After all, in most cases your account is still associated with an email, so you could have a functionality similar to the current “lost password” that would enable you to change your openid provider.
2) Regarding the mobile thing, did it occur to you that the phone includes a smartcard, and that the latter contains a certificate? Openid providers could (and IMO will) use this certificate as a means to authenticate the user. It will be completely transparent for the user; maybe he’ll just be required to enter his PIN code. Also, if you combine inames with openid you will end up typing about as many characters as in a login/password scheme.
3) This argument sorta smells. The thing is: openid does not bring a solution for all current problems. You’re pinpointing issues that exist with the standard system. Openid has its flaws, but they’re just not new flaws. The good thing about it, though, is that there are third-party solutions to those flaws, like verisign’s seatbelt plugin, which prevents phishing. Also, in the near future people will progressively be equipped with smart card readers (some countries, like Belgium and Estonia, have electronic citizen ID) and it will more and more become a means to authenticate yourself on the web with those certificates.
4) I’m not quite sure I understood the point you’re trying to make here. What is more complicated: having a few openids, or having tons of logins/passwords? There is no necessity to have N openids, but it’s possible to do so; well, great, that’s fine by me. Regarding SREG, I’m not familiar with it so I’ll pass, but your grandma sure belongs in point 5 rather than point 4.
5) Well there I don’t agree. For the first site you’ll visit, yeah you’ll have to go through 2 authentication pages, but once you’re logged into your provider, you’ll never see that page again for the duration of your session. You can also have your openid provider as start page, and login once and for all. Of course it’s a different way of thinking than what we are currently used to, but that’s just a question of working habit.
You want to bury openid, but it sounds just like you made yourself an opinion and try as best as you can to prove yourself that you are right rather than questioning your judgement.
August 7th | #
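The design sketched in point 1 of the comment above (a relying party that keeps the local account separate from the OpenID identifier, lets a user bind several identifiers, and offers a “lost password”-style, e-mail verified flow to bind a replacement when a provider disappears) is what a consumer site would need to build to avoid the lock-out the original post describes. The following is an added example, not code from Warpspire, its commenters or any OpenID library; the in-memory store, the `RelyingParty`/`Account` names, the simplified identifier normalisation and the sample user are all assumptions constructed for the illustration.

```python
"""Relying-party account model that survives an OpenID provider going away.

Added example (not from the original post or its commenters). It assumes the
provider's positive assertion has already been verified by an OpenID library;
only the account bookkeeping on the consumer side is shown here.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def normalize_identifier(url: str) -> str:
    """Simplified OpenID URL normalisation (assumption: http default, lower-case
    scheme and host, trailing slash on an empty path). Real libraries also
    handle XRIs, fragments and redirects; this is enough to make
    'Example.COM' and 'http://example.com/' compare equal."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}/{path}"


@dataclass
class Account:
    email: str
    identifiers: set[str] = field(default_factory=set)   # several providers per account


class RelyingParty:
    """In-memory consumer-side store (constructed for the example)."""

    RECOVERY_TTL = 15 * 60   # seconds a recovery token stays valid

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._accounts: dict[str, Account] = {}          # email -> Account
        self._by_identifier: dict[str, str] = {}         # normalised OpenID -> email
        self._pending: dict[str, tuple[str, float]] = {} # token digest -> (email, expiry)

    def register(self, email: str, openid_url: str) -> Account:
        acct = Account(email=email.lower())
        self._accounts[acct.email] = acct
        self.add_identifier(acct, openid_url)
        return acct

    def login(self, asserted_identifier: str) -> Account | None:
        """Map a verified assertion to the local account, or None if unknown."""
        email = self._by_identifier.get(normalize_identifier(asserted_identifier))
        return self._accounts.get(email) if email else None

    def add_identifier(self, acct: Account, openid_url: str) -> None:
        """Bind an extra provider (the ma.gnolia-style 'multiple OpenIDs' case)."""
        ident = normalize_identifier(openid_url)
        if ident in self._by_identifier:
            raise ValueError("identifier already bound to an account")
        acct.identifiers.add(ident)
        self._by_identifier[ident] = acct.email

    def _digest(self, token: str) -> str:
        # Only an HMAC of the token is stored, so a leaked table is not replayable.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def start_recovery(self, email: str, now: float | None = None) -> str | None:
        """Issue the one-time token that would be e-mailed to the user. Returns
        None for unknown addresses; the HTTP layer should answer identically in
        both cases so the form does not reveal which e-mails are registered."""
        acct = self._accounts.get(email.lower())
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + self.RECOVERY_TTL
        self._pending[self._digest(token)] = (acct.email, expiry)
        return token

    def finish_recovery(self, token: str, new_openid_url: str,
                        now: float | None = None) -> Account | None:
        """Redeem the token exactly once and bind the replacement identifier."""
        entry = self._pending.pop(self._digest(token), None)   # pop: single use
        if entry is None:
            return None
        email, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return None
        acct = self._accounts[email]
        self.add_identifier(acct, new_openid_url)
        return acct


def demo() -> dict:
    """Walk through point 1: the provider disappears, the user recovers by e-mail."""
    rp = RelyingParty(server_secret=b"constructed-server-secret")
    acct = rp.register("alice@example.com", "alice.dead-provider.example")
    token = rp.start_recovery("alice@example.com", now=1000.0)
    recovered = rp.finish_recovery(token, "https://alice.new-provider.example/", now=1100.0)
    return {
        "old_login_still_maps": rp.login("alice.dead-provider.example") is acct,
        "new_login_works": rp.login("https://alice.new-provider.example/") is acct,
        "token_single_use": rp.finish_recovery(token, "https://x.example/", now=1100.0) is None,
        "identifier_count": len(recovered.identifiers),
    }
```

The two properties that matter for the lock-out scenario are that the account key is the e-mail (or any other credential the user keeps when the provider dies), not the OpenID URL, and that recovery tokens are single-use, short-lived and stored only as an HMAC digest, so the rebinding path does not become a weaker way into the account than the login it replaces.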
Sorry for the double post, but I think I need to clarify something:
I agree that the current state of openid has issues. The point I’m trying to make is that openid should and will evolve towards a safer, easier web experience. Saying “it’s no good so I don’t hop on the train” is just denying the idea of progress. Openid brings something new to the table; it’s not perfect, but it has potential. And THAT’s what makes me want to hop on the train. And yet it moves, as Galileo said.
August 7th | #
ok triple post then ;-)
I just read your comment on brian’s reaction and I understand that I took your article the wrong way.
Actually your title is misleading, since you say you “won’t be getting on the open id train”. Truth is, you’re already on it, only you’re in the smokers’ wagon. Your title is actually “stepping off the openid train”, which is another story.
I understand the frustration of not having a good provider, as many people also were frustrated because they had a bad ISP, bought a bad computer, installed a crappy OS. Did that stop people from buying computers, and going on the internet? The price to pay for those was equally annoying as for you to switch openid accounts for a better provider.
August 20 | #
I generally agree with your article. However, I think openID is a good attempt at tackling the problems of multiple user accounts. The implementations might not be perfect, but it seems that these types of applications will become more and more essential as the net becomes a more pervasive environment.
September 7th | #