What's wrong with OpenID?

  1. What's wrong with OpenID?

    Asked on quora.com, "What's wrong with OpenID?" resulted in a one-line answer: "It hasn't taken over the world." That's true - and for such a general solution you'd want it to. But why hasn't it?

    Answers from the commenters could have been trolls, but weren't.

    The first comment contained these two paragraphs:

    "These are all perfectly valid solutions that a regular user finds acceptable.  A nerd will wrinkle up his nose at these solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways.  On the security angle, no one is going to adopt a product to solve a problem they don't care about (or in many cases, even understand).

    "Proponents are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.  This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?"

    Other commenters pointed out the "URL" used to log in, saying that it was largely a feature of the past, and that the usability was flawed, adding steps to the login process.

    Another pointed out the lack of a single OpenID database - saying "I have four OpenIDs and I have lost track of which company I signed up with. I should be able to go to any one provider and be able to recover my username and password."

    Another comment: "OpenID adds complexity to solve a complex problem. It also assumes that the complexity of internet identity is fully negative. There are positive effects generated by the complexity. OpenID + Oauth will ultimately fully mimic SAML and be used as a connector between large internet players."

    Very cool, to imitate SAML.

    What do you think of OpenID, and why?

  2. What's wrong with OpenID?

    OpenID + OAuth is SAML without cryptographic trust validation.  For posting blog comments and basic personalization it's fine.  For use with anything that requires a pre-established trust that can't be spoofed, reverse engineered or subject to brute-force attacks (i.e. e-commerce) it's not useful.

  3. Basically there are only three choices on the web when it comes to identity:

    1) roll your own solution, usually involves complex signup and password recovery procedures and a significant amount of risk. Most sites still do this and many users decline to sign up. Especially for long tail type sites this is increasingly an obstacle. Email + password is at this point not a smart solution any more.

    2) partner with Facebook or one of the select few other proprietary solutions with a large enough user base. Facebook has been very successful here, but only for small and unimportant sites. To the best of my knowledge, no other provider is succeeding here without OpenID.

    3) Use OpenID. There's a rapidly declining amount of identity providers that do not support OpenID. Facebook is a reluctant endorser at this point but they have not gone all the way yet. OpenID, without doubt, gives you access to the largest amount of users around. Pretty much all of them really, even if they don't know it.

    There's really nothing else that has any amount of user adoption worth mentioning here. Including SAML, which is fine as a standard but useless as a means of hooking up major identity providers to third party web sites since it requires elaborate deals, whitelisting, auditing to be in place and crucially lacks meaningful support from any of the major identity providers on the web.

    Therefore, number 3 has been gaining some quiet backing from e.g. Google and other major identity providers since there is no other option. Although it has to be noted that they apply lots of constraints and generally work with whitelists of providers.


    So, what's in it for the user? Answer: ease of use. Nothing else really. But it is significant. The most successful approach seems to be to combine OpenID plus select proprietary solutions. E.g. sign in with your FB, Twitter, Google, Yahoo, or MS account here. If implemented properly, very easy for the user and there are various components that make this really straightforward to implement. I'm expecting major usability improvements here in the next few years.

    So, what's in it for the service provider? Answer: more users sign up. If you are a small service provider, you need to have a really good value proposition for users to give up their email + default password. Mostly, users walk away instead. The amount of service providers that think they can get away with this is amazing. Most of them fail to ever attract a critical mass of users. Really, if you are a startup and doing this: quit now and give the money back to your investors.

    So, what's in it for the identity provider? Answer: more users depend on their identities in more use cases; detailed and fine-grained info on where users use their identity. Identity is big business. These days being an identity provider pretty much implies being an OpenID provider as well. Unless you lack ambition in that area of course (cough, Facebook).

    So, what's holding OpenID back? Answer: complexity of implementation + reluctant identity providers that continue to insist that third parties go the proprietary way + service providers that continue to run into a brick wall doing traditional email + password type sign ups.

    Why is the lack of OpenID traction a bad thing? Answer: it nullifies the advantage for the service provider since it drastically reduces the number of users it can reach and on top of that requires a lot of identity provider specific complexity to be added. Basically it means stagnation and a lot of resources wasted on services that will never succeed.

    So, what happens next? Answer: major identity providers that already are OpenID providers start becoming OpenID identity consumers as well. Case in point here is Google that recently started accepting Yahoo users via OpenID. It's a small start but a significant one since these are two of the largest identity providers around. Google has been very consistent here with leading the pack. They understand that failure is not an option for them here.

    Is there anything else on the horizon? Answer: no. OpenID is basically the only usable and interoperable standard for this kind of thing at this point. Anything else has a long standardization + endorsement road ahead of it or a long track record of not being adequate enough. Think half a decade+. The only proprietary thing that has been successfully keeping OpenID at arm's length has been Facebook. If you want reach beyond the Facebook community, you have no other choice than to support OpenID at this point. Anything else you try is insignificant and lacks the hundreds of millions of readily available user base.

  4. SAML Deployment:

    1.  Exchange SSL Meta Data

    2.  Import SSL Meta Data from trusted Identity Provider

    3.  Done

    Discussion of SAML being too "difficult" generally revolves around:

    1.  Developers who want a library to do integration with.  There are libraries to do SAML but they aren't well documented and they often are part of commercial systems

    2.  Sites don't want to pay for a commercial federation system

    Case in point that OpenID+OAuth is moving towards adopting SAML tokens for higher level of assurance transactions with integrated encryption and signatures.  OpenID is "successful" for now in the same way that Windows 2000 was successful prior to Code Red.  Each protocol has its place.  If you don't need cryptographic verification use OpenID.  It's fine for sharing links, and commenting on blogs.  If you are doing anything that requires some level of assurance then OpenID+OAuth (as it exists today) is not viable.  Right now federation is not a common attack vector, but as it becomes more popular that will change.
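    As an added illustration (editor's example, not code from any poster in this thread) of the metadata-import step above and of the "pre-established trust that can't be spoofed" point in message 2: the service provider pins the IdP's signing certificate from the exchanged SAML metadata, then refuses assertions whose Issuer or embedded certificate it never imported. The entityID, certificate values and the assertion builder are constructed placeholders; the XML signature itself still has to be verified against the pinned key with an XML-DSig library, which this snippet does not do.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders standing in for base64-encoded DER certificates.
TRUSTED_CERT = base64.b64encode(b"constructed-idp-signing-key").decode()
UNTRUSTED_CERT = base64.b64encode(b"constructed-unknown-key").decode()

# Constructed IdP metadata as exchanged in step 1 (hypothetical entityID).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{TRUSTED_CERT}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(b64_cert):
    # SHA-256 over the decoded certificate bytes; tolerates line-wrapped base64
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def import_idp_metadata(xml_text):
    """Step 2: pin every signing certificate in the metadata to its entityID."""
    root = ET.fromstring(xml_text)
    pinned = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute = both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            pinned.add(fingerprint(cert.text))
    return {root.get("entityID"): pinned}

def signing_key_trusted(assertion_xml, trust_store):
    """Accept only assertions whose Issuer was imported and whose KeyInfo
    certificate matches a pinned fingerprint; the signature is then verified
    against that pinned key, never against a key the message itself supplies."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    cert = root.findtext(".//ds:X509Certificate", default=None, namespaces=NS)
    if cert is None or issuer not in trust_store:
        return False
    return fingerprint(cert) in trust_store[issuer]

def constructed_assertion(issuer, b64_cert):
    """Minimal constructed assertion carrying only an Issuer and a KeyInfo cert."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:Issuer>{issuer}</saml:Issuer><ds:Signature><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>{b64_cert}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>')
```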

  5. I think the following comment really makes me wonder whether the commenter is trolling:

    "... This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?"

    After all, it is one single registration instead of dozens of individual registrations, which is a very sensible reason to do one more registration. Of course, if he likes to remember dozens of different passwords, or likes to use the same password everywhere such that one black sheep can crack his accounts everywhere, he is welcome to avoid OpenID. 8-)

    On the other hand, he is right about the bad usability of the OpenID login. But for instance, Verisign's OpenID SeatBelt plugin for Firefox goes a long way to make this easier, so we will probably see more usability advances in the future.


  6. On second thought, I wonder why this user and at least another one in the cited comments felt the need to use multiple OpenID providers. Why? Didn't they understand that exactly one is sufficient, or is there another reason I fail to see?

  7. I don't know much about OpenID, but what if you don't want a single ID for all your forum posting habits? What if you don't want your programming forum ID tied to your political forum ID?

    Even if you don't care about this, some people do.

  8. It's a good point and one that the SSO industry has been working on for a while.  It's called "User Centric Identity" and it's covered by the "Laws of Identity" by Kim Cameron.  Unfortunately technology has not been very effective at managing this.  Ultimately the points brought up are some of the main reasons why B2C SSO has never been popular.

  9. OK, I see. Still this does not explain the annoyance of the commenter, does it? After all, if you manage 2 or 3 identities corresponding to 2 or 3 OpenID accounts, that's *much much* better than managing dozens or maybe even hundreds of individual forum accounts, isn't it? Why would there even be a need to "manage" multiple identities, if it is just a few?