I'm not asking about specific implementations, and I'm not asking about the global world view of cross-site single sign-on mechanisms; I just want to know what the community thinks about the underlying usability of OpenID. Do you think using a URL issued by a (to the non-technical observer) random assortment of providers in place of an actual user name is something that people are going to prefer? If not, does anyone have a better mechanism? If there's enough interest, I'll follow up with a more general SSO question.
Think it's better to get more specific rather than general with these kinds of questions.
To your question, I don't think it is flawed but you are right that it may not appeal to some. However, once folk get it, as in understand it, then they may come to use it more. It is certainly a better thing to have to remember fewer passwords as one ends up making them weaker than they should be.
You need to have a unique user ID in such a scenario. Another option could be a valid email address, but what about spam then?
Therefore I prefer the URL-based UserID. And for me, the usability with OpenID (in my case myOpenId) is great.
Google seems to think so. Their recent entry into the OpenID space, and immediate subsequent fork of the protocol, has two things to say about the issue:
- OpenID is useful, especially when it's tied to sites with a very large number of users for use with sites that could support a large number of users and will probably not draw them. Why reinvent the wheel on an authentication system when someone like Google or those working on OID already have it covered?
- OpenID as it stands is messy, as people already have a large number of differing user names with many of the participating providers. However, many users had a great opportunity when GMail came around to get their own name as their email address, and have a rather infinite number of accounts they can create. Google seems to think that their account system by itself is sufficient for all OpenID users. I'd probably agree with this.
I think there are aspects of OpenID that pose usability problems for many users, but could probably be resolved via UI improvements. For instance, a URL is almost inherently unusable for most users. But there's no reason that can't be abstracted so the user simply chooses their provider and inputs the username they use at that provider. Moreover, having to go to a separate location to log in is a huge usability problem, and rightly sets off red flags to users about what data they're providing to whom. That will be much harder to resolve.
I've said it before, and I'll probably say it again, but the URL idea is a fundamentally flawed idea. They should have gone with the e-mail address format or the Jabber format of [email protected]. This would allow existing email providers to offer an ID without requiring the user to remember some arcane URL.
YES.
There are still multiple log-ins. I have to go and log in to my OpenID provider, then I have to go to the site and log in again with the OpenID URL. No one wants to do more work, and OpenID is a lot more work.
I know of no one who is not in the computer field that uses OpenID. OpenID is still just too complex. The average user doesn't need to be confused by another layer of abstraction.
There is also the issue of tracking where the OpenID users go. I use VeriSign, a trusted name, but what about those who are using less trustworthy providers? No, I'm not going to name names and start a flame war.
There is a better answer, it is called RoboForm (or one of the many knock-offs). All of the user's passwords and names are kept on their machine and are encrypted. It is easy to use, more secure, and FASTER.
Yes.
First, choosing a provider is difficult. If I was a less experienced user, I would ask "why do I need to share my information with X to use a site run by Y?" And then, once you get over that, you have to choose who to trust with your information. I, personally, went with Verisign because I trust Verisign. But some people might never have heard of some of these providers and would not be in a position to make an informed decision.
Second, logging in is difficult. Rather than entering a user name, I have to enter a URL (although StackOverflow makes it easier where you choose a provider and your provider user name and it makes the URL for you).
Third, if my OpenID is compromised, then all of the accounts on sites that I use OpenID on are also compromised. Some people suggest having multiple OpenIDs to overcome this, but I think that defeats the entire purpose of OpenID.
I think that some of the OpenID implementations leave a lot to be desired.
I imagined Yahoo would get it right, but their OpenID micro-site (information and implementation) is rubbish in my opinion. The layout is confusing, and they don't make it clear how OpenID relates to a user's standard Yahoo account.
Once I'd figured out which screen was needed to launch my log-in request, Yahoo issued an OpenID signature which included a randomised string. This wasn't accepted by Stack Overflow. I had to create a new alias, which also had to be made a default option. Without a similarly stubborn desire to work it out, I think a lot of users would give up.
In my opinion, stricter guidelines for implementation need to be produced, and the campaign needs to be heavily publicised to educate potential users.
Maybe the technology could be included in browser implementation?
Wouldn't it be better to have this kind of thing built into the browser?
For example, you enter your personal data in the browser's preferences. Then a site can request personal data with a JavaScript call, and the browser shows you a dialog asking for confirmation. Of course, the JavaScript API would have to be standardized.
That way the user doesn't have to sign up anywhere, and all his personal information is stored on his own machine. Plus the confirmation messages would look like the rest of your operating system, not just like some web site that you might not trust.
Would this not eventually compromise the identity of an individual if it's stolen or lost? This is my main concern. Anonymity has advantages as well as disadvantages. I believe in having both. I have close friends who fear joining the Facebook community on the basis that it's so open it becomes an easy target if the database ever gets attacked.
I don't want some other system owning my IDs for my applications.
I get the concept of simpler for the user and more uniform.
However, UserID is so key to the experience for site visitors, you don't want to put all your eggs into one basket (Microsoft Passport, OpenID, etc). If things change, you've messed up all your user accounts.
NO.
I don't think it is a fundamentally flawed system. In terms of usability I'd say it is flawed, as it is a departure from the norm and harder to get used to, i.e. a URL instead of a username, having to pick a provider. But I think those are the only problems, and things can be and are being done that improve them (usability tweaks on log-in pages, Yahoo and Google raising awareness of the idea).
Aside from that, I think it's a great system:
- I remember one account ID password combination (I don't need to rely on software solutions to the many ID->password problem)
- I don't need to fill out a form when I go to a new website, and wait for registration emails to confirm it.
- If I don't trust an OpenID provider, I can become my own provider, relatively easily, which I personally think is a great achievement for a standard. Making something so versatile and (AFAIK) easy is, to me, really something.
- It decouples the responsibility of building a website from password storage and security, when both jobs are becoming increasingly difficult.
- I don't actually know much about this next point, but I think it's very easy to use one OpenID account to host multiple personas, which can be used for different websites e.g. "that's my work persona, that's what I present when I sign up for ilovemyjob.com. And this is my friend persona, I use that for facebook" and the different personas have different information tied to them. Like I say I don't know much about how this is done, or exactly why it would be useful... but I will find out what it could be good for.
That's about the main benefits I see with OpenID. In terms of disadvantages, there's the usability aspect, which I admit is a problem. The main other point that people use to criticise OpenID is that if the account is compromised, then many logins are compromised. In my opinion this is no worse than the current system of having emails tied to accounts, which could be similarly compromised, and used for that "forgot your username?" function on many websites. I'd also like to point out that OpenID is not meant to solve that problem - it's a solution to the multiple ID/password problem. However, having one password gives a greater license to keep updating it for added security - without having to rely on software remembering it for you, or forgetting all the time.
So, OpenID has its problems, but I'd say it's a good solution to the multiple ID/password problem.
References:
Interesting Google Talk on the subject
I don't think it's a flawed concept. I just think it's new, and people aren't used to it.
But OpenID should be used in conjunction with a local registration system so the user has a choice. Telling the user to go to X.com to register and then come back to your site after -- that's just stupid and confusing. But if the user already has a GMail/AOL/YMail/etc account then letting them use it is very very handy.
I think we as developers should be using specialized login forms though. That is, instead of "Enter your OpenID URL" it should be a standard "enter your username" and they can select Gmail/AOL/YMail/etc and behind the scenes we construct the URL. The idea of a URL being a login name is a bit backwards, so helping people with the transition is welcome.
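The "construct the URL behind the scenes" form this answer describes, as an added example (not code from the post or from any OpenID library): the relying party builds the identifier from a provider template plus the user's name at that provider, then canonicalizes it following the identifier-normalization rules of OpenID Authentication 2.0 (section 7.2), so that "Example.com", "HTTP://Example.com/#top" and "http://example.com/" map to one account rather than three. The myopenid.com template is the form seen elsewhere in this thread; the other two providers are constructed placeholders, and the discovery/redirect-following step of the spec is not performed.

```python
"""Relying-party helper: provider + user name -> normalized OpenID identifier.
Normalization follows OpenID Authentication 2.0 section 7.2 as read by the
author of this example; redirect-following during discovery is NOT done here."""
from urllib.parse import urlsplit, urlunsplit

# Identifier templates. The myopenid.com form appears in the thread; the other
# two are constructed placeholders, not real provider endpoints.
PROVIDER_TEMPLATES = {
    "myopenid": "http://{user}.myopenid.com/",
    "example-blog": "http://blogs.example.net/{user}",       # placeholder
    "example-id": "https://id.example.org/people/{user}",    # placeholder
}

# XRI global context symbols: an identifier starting with one of these is an
# i-name such as "=true" and is left alone rather than treated as a URL.
XRI_PREFIXES = ("=", "@", "+", "$", "!")


def build_identifier(provider: str, user: str) -> str:
    """Build the identifier the user would otherwise have to type by hand."""
    # A single DNS/path label only; anything else could escape the template
    # and point the login at a different host or path than the user chose.
    if not user or any(ch in user for ch in "/.: @#?"):
        raise ValueError("user name must be a single plain label")
    return normalize_identifier(PROVIDER_TEMPLATES[provider].format(user=user))


def normalize_identifier(raw: str) -> str:
    """Canonicalize a typed identifier so spelling variants compare equal."""
    s = raw.strip()
    if s.startswith("xri://"):          # spec: strip the xri:// prefix
        s = s[len("xri://"):]
    if s.startswith(XRI_PREFIXES):      # XRI i-name: no URL rules apply
        return s
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s               # spec: default scheme is http
    parts = urlsplit(s)
    path = parts.path or "/"            # spec: empty path becomes "/"
    # Scheme and host are case-insensitive (RFC 3986 s6); identifiers are not
    # expected to carry userinfo, so lowercasing the whole netloc is safe here.
    # The fragment is always dropped; the query string is kept.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))
```

Equality of two normalized identifiers is what the relying party should key its account table on; comparing the raw typed strings would create duplicate accounts for the same person.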
I fail to understand the angst against OpenID.
My experience with signing in to this site (admittedly the only OpenID I have had to deal with) was simple. I saw the OpenID required thing and I had a vague understanding that my signing into the site would be delegated to someone else who I trusted and already had an ID with. Lo and behold, there was a link to the provider of my current online email provider. Click, follow a process that was simple enough that I do not even remember doing it.
Now that the OpenID connection is set up, it is no more difficult than any other site I deal with, and the magic is that I did not have to add yet another account to a site that I had no idea I was going to use ever again and would probably forget the username or password for.
I like it, the concept and the execution.
No, I don't believe that OpenID is a flawed concept.
If you look at the history of OpenID it was originally meant to allow people to correlate themselves via a URL they owned across blogs. This idea was expanded upon and became the single sign-on system it is today.
I would say that OpenID is perfect for websites that don't have user accounts to keep basic information, which is not considered vital to the end user. Thus a comic book site that helps with valuations of your comic book collection might be a good example. Because as an OpenID end user you can log in to the site (without creating another username/password, which may be different than any other one you created because of existing users on the system) and check out how they work. If you like it, then you can continue to use the system as normal. Or, if you aren't totally enamored with the site but decide to check them out later, then trying to remember which username and password combination you used for a site that you thought you might not otherwise return to could be frustrating. OpenID addresses that type of situation perfectly.
That being said, I wouldn't personally use OpenID to log in to my bank account, because of many things that have been stated about the security of the redirects. However, much of that is changing and there is great progress in advancing the security of OpenID through attribute exchange (especially in Japan).
Another note that many folks don't know is that you don't need to use a URL to have an OpenID; there is a technology called i-names that looks more like a username, i.e. my i-name is "=true", which may be much easier than typing in something like "http://true.myopenid.com". There is a cost of $12 per year for individual i-names, so that may initially be a barrier for some people; however, free alternatives exist if you would like to play around with them.
On a last note OpenID is promoting the idea of discoverability (if that's a word). It's a concept that seemed to be sitting just below the surface. Discoverability is like social networking at the protocol level if you might :). There's tonnes of work going on in that area, which I think will lead to better implementations of OpenID or at least the idea of OpenID. Which hopefully will lead to a better internet for us all.
Disclaimer: I'm on the XRI TC committee and run a startup focusing on selling and providing services around XRI.
FreeXRI is not the startup I am involved with.
The concept is fine however the design allows for gaping security exploits...