views:

1115

answers:

16

I'm not asking about specific implementations, I'm not asking about the global world view of cross site single sign on mechanisms, I just want to know what the community thinks about the underlying usability of OpenID. Do you think using a URL issued by a (to the non-technical observer) random assortment of providers in place of an actual user name is something that people are going to prefer? If not, does anyone have a better mechanism? If there's enough interest, I'll follow up with a more general SSO question.

+1  A: 

Think it's better to get more specific rather than general with these kinds of questions.

To your question, I don't think it is flawed but you are right that it may not appeal to some. However, once folk get it, as in understand it, then they may come to use it more. It is certainly a better thing to have to remember fewer passwords as one ends up making them weaker than they should be.

dove
+1  A: 

You need to have a unique UserID in such a scenario. Another option could be a valid email address, but what about spam then?

Therefore I prefer the URL-based UserID. And for me, the usability with OpenID (in my case myOpenId) is great.

danimajo
+3  A: 

Google seems to think so. Their recent entry into the OpenID space, and immediate subsequent fork of the protocol, has two things to say about the issue:

  1. OpenID is useful, especially when it's tied to sites with a very large number of users for use with sites that could support a large number of users and will probably not draw them. Why reinvent the wheel on an authentication system when someone like Google or those working on OID already have it covered?
  2. OpenID as it stands is messy, as people already have a large number of differing user names with many of the participating providers. However, many users had a great opportunity when GMail came around to get their own name as their email address, and have a rather infinite number of accounts they can create. Google seems to think that their account system by itself is sufficient for all Open ID users. I'd probably agree with this.
Robert Elwell
Google made some unprecedented implementation decisions, but they didn't fork the protocol. It's still to the OpenID 2.0 spec.
keturn
A: 

I think there are aspects of OpenID that pose usability problems for many users, but could probably be resolved via UI improvements. For instance, a URL is almost inherently unusable for most users. But there's no reason that can't be abstracted so the user simply chooses their provider and inputs the username they use at that provider. Moreover, having to go to a separate location to log in is a huge usability problem, and rightly sets off red flags to users about what data they're providing to whom. That will be much harder to resolve.

eyelidlessness
+6  A: 

I've said it before, and I'll probably say it again, but the URL idea is a fundamentally flawed idea. They should have gone with the e-mail address format or the Jabber format of [email protected]. This would allow existing email providers to offer an ID without requiring the user to remember some arcane URL.

Kyle Cronin
I completely agree. It's the one thing about OpenID I don't like. Fortunately, WebFinger may very well solve this particular problem by simply letting you delegate to your OpenID from a more memorable and recognizable identifier.
Bob Aman
+1  A: 

YES.

There are still multiple log-ins. I have to go and log in to my OpenID provider then I have to go to the site and log in again with the OpenID URL. No one wants to do more work and OpenID is a lot more work.

I know of no one who is not in the computer field that uses OpenID. OpenID is still just too complex. The average user doesn't need to be confused by another layer of abstraction.

There is also the issue of tracking where the OpenID users go. I use VeriSign, a trusted name, but what about those who are using less trustworthy providers? No, I'm not going to name names and start a flame war.

There is a better answer, it is called RoboForm (or one of the many knock-offs). All of the user's passwords and names are kept on their machine and are encrypted. It is easy to use, more secure, and FASTER.

WolfmanDragon
I've never used RoboForm... but if you lose your data, and you have tons of name-password pairs, you could easily forget them and you've lost access (if I understand correctly). OpenID is about remembering one thing.
Grundlefleck
Like any other file, make a backup. While if you work for some companies and many offices in the US Fed Gov, storing your password on RoboForm is enough to get one fired, or face legal action. It's not perfect, just better than OpenID.
WolfmanDragon
So backing up all your UIDs and passwords is a solution to a problem that doesn't exist with single sign-on?
Grundlefleck
Single sign-on with RoboForm: just set it to auto-fill the sign-ons. Again, let me go back to the "it's secure" (if you use a good primary password). There is no way to make a URL sign-on secure. I don't want someone getting into one of my accounts and reading my mail or pretending to be me.
WolfmanDragon
Forgive me, but I don't get the point you're making. You provide the URL of your OpenID sign-on which then goes to your provider, which you must log in to, using a password, to allow access. Give your OpenID a good primary password and it's the same thing. Or am I missing something?
Grundlefleck
+14  A: 

Yes.

First, choosing a provider is difficult. If I was a less experienced user, I would ask "why do I need to share my information with X to use a site run by Y?" And then, once you get over that, you have to choose who to trust with your information. I, personally, went with Verisign because I trust Verisign. But some people might never have heard of some of these providers and would not be in a position to make an informed decision.

Second, logging in is difficult. Rather than entering a user name, I have to enter a URL (although StackOverflow makes it easier where you choose a provider and your provider user name and it makes the URL for you).

Third, if my OpenID is compromised, then all of the accounts on sites that I use OpenID on are also compromised. Some people suggest having multiple OpenIDs to overcome this, but I think that defeats the entire purpose of OpenID.

Thomas Owens
To be fair, I don't think OpenID pretends to address the problem of account security, and it is as secure as an email inbox (think "forgot your username or password?" functions on many sites).
Grundlefleck
+1  A: 

I think that some of the OpenID implementations leave a lot to be desired.

I imagined Yahoo would get it right, but their OpenID micro-site (information and implementation) is rubbish in my opinion. The layout is confusing, and they don't make it clear how open-id relates to a user's standard yahoo-account.

Once I'd figured out which screen was needed to launch my log-in request, yahoo issued an OpenID signature which included a randomised string. This wasn't accepted by stackoverflow. I had to create a new alias, which also had to be made a default option. Without a similarly stubborn desire to work it out, I think a lot of users would give up.

In my opinion, stricter guidelines for implementation need to be produced, and the campaign needs to be heavily publicised to educate potential users.

Maybe the technology could be included in browser implementation?

codeinthehole
The biggest problem with OpenID is that the experience can be easily tainted by either side of the equation. In order to be effective, both the identity provider (Yahoo in this case) and the relying party (Stack Overflow) have to have gotten the user experience right. That's an exceedingly unlikely proposition, but when it does work, it's great.
Bob Aman
+2  A: 

Wouldn't it be better to have this kind of thing built into the browser?

For example, you enter your personal data in the browser's preferences. Then a site can request personal data with a JavaScript call, and the browser shows you a dialog asking for confirmation. Of course, the JavaScript API would have to be standardized.

That way the user doesn't have to sign up anywhere, and all his personal information is stored on his own machine. Plus the confirmation messages would look like the rest of your operating system, not just like some web site that you might not trust.

JW
That's a great idea, and it's likely that OpenID or something similar will offer that as an option in the future. The reason why it won't fly now is that it's hard enough to convince someone to use an OpenID provider without requiring they switch browsers or install a plugin.
Kyle Cronin
VeriSign offers a plugin to Firefox. You sign in with Verisign and it automatically populates and verifies you at all OpenID login forms. However, you have to login each time you open Firefox.
Thomas Owens
Seatbelt is the name of the plugin, the only thing that makes OpenID bearable.
WolfmanDragon
yeah and then you... use another computer.
dlamblin
A: 

Would this not eventually compromise the identity of an individual if it's stolen or lost? This is my main concern. Anonymity has advantages as well as disadvantages. I believe in having both. I have close friends who fear joining the Facebook community on the fact that it's so open, it becomes an easy target if the database ever gets attacked.

anon
And if your email account gets compromised and you are using your email address + password, then the same thing happens.
FryGuy
If anything, it's easier to compromise an email account. See for example the guy that gained access to Sarah Palin's email via the forgot password link.
Bob Aman
A: 

I don't want some other system owning my IDs for my applications.

I get the concept of simpler for the user and more uniform.

However, UserID is so key to the experience for site visitors, you don't want to put all your eggs into one basket (Microsoft Passport, OpenID, etc). If things change, you've messed up all your user accounts.

pearcewg
My response to that is that it's not your ID, it's your user's ID.
Bob Aman
+15  A: 

NO.

I don't think it is a fundamentally flawed system. In terms of usability I'd say it is flawed as it is a departure from the norm, and harder to get used to, i.e. URL instead of a username, having to pick a provider. But I think those are the only problems, and things can be and are being done that improve them (usability tweaks on log-in pages, Yahoo and Google raising awareness of the idea).

Aside from that, I think it's a great system:

  • I remember one account ID password combination (I don't need to rely on software solutions to the many ID->password problem)
  • I don't need to fill out a form when I go to a new website, and wait for registration emails to confirm it.
  • If I don't trust an OpenID provider, I can become my own provider, relatively easily, which I personally think is a great achievement for a standard. Making something so versatile, and (AFAIK) easy is to me, really something.
  • It decouples the responsibility of building a website from password storage and security, when both jobs are becoming increasingly difficult.
  • I don't actually know much about this next point, but I think it's very easy to use one OpenID account to host multiple personas, which can be used for different websites e.g. "that's my work persona, that's what I present when I sign up for ilovemyjob.com. And this is my friend persona, I use that for facebook" and the different personas have different information tied to them. Like I say I don't know much about how this is done, or exactly why it would be useful... but I will find out what it could be good for.

That's about the main benefits I see with OpenID. In terms of disadvantages, there's the usability aspect, which I admit is a problem. The main other point that people use to criticise OpenID is that if the account is compromised, then many logins are compromised. In my opinion this is no worse than the current system of having emails tied to accounts, which could be similarly compromised, and used for that "forgot your username?" function on many websites. I'd also like to point out that OpenID is not meant to solve that problem - it's a solution to the multiple ID/password problem. However, having one password gives a greater license to keep updating it for added security - without having to rely on software remembering it for you, or forgetting all the time.

So, OpenID has its problems, but I'd say it's a good solution to the multiple ID/password problem.

References:
Interesting Google Talk on the subject

Grundlefleck
But I, as a user, don't want a *single* identity to share across sites. I don't want to be tracked that way. I don't want to have to run around securing zillions of accounts if one is compromised. I want to know who gave away my email address by using a unique address for each site I deal with. I don't want to have to agree to two different terms of service with two different providers to use one site. Nor do I want to watch two different privacy policies evolve just because I opened one account.
Adrian McCarthy
There's no secure recovery system. SO recently lost the connection between my OpenID and my SO account. I was forced to create a new OpenID, and email SO to beg them to add it to my account. They did it (thanks SO Team!), but they really had no way to ensure I was really who I said I was.
Adrian McCarthy
@Adrian: I see your point about not wanting to be tracked with a single identity, and that may be valid. But IMO you're in the minority compared to people who don't want to pick yet another username/password combination that matches site X's validation policies. In this case, OpenID may not be for you. In terms of who gave away your email address - AFAIK, that's what personas are for: different details for different purposes, but shared authentication.
Grundlefleck
@Adrian: In regards to a secure recovery system, what would happen if SO didn't use OpenID, and lost a link between your SO account and an email address? What would be the secure recovery system for restoring the email address back to the account? From my experience, a lot of the criticism aimed at OpenID are because it doesn't do things it was never intended to do, instead focussing on doing one small thing well (which it's doing, if you ask me ;-p)
Grundlefleck
@Grundlefleck: The recovery was necessary *because* OpenID has too many moving parts. My OpenID provider changed a hash function, and that's what caused SO to lose the link between my credentials and my account. That wouldn't have happened if SO did their own credential management. How many users have been lost because an OpenID provider simply shut down? If I were SO, I couldn't imagine leaving such a vital part of the user experience to outside providers.
Adrian McCarthy
@Adrian: you're assuming that the SO team wouldn't make their own mistakes developing credential management. How much time has been saved, and how many errors avoided, because SO went for OpenID instead of doing it themselves? Who knows, but it's definitely not as simple as using OpenID == more problems.
Grundlefleck
+2  A: 

I don't think it's a flawed concept. I just think it's new, and people aren't used to it.

But OpenID should be used in conjunction with a local registration system so the user has a choice. Telling the user to go to X.com to register and then come back to your site after -- that's just stupid and confusing. But if the user already has a GMail/AOL/YMail/etc account then letting them use it is very very handy.

I think we as developers should be using specialized login forms though. That is, instead of "Enter your OpenID URL" it should be a standard "enter your username" and they can select Gmail/AOL/YMail/etc and behind the scenes we construct the URL. The idea of a URL being a login name is a bit backwards, so helping people with the transition is welcome.

Christopher Nadeau
+9  A: 

I fail to understand the angst against OpenID.

My experience with signing in to this site (admittedly the only OpenID I have had to deal with) was simple. I saw the OpenID required thing and I had a vague understanding that my signing into the site would be delegated to someone else who I trusted and already had an id with. Lo and behold, there was a link to the provider of my current online email provider. Click, follow a process that was simple enough that I do not even remember doing it.

Now that the open id connection is set up, it is no more difficult than any other site I deal with and the magic is that I did not have to add yet another account to a site that I had no idea I was going to use ever again and would probably forget the username or password for.

I like it, the concept and the execution.

Nat
+4  A: 

No, I don't believe that OpenID is a flawed concept.

If you look at the history of OpenID it was originally meant to allow people to correlate themselves via a URL they owned across blogs. This idea was expanded upon and became the single sign-on system it is today.

I would say that OpenID is perfect for websites that don't have user accounts to keep basic information, which is not considered vital to the end user. Thus a comic book site that helps with valuations of your comic book collection might be a good example. Because as an OpenID end user you can login to the site (without creating another username/password, which may be different than any other one you created because of existing users on the system) and check out how they work. If you like it, then you can continue to use the system as normal. Or, if you aren't totally enamored with the site but decide to check them out later, trying to remember which username and password combination you used for a site that you thought you might not otherwise return to could be frustrating. OpenID addresses that type of situation perfectly.

That being said, I wouldn't personally use OpenID to login into my bank account, because of many things that have been stated about the security of the redirects. However much of that is changing and there is great progress in advancing the security of OpenID through attribute exchange (especially in Japan).

Another note that many folks don't know is that you don't need to use a URL to have an OpenID; there is a technology called i-names that looks more like a username, i.e. my i-name is "=true", which may be much easier than typing in something like "http://true.myopenid.com". There is a cost of $12 per year for individual i-names, so that may initially be a barrier for some people, however free alternatives exist if you would like to play around with them.

On a last note OpenID is promoting the idea of discoverability (if that's a word). It's a concept that seemed to be sitting just below the surface. Discoverability is like social networking at the protocol level if you might :). There's tonnes of work going on in that area, which I think will lead to better implementations of OpenID or at least the idea of OpenID. Which hopefully will lead to a better internet for us all.

Disclaimer: I'm on the XRI TC committee and run a startup focusing on selling and providing services around XRI.

FreeXRI is not the startup I am involved with.

null
Very interesting answer, thank you! I'd give you +2 if it were possible!
Davide
A: 

The concept is fine however the design allows for gaping security exploits...

jm04469
This is FUD. The main security problem with OpenID is phishing, and that's a well-known problem on non-OpenID sites as well. You wouldn't use OpenID to secure a bank account, but for most sites on the Internet, the level of security it provides is a step up from alternatives.
Bob Aman
An OpenID can also look like a SQL injection attack since there is no governance over format.
jm04469
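Two points in this thread are really about how a relying party should handle the identifier string: Christopher Nadeau's suggestion that the site pick a provider and a username and "behind the scenes construct the URL", and jm04469's remark that an OpenID can look like a SQL injection attack because nothing constrains its format. The block below is an added example, not code from the question, any answer, or any OpenID library, showing both halves from the relying party's side: building the URL from a restricted provider template, normalizing whatever the user typed the way OpenID 2.0 section 7.2 describes (XRI detection, default http scheme, case-folded host, default path, fragment dropped), and then storing or looking up the result with a parameterized query so its characters are data, never SQL. The provider templates, the `example.com`-style hosts, the hostile-looking sample input and the in-memory `users` table are all constructed for the example; the `myopenid` pattern mirrors the `http://true.myopenid.com` form quoted above, and the refusal of userinfo (`user@host`) is a local hardening choice, stricter than the specification.

```python
import re
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed provider templates (assumption for this example). The myopenid
# pattern follows the "http://true.myopenid.com" form quoted in the thread;
# "example-provider" is hypothetical.
PROVIDER_TEMPLATES = {
    "myopenid": "http://{user}.myopenid.com/",
    "example-provider": "https://openid.example.com/id/{user}",
}

# A provider username gets spliced into a URL, so it is restricted to a single
# DNS-label-like token; slashes, '@', quotes and the like are refused outright.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

# OpenID 2.0 treats identifiers beginning with these symbols as XRIs ("=true").
_XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!"


def build_identifier(provider: str, username: str) -> str:
    """Turn a 'pick your provider, type your username' form into the URL."""
    template = PROVIDER_TEMPLATES.get(provider)
    if template is None:
        raise ValueError(f"unknown provider: {provider!r}")
    if not _USERNAME_RE.match(username):
        raise ValueError("username must be a plain label (letters, digits, . _ -)")
    return template.format(user=username)


def normalize_identifier(raw: str) -> tuple[str, str]:
    """Normalize typed input as OpenID 2.0 section 7.2 describes.

    Returns ("xri", identifier) or ("url", canonical_url); raises ValueError
    for anything that is neither, so the relying party never stores junk.
    """
    s = raw.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if not s:
        raise ValueError("empty identifier")
    if s[0] in _XRI_GLOBAL_CONTEXT_SYMBOLS:
        return ("xri", s)
    if not re.match(r"^https?://", s, re.IGNORECASE):
        s = "http://" + s  # spec: assume http when no scheme was given
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("identifier is not an http(s) URL")
    if parts.username is not None:
        # "http://trusted.example@attacker.example/" reads misleadingly and
        # userinfo has no role in an identifier: refuse it (local hardening).
        raise ValueError("userinfo is not allowed in an OpenID identifier")
    host = parts.hostname.lower()  # RFC 3986: host is case-insensitive
    if parts.port:
        host = f"{host}:{parts.port}"
    path = parts.path or "/"  # empty path normalizes to "/"
    # Fragment is deliberately dropped; query is kept as the spec requires.
    return ("url", urlunsplit((parts.scheme.lower(), host, path, parts.query, "")))


def is_valid_identifier(raw: str) -> bool:
    try:
        normalize_identifier(raw)
        return True
    except ValueError:
        return False


def new_user_store() -> sqlite3.Connection:
    """In-memory relying-party user table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, openid TEXT UNIQUE)")
    return conn


def lookup_or_create_user(conn: sqlite3.Connection, raw_identifier: str) -> int:
    """Find or create the local account for a normalized identifier.

    The identifier is bound as a parameter, never concatenated into the
    statement, so whatever it contains is data to the database, not syntax.
    """
    _, norm = normalize_identifier(raw_identifier)
    row = conn.execute("SELECT id FROM users WHERE openid = ?", (norm,)).fetchone()
    if row is not None:
        return row[0]
    cur = conn.execute("INSERT INTO users (openid) VALUES (?)", (norm,))
    conn.commit()
    return cur.lastrowid


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    store = new_user_store()
    url = build_identifier("myopenid", "true")
    uid = lookup_or_create_user(store, url)
    # The same identity typed three different ways maps to one account.
    for typed in ("true.myopenid.com", "HTTP://TRUE.myopenid.com/#profile", url):
        assert lookup_or_create_user(store, typed) == uid
    # Constructed hostile-looking input is stored as an opaque string; the
    # users table is still there afterwards.
    lookup_or_create_user(store, "http://host.example/'; DROP TABLE users; --")
    print(uid, user_count(store))
```

The normalization step is what makes the "provider plus username" form safe to combine with free-text entry: both paths end in the same canonical string, so one person does not end up with two accounts because they typed `HTTP://` once and no scheme the next time. The parameterized query is the only defence the "looks like SQL injection" worry actually needs; the format of the identifier is irrelevant once it is never interpolated into SQL.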