views: 2918 · answers: 16
You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audience (but not quite Mom and Pops either) so I have to wonder if OpenID is going to be "too hard" for some audiences.

What do you think? That aside, are there any other technical or non-technical reasons NOT to use OpenID?

+10  A: 

Yeah, security. Using OpenID puts you at the mercy of them administrating their accounts. You have no control over password security and user IDs. You are trusting some other organization to verify that the people coming to your site are who they say they are. If you need to really verify that someone is who they say they are, you won't get that with OpenID without doing some sort of secondary verification yourself, in which case you might as well just not use OpenID.

http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions

Kevin
Using 3rd-party verification is a valid form of security. For example, we trust and pay for SSL certificates issued by third-party companies, which is considered more desirable than a self-issued cert.
null
Right, but this is different. OpenId doesn't verify who you are beyond what the person signing up for the account told them. If they did background checks etc., that would be different and then it all depends on how much you trust a third party like OpenId.
Kevin
You don't have to verify yourself if you use a whitelist of trusted providers.
Andrew Arnott
While this is true, I trust Yahoo and Google to build a better authentication schema than I can. A large provider like that is more likely to have better password protection than I can provide, so I don't know how much weight this holds.
rwmnau
-1 this is just FUD. I agree with @rwmnau. What Kevin says *looks like* it makes sense, but is actually just wrong.
Lo'oris
Yep, totally wrong on that one....not like they just found a hole in the openid standards or anything...
Kevin
+3  A: 

OpenID is good if all sites use it. But to register with OpenID just to use ONE site is a bit too much. Registering with OpenID is not as straightforward as directly registering on a site (from a consumer point of view).

luiscubal
Well, kind of true. Everyone with a Google, AOL, Yahoo, LiveJournal or Flickr account (and in the near future Hotmail/MSN) has an OpenID account. However, they might not *know* it yet.
Gareth
I use Google to log in using my gmail account information.
Thorbjørn Ravn Andersen
It's just a matter of critical mass. As the "big players" begin adoption of standards like this, it'll begin to make more and more sense. Bootstrapping it is of course the most difficult hurdle, which I think in the case of OpenID is happening fairly quickly, all things considered.
Chris
A: 

Everyone can connect the things I do on one site to the things I do on other sites when using an OpenID, because it's the same everywhere. So I wouldn't use the same ID I use here for a porn site, for example.

Bob
There's nothing stopping you having more than one OpenID, just like there's nothing stopping you having more than one email address. The benefit of OpenID is that the *user* gets to decide who stores their password rather than the site.
Gareth
There are still plenty of trust issues associated with OpenID, obviously if an account *is* compromised then there are still big problems (and therefore OID isn't necessarily right for widespread use yet) but cross-site tracking isn't one of those reasons.
Gareth
Bear in mind that unless you're really careful to delete/block them, there are already ad cookies that track pretty much everything you do but it's even worse: it's on a page-level rather than the less informative site-level.
cletus
A: 

There are a lot of reasons. That's one account which gives access to all; if this is compromised, you get in trouble.

If you are setting up a page which uses OpenID, then you should know everybody can set up an OpenID server (spammers can do that too).

--

But OpenID has good ideas and I like to use it!

Bernd Ott
It's for this reason I like well-known providers like AOL or Verisign.
cletus
+28  A: 

Average users still don't understand what OpenId is, what it's for, or how to use it. My parents would not be able to login to Stack Overflow, for instance.

That being said, this is largely about user interface. There's nothing inherently preventing them from using OpenId - they just need a user interface that abstracts away OpenId from them, and just lets them login with their Google account (for instance).

Scotty Allen
see https://rpxnow.com/ for one example of a better UI wrapped on top. This variant also supports OAuth which picks up Facebook, etc.
Jeff Atwood
I concur - I like OpenID quite a bit. But it is way too complex and hard to explain.
Foredecker
I totally agree. In fact, I'm implementing a pure OpenID login solution for my site with a simplified login/registration process. It's based loosely on the examples provided in the DotNetOpenID project ( http://dotnetopenauth.net ) which is very well done, by the way.
Steve Wortham
I just finished up my implementation... http://regexhero.net/user/
Steve Wortham
Agreed. In fact, my first contact with OpenID as a user was Stack Overflow and it took me the better part of an hour to figure out what exactly I was supposed to do or use and how it works. I noticed I already had an account somewhere that allowed me to use it as OpenID (Technorati) but that one started becoming flaky a few months later and then dropped support completely, making the experience even less fun. Generally, anything you need to explain *to a geek* in more than a minute is seriously overcomplicated to use for a normal person. Or maybe I'm just a sub-average geek.
Joey
+2  A: 

It is good as an addition to normal registration, but is not very easy to use if it is the only way to log into your site. Look at registration on Stack Overflow - all sites are specially mentioned to help people understand what this is all about. And this site is for geeks :) So the minus is complexity.

Also see this link

Malx
Not Offensive. Clicked by accident.
Timur Fanshteyn
+13  A: 

OpenID is spectacularly susceptible to phishing attempts. If you run an OpenID site, try changing the login page one day to request the identifier and password, instead of the normal approach of only requesting the identifier and redirecting to the OpenID provider to request the user's password. I bet you can get over a fourth of your users' passwords this way.

Ross
Surely you mean a quarter...
Jeff Yates
While what you say is true, Ross, it's not at all unique to OpenID. If your web site takes an "email address and password" combination, as many sites do, I bet more than 50% of accounts give you the same password they use for their email account. OpenID at least gets you to not even take passwords!
Andrew Arnott
And their bank account ...
rpflo
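The defensive reading of Ross's answer above, and of Andrew Arnott's "whitelist of trusted providers" comment on the first answer, is that a relying party's login form should collect the identifier and nothing else, and should only redirect to providers it has chosen to trust. The following is an added example of that relying-party step, written for this page rather than taken from the thread or from any OpenID library: the provider hosts and OP endpoints are constructed, and the endpoint lookup stands in for the discovery step (Yadis/XRDS or HTML link tags) that a real relying party would perform.

```python
"""Relying-party side of an OpenID login: collect only the identifier, normalize it,
check the provider against an allow-list, and redirect.  Added example, not code
from the thread; the provider hosts and endpoints below are constructed."""
from urllib.parse import urlencode, urlsplit, urlunsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed allow-list of provider host -> OP endpoint (the "whitelist of
# trusted providers").  A real relying party learns the endpoint through
# discovery; the mapping is assumed here so the example runs offline.
TRUSTED_PROVIDERS = {
    "id.example.net": "https://id.example.net/openid/server",
    "openid.example.com": "https://openid.example.com/auth",
}

# Field names that have no business on a relying-party login form.
SECRET_FIELD_WORDS = ("password", "passwd", "passphrase", "secret")


def normalize_identifier(raw):
    """OpenID 2.0 section 7.2 normalization for URL identifiers."""
    ident = raw.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident.startswith(("=", "@", "+", "$", "!", "(")):
        # XRI i-names carry no host name to allow-list; this RP handles URLs only.
        raise ValueError("XRI identifiers are not accepted by this relying party")
    if not ident.startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    if not parts.hostname:
        raise ValueError("identifier has no host")
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    # Lower-cased scheme and host, "/" for an empty path, fragment dropped.
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))


def provider_endpoint(identifier):
    """OP endpoint for the identifier's host (or a subdomain of a trusted host)."""
    host = urlsplit(identifier).hostname
    for provider, endpoint in TRUSTED_PROVIDERS.items():
        if host == provider or host.endswith("." + provider):
            return endpoint
    raise ValueError(f"provider {host!r} is not on the allow-list")


def validate_login_form(form):
    """The RP form carries the identifier and nothing the user should keep secret.
    Accepting a password here is exactly the phishing set-up the answer warns about."""
    for field in form:
        if any(word in field.lower() for word in SECRET_FIELD_WORDS):
            raise ValueError(f"relying-party form must not collect {field!r}")
    identifier = form.get("openid_identifier", "")
    if not identifier:
        raise ValueError("missing openid_identifier")
    return normalize_identifier(identifier)


def build_checkid_redirect(form, return_to, realm):
    """URL to send the browser to: a checkid_setup request at the provider's endpoint."""
    claimed_id = validate_login_form(form)
    endpoint = provider_endpoint(claimed_id)
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_checkid_redirect({"openid_identifier": "Alice.ID.Example.Net"},
                                 "https://rp.example.org/openid/return",
                                 "https://rp.example.org/"))
```

The allow-list check happens after normalization, so case differences and fragments in what the user typed cannot slip a look-alike host past it, and the form check makes the "identifier and password" page from the answer impossible to build by accident in this handler.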
+4  A: 

OpenID is still as insecure as every other password-based authentication method out there. In fact, it is even worse because if someone gets access to your OpenID, they have more than just that one account now. Of course there's also phishing attacks, but we're all savvy programmers, database and system administrators, so we wouldn't fall for such things, right?

Authentication security is based on trust. As others pointed out, why would you trust a third party to potentially sensitive information? Sure, you can set up an OpenID server yourself, but how much hassle is that vs. maintaining separate passwords on multiple systems? Sure, you can create secure passwords that are long and full of non-alphanumeric characters, and even store them all in a password manager (I do), but some sites are flawed in that a simple password recovery form can be filled out to gain access to reset the password.

I would probably be inclined to support and even evangelise OpenID if it did secure private key-based authentication, a la SSH or PGP. Maybe that's a matter of a provider offering such a method - I haven't looked into it [yet].

Finally, while we all trust OpenID enough to use it to authenticate on Stack Overflow, my OpenID is a "throwaway", and it's not like I'm using this as a professional reputation building tool (i.e., my real name isn't involved ;-)). I'm sure I'm not the only one (as cool and awesome as this site is!).

jtimberman
"Maybe that's a matter of a provider offering such a method" Verisign's OpenID can do this. The value of different providers..
Jeff Atwood
Apparently so can myopenid.com, which has a better "rating" than Verisign here: http://openidexplained.com/get
jtimberman
This is also actively being talked about being "included" in the next phase XRDS discovery http://lists.oasis-open.org/archives/xri/200812/msg00027.html -just a random email to get started with.
null
OpenID is NOT as insecure as every other password-based authentication. My OpenID account is protected with InfoCard, which makes it phishing-proof.
Andrew Arnott
Andrew: but most OpenIDs are not protected by InfoCard. OpenIDs can be really secure, or really insecure -- which is exactly the same as every other password-based authentication. Beyond a low threshold, technology is simply not the limiting factor.
Ken
A: 

I'm surprised that somebody that has used Stack Overflow couldn't think of a reason to NOT use OpenId - because it's annoying as hell?!

Ted Dziuba did a much better job of ripping into OpenId than I would, so just read what he wrote.

Another good reason - Facebook Connect already seems to be doing very well. As Facebook's membership continues to grow, it's going to make Facebook Connect support that much more valuable.

At some point I suppose Facebook could make Connect an OpenId provider... but really, why would they want to?

bpapa
Yes, I have to admit that I'm leaning more and more against OpenID and more and more for Facebook Connect.
cletus
Facebook Connect is one of the most phishable auth schemes I've ever seen! I can't believe anyone is using it! Way worse than OpenID due to its iframe popup based auth mechanism. Plus, what if I hate facebook?! With OpenID, at least I get to choose which web site manages my identity.
Andrew Arnott
Andrew, OK cool, glad you feel that your choice is important. But as Ted outlines, most people don't give a hoot. And, at this point it seems more and more like "most people" would be equivalent to "people who use Facebook."
bpapa
Just some fun trivia, most of my tech-savvy friends do not use Facebook and proclaim they will never use Facebook... I seem to be an exception but Facebook Connect seems like a good alternative scheme but only if the site has some other mechanism in place as well.
Oskar Duveborn
+28  A: 

It may be slightly inaccurate to say that the average person doesn't understand OpenID.

In most cases, with a little persuasive marketing (i.e. "USE ONE LOGIN ON ALL SITES!!!11!") they can understand that it allows them to log in at sites using one login rather than having a bunch of different usernames and passwords at different sites.

The problem, however, is that to an average user, the whole OpenID experience goes against what they believe online security to be.

  • Users won't automatically trust it

    With normal username/password logins, users understand that a password should be kept secret, and that's what protects their privacy when they log in at a site. How are they to understand the exchange that goes on between an OpenID client site and their OpenID provider? All they know is they didn't have to put in a password (assuming they're "always logged in" at their OpenID provider) - so it's not secure, right? I mean, in the eyes of a user, how can it be secure if they didn't give a password?

  • It opens the door for phishing

    (Many) users know that it is wrong to use the same password for different accounts, yet this appears to be precisely what OpenID is doing. They would be right to be suspicious, since if someone gains access to their OpenID provider they gain access to their identity at all sites. But what if a user simply assumes that all their OpenID provider is doing is sharing their password with all participating sites? I mean, how else could OpenID be 'logging in for them' on all these sites? If the user assumes that through OpenID, their password becomes known to all participating OpenID sites, they may assume that it is quite reasonable to give out this password to any of those sites. It's a phishing nightmare. Imagine putting this phrase on your site: "Please enter your OpenID address [ ] and password [ ]". You're phishing people already.

  • It deviates too much from what users understand

    Having multiple usernames/passwords at different sites is not difficult for users to understand. Users understand the concept of usernames and passwords well, because they are used to them, and the point of security (the fact that the password is a secret) is really obvious to them. It's really clear how a password works. Having multiple username and password combinations does not make this any more confusing or complicated - it is just the same thing, but more than one of them. While remembering multiple passwords can be difficult, users at least know how to do it, and how it works.

    OpenID tries to solve the problem of remembering multiple passwords, but in the process it creates an entirely new paradigm, one which is completely opaque to the users. Unlike a password, whose security is obvious (it just has to be secret), all of the security of OpenID goes on behind the scenes, with sites communicating with each other, browser certificates, etc. The user no longer knows how their privacy is being protected or what is to be kept secret from whom, without a greater understanding of how the system works. So, in an attempt to solve a problem of remembering multiple passwords, OpenID has created a mystical system of key-exchanges that violates the user's whole understanding of how authentication works and why it's secure.

thomasrutter
This is a wonderful and thorough answer!
Todd Owen
A: 

If you have a site which requires a high level of security, you do not want to leave handling of your login credentials to an outside provider, where you have no control over access. If the OpenID provider gets hacked, you're leaving your security up to them.

mabwi
Yeah, sure. As if the site *you* build could be more secure than, say, Google.
Lo'oris
@Lo'oris - That's not what I said at all. The question is, what are some good reasons not to use OpenID. The dangers of passing off your authentication IS a good reason, even if it's not applicable to the average site. Would you use OpenID if you were developing a banking system? Why not? And that's exactly my point.
mabwi
+5  A: 

This comes up a lot.

A good rule:

If you need to collect and keep private personally identifiable information, don't use OpenID.

If you do not need to collect and keep private personally identifiable information, go ahead and offer OpenID as a method to login.

For e-commerce, or anywhere else that you need to comply with PCI/DSS certification, I would not use OpenID.

I don't mind that SO is exclusively OpenID, however I would not make a site that used it exclusively.

Tim Post
+1 @Tim - Thanks. You nailed my question.
Bob Kaufman
A: 

From what I can tell, it looks like an OpenID provider is not required to give out an account holder's email address, although some do.

If your service requires an email address to communicate with its users (for example, to send out a newsletter - which the many people who have never heard of RSS prefer), then you may have to capture an OpenID AND verify an email address.

A system in which just an email address and password are required and which employs an activation email message would be less work for users.

Rich Apodaca
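Rich Apodaca's point above is that the provider's response may or may not carry an e-mail address, so the relying party has to decide, per login, whether its own e-mail verification step is still needed. The following added example (written for this page, not code from the thread or from an OpenID library) shows what a relying party does with the provider's positive assertion at its return_to URL: it checks the HMAC-SHA1 signature against the association secret, guards against a replayed response nonce, and then looks for an e-mail address supplied through the Simple Registration extension, trusting it only if the provider signed it. The association secret, the provider endpoint and the response itself are constructed; the example assumes an HMAC-SHA1 association was established beforehand.

```python
"""Verify an OpenID 2.0 positive assertion and report whether it carried a signed
e-mail address.  Added example, not code from the thread; the association secret,
the provider and the response below are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SREG_NS = "http://openid.net/extensions/sreg/1.1"
RETURN_TO = "https://rp.example.org/openid/return"  # this relying party's return_to
# OpenID 2.0 section 10.1: fields that must always be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def key_value_form(params, signed_fields):
    """OpenID 2.0 section 6.1: 'key:value\\n' per signed field, in openid.signed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def compute_signature(params, signed_fields, assoc_secret):
    """HMAC-SHA1 over the key-value form, base64-encoded (HMAC-SHA1 association)."""
    mac = hmac.new(assoc_secret, key_value_form(params, signed_fields).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, assoc_secret, seen_nonces):
    """Return (ok, reason) for a response received at RETURN_TO."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed_fields = params.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed_fields)
    if missing:
        return False, f"unsigned mandatory fields: {sorted(missing)}"
    for name in ("claimed_id", "identity"):
        if "openid." + name in params and name not in signed_fields:
            return False, f"{name} present but unsigned"
    if params.get("openid.return_to") != RETURN_TO:
        return False, "return_to does not match this relying party"
    nonce = params.get("openid.response_nonce")
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    try:
        expected = compute_signature(params, signed_fields, assoc_secret)
    except KeyError as absent:
        return False, f"signed field absent: {absent}"
    if not hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


def signed_sreg_email(params):
    """E-mail from the Simple Registration extension, only if the provider signed it."""
    signed_fields = set(params.get("openid.signed", "").split(","))
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == SREG_NS:
            alias = key[len("openid.ns."):]       # extension alias is provider-chosen
            if f"{alias}.email" in signed_fields:
                return params.get(f"openid.{alias}.email")
    return None


def make_sample_assertion(assoc_secret, with_email):
    """Constructed provider response, signed the way an OP would sign it."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://id.example.net/openid/server",
        "openid.claimed_id": "http://alice.id.example.net/",
        "openid.identity": "http://alice.id.example.net/",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2009-01-01T00:00:00Zabc123",  # constructed nonce
        "openid.assoc_handle": "assoc-demo-1",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if with_email:
        params["openid.ns.sreg"] = SREG_NS
        params["openid.sreg.email"] = "alice@example.net"
        signed += ["ns.sreg", "sreg.email"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = compute_signature(params, signed, assoc_secret)
    return params


def encode_response(params):
    """Query string the browser would deliver to return_to (indirect response)."""
    return urlencode(params)


def parse_response(query_string):
    return dict(parse_qsl(query_string, keep_blank_values=True))


def login_outcome(params, assoc_secret, seen_nonces):
    """Decide whether the user is authenticated and whether e-mail verification is still needed."""
    ok, reason = verify_assertion(params, assoc_secret, seen_nonces)
    if not ok:
        return {"authenticated": False, "reason": reason}
    email = signed_sreg_email(params)
    return {"authenticated": True, "claimed_id": params["openid.claimed_id"],
            "email": email, "needs_email_verification": email is None}
```

An unsigned `openid.sreg.email` is ignored on purpose: anything outside `openid.signed` could have been added in transit, so an address that arrives that way is treated exactly like no address at all, and the site falls back to its own activation e-mail.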
+5  A: 
  1. The interface is terrible.

    a. Registering with OpenID takes more time and savvy. Normal registration takes very little time or savvy. Registration happens once, but it's a large upfront investment, so the site has to be very compelling.

    b. Signing in involves: three pieces of data instead of two; two web pages instead of one (three at StackOverflow, actually); and an external web site. EVERY TIME.

    c. There are better interfaces for this kind of solution. I use KeePass, for example.

  2. Name collisions. There's no way to ensure unique names.

  3. Security is terrible.

    a. It encourages phish-like behavior. It's not as bad as "Verified by Visa," but it's close.

    b. Single point of failure: If you lose anything, you lose everything. KeePass at least allows me to physically protect the password (you must have the hard drive with the encrypted database on it).

    c. Cross-site tracking. Credit card companies actually have rules in place governing how much tracking they're allowed to do. Cookies can be selectively disabled or prevented in modern browsers. OpenID has no rules and no governors.

  4. It isn't actually universal. Google provides OpenID... but doesn't use them. Same for Yahoo. And for AOL. There's no incentive for an OpenID provider to allow the use of OpenIDs from other providers.

  5. OpenID is useful for authentication, but not for authorization, particularly for anything sensitive (credit cards, for example).

For me personally, I use one login/password per site, and I use KeePass (which I can protect physically and with two layers of passwords that must be cracked) to maintain the one-login-for-everywhere abstraction.

That includes StackOverflow: I created an OpenID specially for you guys, and I won't ever use it anywhere else. I did this, and I put up with the login pain because the content is compelling.

But if a real auth method were ever provided for StackOverflow, I'd jump on it in a heartbeat, just for the ease of use gains.

Thomas Weigel
+2  A: 

It's funny for me to read this topic, it reflects exactly my experience with OpenID:

StackOverflow.com was for me the reason to get an OpenID.
Many Google searches led me to this website, and I was never able to leave comments.
I thought about registering many times, but I didn't because of OpenID. It was not clear to me what it was exactly.
But one day, I took the decision to register and it took me a while, but I don't regret it because I use it every day. It gives me a more secure feeling although I'm aware that it's only one account which would lead to many problems if it gets phished.

So for me, OpenID is a really nice way to quickly login on sites I don't know, but also on bigger websites such as StackOverflow.com
The main problem is that new users need to be pushed into the registration process then discover how great OpenID actually is.

Daan
A: 

The number of OpenID account providers you have (Google, Yahoo, Twitter, etc.) equals the number of accounts you can automatically use to log in to an OpenID-powered website. This is certainly not an advantage, but it can be a big disadvantage.

mdm414