views:

1844

answers:

15

From my experience with OpenID, I see a number of significant downsides:

Adds a Single Point of Failure to the site
It is not a failure that can be fixed by the site even if detected. If the OpenID provider is down for three days, what recourse does the site have to allow its users to login and access the information they own?

Takes a user to another site's content every time they log on to your site
Even if the OpenID provider does not have an error, the user is redirected to their site to login. The login page has content and links. So there is a chance a user will actually be drawn away from the site to go down the Internet rabbit hole.

Why would I want to send my users to another company's website?
[ Note: my provider no longer does this and seems to have fixed this problem (for now).]

Adds a non-trivial amount of time to the signup
To sign up with the site a new user is forced to read a new standard, choose a provider, and sign up. Standards are something that the technical people should agree to in order to make a user experience frictionless. They are not something that should be thrust on the users.

It is a Phisher's Dream
OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy. [ taken from David Arno's Answer below ]


For all of the downside, the one upside is to allow users to have fewer logins on the Internet. If a site has opt-in for OpenID then users who want that feature can use it.

What I would like to understand is:
What benefit does a site get for making OpenID mandatory?

+8  A: 

It's a good way to outsource a part of your infrastructure. You don't have to worry about lost passwords etc., someone else does it for you.

I'm not sure I'd use it exclusively, though. I haven't used OpenID enough to entirely trust it, and the sign up process needs to be streamlined until > 90% of users have an OpenID.

MattW.
+1  A: 

Adds a critical point of failure to the site

That critical point of failure could be the confirmation email you send out, but the user's mailbox is a) unavailable due to a typo, b) full or c) provider is 'down'.

Takes a user to another site's content every time they log on to your site

I can see that, but IMHO - this is not so bad. I mean, Y! seems to be one of the most cluttered logins and it also never works for me. ;) Aside, most OpenID providers don't look so bad (yet).

Also, keep your audience in mind. If mom and pop are your users, OpenID is probably confusing as hell. But so is probably a lot on the Internet. In SO's case, the people are somewhat savvy users and know what they want.

Adds a non-trivial amount of time to the signup

This is a non-issue. Look at the list of providers: http://openid.net/get/

So many people have at least a Yahoo! account, so if it actually worked, it wouldn't be so bad. I agree though that if a user doesn't have OpenID, and doesn't know what it's for, it's not so easy to educate them.

And think about the implication - "to register for site A, you need to register at site B". And we all know that registering per se is a pain in the ass. But in the long run, this is also exactly what OpenID tries to address.

In mainstream, I currently see no value for making OpenID mandatory. I like it as an add-on though. Just how people provide links to "login with your Facebook", etc.. Then people who don't get it (or don't care) don't need to bother. But others can still use it.

Till
On your point about roll-your-own logins that: "...the user's mailbox is a) unavailable due to a typo, b) full or c) provider is 'down'." This is true, but if their email account does not work, they can also not sign up for OpenID.
Peter
It's a non issue if you have OpenID. ;) And as I said, the chances are not too bad. Aside from the ones advertised on the link I gave you, there are many, many more.
Till
The email problems are only a one-time signup issue. My Technorati OpenID has had problems 2-3 times in the last few days and I have not been able to sign in to Stack Overflow. The failure point is there every time you log on.
Peter
I am my own openid provider. If there's a problem _I_ can fix it. But even then, if you choose a reliable provider (just like choosing a reliable web host) then you shouldn't have problems. Until there's wide acceptance, though, providers who do it on the side aren't going to work at reliability.
Adam Davis
+19  A: 

The benefit of making OpenID mandatory is simply that login code for the website does not need to be written (beyond the OpenID integration), and no precautions need to be taken around storing user passwords etc.

Not having your own login code also means not having to deal with a lot of support issues like resetting of lost passwords etc.

Certainly most of your downsides are valid, so I guess it becomes a trade off.

What surprises me is that there are not more sites forming a close relationship with a particular OpenID provider to simplify the account signup phase - i.e. some sort of 'You can use any OpenID you like, but you can also create one right now by entering a username and password etc' login page, which automatically creates a new account with the selected provider for you.

Matt Sheppard
It is code that most people have written multiple times, but I agree it is a benefit.
Peter
Dealing with support questions related to OpenID might be worse than dealing with username / password related questions. Not only because it's something most users never experienced before, but also because there are more things that could go wrong.
ionut bizau
Beyond letting you sign up with an OpenID provider at account signup, I think it would speed adoption if sites would become OpenID providers themselves. So SO, for example, could say, "Log in here with your OpenID, or create account" (and your account becomes an OpenID which can later be delegated)
skiphoppy
I 100% agree with skiphoppy. But... then you lose the advantage of not having to deal with username/password yourself.
GvS
If you don't store personal data like passwords yourself, it is much easier to comply with privacy regulations. Just one more point.
ypnos
skiphoppy, the problem on the web with OpenID IMO is that we have too many providers and not enough RPs
Andrew Arnott
+2  A: 

It encourages users to sign-up to OpenID, find out more about it and hopefully to evangelise it themselves.

Stack Overflow proves just supporting OpenID can work.

"Adds a critical point of failure to the site"

In the event of an OpenID provider failing to work, the site should have a mechanism to allow users to login and add/change OpenID providers. Perhaps the site could email a temporary link to bypass security so users can access their account.

"Takes a user to another site's content every time they log on to your site"

My OpenID provider allows me to trust a given website so I do not need to even view their website.

"Adds a non-trivial amount of time to the signup"

This becomes less of an issue the more sites that support OpenID.

andyuk
"It encourages users to sign-up to OpenID... ...and hopefully to evangelise it themselves." I agree that this is a way to push a particular technology (which is interesting given StackOverflow's goal of being technology agnostic in content). The fact is that it does not "encourage", it forces.
Peter
So the reason to make OpenID mandatory is to force more people to use it? Wow, what shitty reasoning. There should at least be a 'pro' in there somewhere.
thesmallprint
+6  A: 

Adds a critical point of failure to the site

The third highest idea on uservoice for Stackoverflow is to allow changing the OpenID provider. And in the comments there is the suggestion to allow associating more than one OpenID. On sites where multiple OpenIDs can be associated with an account, if your usual OpenID provider is down you can still log in with another provider (assuming you've already associated it with the site).

Also, it's only a critical point of failure for users of the OpenID provider that isn't working. All the other users on other OpenID providers can continue to log in. Over time you'd expect that users would migrate to the most reliable providers.

Takes a user to another site's content every time they log on to your site

If you've set up your OpenID provider to always trust a site (or OpenID consumer in the nomenclature) and you are already logged into your OpenID provider, then they will redirect you straight back to the site without you even seeing your OpenID provider's site.

Adds a non-trivial amount of time to the signup

Currently that may be true, but as andyuk said, "This becomes less of an issue the more sites that support OpenID". I'd expect that in a few years time most users will already have an OpenID and know what it is.

Sam Hasler
I really don't think that's true. I've known about OpenID since its release, and only got an account with it a few weeks ago to access this site. I won't be using it anywhere else. And I'm a pretty techy type; they're going to have a much harder time convincing newbies.
thesmallprint
"I won't be using it anywhere else" do you mean there are other places you could use it but you choose not to, or that there isn't another site where you would use it. I'm guessing it's the latter. Once there are 10 sites that you use that accept OpenID it will make more sense to have and use one.
Sam Hasler
@thesmallprint: I created an OpenID login about a year ago. Once you have one, you're surprised at how many sites allow OpenID login; I think you just don't notice it most of the times if you don't have one.
LKM
I've had mine for quite some time and never used it. When SO started with it, I became my own provider, and with all the sites that I go to, I already have normal accounts with them, so using OpenID is not working for me. I have 1 login for SO; it's my OpenID and nothing else shares that.
Unkwntech
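Putting together the two suggestions above (andyuk's emailed temporary link for changing providers, and associating more than one OpenID so a second provider still works when the usual one is down), here is an added example that is not code from this thread or from Stack Overflow; the in-memory store, the 15-minute link lifetime, and the simplified identifier normalization are assumptions for illustration:

```python
"""Added example (not from the thread): one account, several OpenIDs, plus a
narrowly scoped recovery link. The recovery token is random, stored only as a
hash, expires, is single-use, and can ONLY add a new OpenID to the account;
it never opens a full session. All names and policies here are assumed."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

RECOVERY_TTL = 15 * 60  # seconds an emailed recovery link stays valid (assumed)


def normalize(identifier: str) -> str:
    """Simplified OpenID identifier normalization: add a scheme if missing,
    lowercase scheme and host, default the path to "/", drop any fragment,
    so the same identifier always compares equal regardless of how typed."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class AccountStore:
    def __init__(self):
        self._accounts = {}   # user -> set of normalized OpenIDs
        self._by_openid = {}  # normalized OpenID -> user
        self._recovery = {}   # user -> (sha256(token), expiry timestamp)

    def create(self, user, openid):
        self._accounts[user] = set()
        self.associate(user, openid)

    def associate(self, user, openid):
        """Bind another OpenID to the account; an ID may belong to one account."""
        oid = normalize(openid)
        if self._by_openid.get(oid, user) != user:
            raise ValueError("identifier already bound to another account")
        self._accounts[user].add(oid)
        self._by_openid[oid] = user

    def login(self, asserted_openid):
        """Called after the provider's positive assertion has been verified.
        Any associated identifier suffices, so a user whose primary provider
        is down can still sign in via a second, working provider."""
        return self._by_openid.get(normalize(asserted_openid))

    def issue_recovery(self, user, now=None):
        """Return the raw token to put in the emailed link; store only its hash."""
        raw = secrets.token_urlsafe(32)
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._recovery[user] = (digest, (now or time.time()) + RECOVERY_TTL)
        return raw

    def redeem_recovery(self, user, raw, new_openid, now=None):
        """Consume the token and associate new_openid. Returns True on success."""
        entry = self._recovery.get(user)
        if entry is None:
            return False
        digest, expires = entry
        if (now or time.time()) > expires:
            del self._recovery[user]          # expired: discard
            return False
        presented = hashlib.sha256(raw.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False                      # wrong token; real one stays valid
        del self._recovery[user]              # single use
        self.associate(user, new_openid)
        return True
```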
+2  A: 

As a web developer, I'm a big fan of the idea of OpenID. Writing Auth code is a pain in the ass. As a web user, I'm a big fan of OpenID - for non-critical uses like SO, forums, etc - because once you have the ID, it's a very simple way to join a site.

I think, outside of a few exceptions - like a community for developers - at this time, you can't force OpenID only. The "average" web user (whatever that means) doesn't get it. However, promoting it in a site like this raises awareness among developers, and the idea will eventually trickle down. As OpenID appears on more and more sites, people will look in to it, realize they have one, and then start using it. In order for OpenID - which is a great idea - to catch on, there needs to be a critical mass of users and sites supporting it.

Eventually, it will just be "the way it is", and we'll wonder why we ever created authentication code for every single website we made, or why we would create a unique identity everywhere we went on the Web.

mabwi
A: 

One thing to mention also. You already have a userbase with OpenID, they just need to login.

Ólafur Waage
This is a reason to have OpenId, not a reason to make it mandatory.
Peter
+1  A: 

OpenID may be the greatest thing since sliced bread, but I have been given no reason to trust "them" with my identity - other than Jeff Atwood/Joel Spolsky made me do it in order to be here complaining about it ;-)

Steven A. Lowe
Who is "them"? Are you talking about a specific OpenId provider?
LKM
@[LKM]: "them" = any OpenId provider. Who are these people? Can I trust them? What is their motivation? What do they do with my identifying info? Is it secure? How well do they protect their site? Etc.
Steven A. Lowe
+4  A: 

The list of downsides misses the most obvious one: it is a phisher's dream. OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy.

Matt Sheppard hits the nail on the head as to the answer though: the benefit of only using OpenID is that it involves less hassle for the site creator as there are no usernames and passwords to handle and no user account creation code required.

David Arno
Although I take your point, if anyone ever asks me for a credit card number from StackOverflow I'll suspect something is wrong anyway. :-)
Onorio Catenacci
@Onorio Catenacci, I have started a new question on the topic to give more details of why it is insecure. There is far more to ID theft than just asking for credit card numbers. http://stackoverflow.com/questions/182258/are-there-any-security-risks-associated-with-me-using-openid-as-the-authenticat
David Arno
Surely the ease of use (once an ID is set up) is a definite benefit to OpenID?
Sam Murray-Sutton
@Sam, yes it is a benefit to offering OpenID as an option. The question though was what benefit is there in ONLY using OpenID.
David Arno
OpenID is phishable ONLY when the Provider takes a username/password. There are many providers out there that use phishing-resistant credentials. This makes OpenID much MORE secure than standard username/password on any RP site.
Andrew Arnott
@Andrew, can you give some examples of these phishing-resistant credentials please? This is a new one on me and could completely change my view on open ID if they really work.
David Arno
@David Arno: Client certificates, hardware tokens and OTPs to name a few.
troethom
A: 

The main benefit of having an OpenID will be seen in the long term. Instead of having to apply to different sites for an identity, you do that once and then use it on all the sites that require a unique identity. Of course for secure sites like banking and trading it will need a different kind of thinking altogether. But for social networking sites and the like you can use it easily.

Mom and Dad will find it easy too because now they have to remember only one username/password. A lot of times it gets hard for us to remember what login we have at which site, and end up using the correct username/password of Site A on Site B. OpenID will solve that. Plus it's a good revenue model for an OpenID provider and user. I can enter to one such provider all the details I am willing to give and every such detail I give I can earn money.

Maybe the provider can coax me to tell it more about myself using that as an incentive, which it can then sell to the sites I register with. So Site A pays OpenID for my information. OpenID then passes a cut of that on to me. Site A doesn't have to manage users, OpenID gets money, user gets money, everybody is happy :)

This way you won't have to make OpenID mandatory. People themselves will want it. OpenID providers will then compete amongst themselves to provide better services, and where there is competition there will be better value provided to all concerned. I think it's a fabulous idea.

Edit: Regarding downtimes at one particular provider; if OpenID provider A is not confident of providing 100% uptime, it can take the help of another provider B, and the user on Provider A can choose from the options provider A gives. The site which goes to provider A to authenticate a user will know which other providers to go to in case provider A is not working. This will be stored in its database on first login automatically. Anybody want to brainstorm the implementation details? :)

This is not a benefit for mandating OpenID, just a benefit to providing support for it.
David Arno
Agree. I do not oppose OpenID, I just believe that it is not good development to make it mandatory. Offer OpenID, advocate for OpenID, but just do not force it on your users.
Peter
I wasn't saying make it mandatory either. I was saying users will prefer it over a non-paying registration form. Also, the question was what benefit will the site get by mandating it, not whether it was good practice or not...
I do agree there should be a choice though. However, I think over a period of time, people won't care. The regular practice on first visiting a new site would be to search for an OpenID login box or perhaps just expect it to be there by default, just M.H.O. :)
+2  A: 

One of the big benefits of going OpenID-only from an engineering perspective is that abstracting out the credentials-authentication piece lets users pick authentication methods that are much more sophisticated than whatever you would bother to build for your site. Yes, some OpenID providers are easily phished. On the other hand, other OpenID users log in with Information Cards, hardware tokens, or telephone verification, and these are credentials which cannot be captured and replayed by a phisher.

As Gabe Wachob put it:

People who want to innovate in authentication methods [...] do NOT have to be the same people who innovate in offering services on the web (any one of a million folks running Mediawiki, Drupal, etc). That "delinking" of authentication innovation and service innovation is what is valuable in OpenID.

So by using OpenID, you can offer your users stronger authentication methods. The abstraction lets you implement one interface, and then you can pick any provider to work with, whether they use eight-character passwords in cleartext or challenge-response neural implants.

keturn
+2  A: 

As discussed in one of the podcasts, it adds a barrier to entry to the wanderer happening by wondering if this might be where they should post their Yahoo! Answers question.

It's somewhat elitist, but given the focus of this website in particular it is fairly acceptable to turn away any who can't figure out the Open ID process, and anyone who really has a real question they need answered can be bothered to work through any slight hardship.

davebug
A: 

I am in favour of OpenID, mainly from an ease of use perspective. I remain to be convinced about its safety, but it has a lot of potential. There are lots of things that could be said on this, but I just wanted to respond to the following two points:

Adds a non-trivial amount of time to the signup

Only the first time it's set up. Also, with companies like Yahoo providing support now, many people won't even have to bother setting up an OpenID if they don't want to. If you used Google or someone similar as your OpenID provider, would you see them as inherently insecure? And how often would you expect them to have downtime?

It is a Phisher's Dream

I do accept that this might be partly true. But is phishing not more of a social problem than a technological one? OpenID could make it easier, but that doesn't eliminate the fact that the real problem is the user. It's far more important to make users aware of how phishers operate than trying to safeguard them through technology.

Sam Murray-Sutton
A: 

At least OpenID sends you to your OpenID provider to login.
I was reading a blog on blogspot and there is a link to follow this blog (presumably to tell me when there are new posts); to do this it pops up a box asking for my Gmail username and password.

Even assuming that this is genuine and not a phishing site - they now (potentially) have the login to my Gmail, my Google documents, my Google applications - everything!

Martin Beckett
A: 

From my experience with OpenID, I see a number of significant upsides:

If you choose to log in with your trusted OpenID provider, eg. Verisign PIP+VIP, you can enjoy the benefit of out-of-band SecurID authentication mechanisms. This should be seen as the major benefit that outweighs ALL others. You are no longer trusting whatever crappy form-based authentication is on the site you access, you are trusting Verisign VIP or whatever your choice of OpenID provider may be.

Internet rabbit hole? Sounds like bad implementation and I for one do not know what you are referring to.

You cannot steal authentication detail easily; it can be made closer to impossible than what we already have! You may be able to trick me into thinking I am contacting my provider, but Verisign for one has an option to not allow or accept redirections. I see these phishing issues as something trivial also, especially again if you weigh it against the benefits of out-of-band authentication mechanisms that you can gain through your OpenID authentication provider. So say you phished RSA key detail one time; it would not be valid the next time, or maybe just totally useless if you were to, say, use a browser certificate.

In conclusion, OpenID is just the evolution of the current system, an Email address to verify against. If your email account is your current single point of failure then yes, your OpenID could be your new single point of failure in the case where the OpenID you control is no longer under your control. So, if you trust only your email server then simply host your own OpenID URL. If you trust Gmail, use a gmail URL for your OpenID because by the same token, you already trust Gmail as your SSO as your gmail account can ultimately retrieve your account passwords.

It's a no-brainer, but I can see that some people may have difficulty understanding the basic concepts of authentication mechanisms. If I CAN login with my SecurID card (via my OpenID provider) to a site that I have an account on, I WOULD. So if it was the only option, I'll take it!