Hello there, I'm new to this site, but I've read the rules and also searched the questions section and not found any related question answered well.
Anyway, the question: what are the pros & cons of using OpenID on a website instead of a regular login system? My customer wants me to use this kind of login for a local sales system & I have no idea why! Thanks in advance.

+17  A: 

OpenID is implemented by Stack Overflow. Since you just signed up, you may have experienced the benefits yourself.

Basically, it can be used to allow users to log into the website without creating an account or sending you any of their personal information. As long as they have an account with an OpenID provider that your site supports (Google, for example), they can simply use their Google username and password to log in through your site. This can increase customer retention and reduce the likelihood that users will leave due to forgetting their password.

Here is an overview by 37signals.com that explains the benefits of OpenID for their applications: http://www.37signals.com/openid/

And of course you can find lots more information at: http://openid.net/

Gdeglin
As Google and Yahoo users may have multiple accounts, they may want to flood the system using this easy login system, hm? But using the regular process of registering might prevent 'em from doing so. Thanks for the answer George, that was a nice article.
Stephanie Luther
@Stephanie, I wouldn't worry about that scenario because automated account creation on your site would be easier vs. Google, which uses advanced CAPTCHA during account creation. In the long run, OpenID will be a lucrative target for spammers though.
aleemb
So OpenID rules, huh? :D Thanks for the reply aleemb. I'm also using CAPTCHAs and I'm also logging the user's every suspicious movement. No way out!
Stephanie Luther
+10  A: 

I can't come up with any reasons not to use it, but there are some things you ought to consider.

I would suggest offering OpenID as an alternate mechanism, primarily due to lack of user awareness. A lot of developers are not familiar with it, so users certainly won't be, and it will confuse them when they see OpenID on the signup/login page requesting their Google or Yahoo login/password (What is OpenID? What does my Google login have to do with buying a toaster?). Consequently, they will be taken to Google or another site to confirm they want to allow your site to access their login data, which might confuse them even further (are these people getting access to my Gmail?). From a security standpoint, for all I know, your site could be storing my Google login data and I might abandon a login or purchase due to trust issues.

So putting a login/password system up front and OpenID on the side might be advisable, depending on the nature of the site.

aleemb
Nice note, thanks ;)
Stephanie Luther
+3  A: 

Although for us techies the benefits of OpenID are pretty much obvious, regular users sometimes find it hard to grasp the idea of using one site's login to log on to another site. They're simply accustomed to creating an account for the site they're starting to use.

The primary problem was that users were not completely aware of what OpenID was. With the help of usability studies it's been solved by promoting the OpenID logon as a possibility to provide the credentials of an account they already have, like a Yahoo, Gmail or MS Passport one, since their operators have become OpenID providers recently. Like Yahoo said, "Promote the utility, not the technology".

And of course it's important to stress that they don't have to have yet another account and yet another password to remember (or put on yet another post-it ;) ) and that the consuming site doesn't have any way to store the provider's credential data. That should be enough to have them convinced.

But due to the varying nature of the sites providing the OpenID logon, I would be reluctant to log on with it to my bank account.

macbirdie
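The point in the answers above that the consuming site never sees the provider's password comes from how the protocol works: the provider redirects the user back with a positive assertion that the relying party checks against a MAC key shared during association. The following is an added example (not code from the thread or from any OpenID library) of that check in the OpenID 2.0 key-value form; the MAC key, the return_to URL and the assertion itself are constructed.

```python
import base64
import hashlib
import hmac

# Constructed 256-bit MAC key standing in for the one the RP and the provider
# share after association (assumption: an HMAC-SHA256 association type).
MAC_KEY = hashlib.sha256(b"constructed-example-association-key").digest()
RETURN_TO = "https://shop.example/openid/return"  # constructed RP endpoint


def signed_kv_form(params):
    """OpenID 2.0 key-value form: one 'key:value\\n' line per field named in openid.signed, in order."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def compute_sig(params, mac_key):
    """HMAC-SHA256 over the key-value form, base64 encoded like openid.sig."""
    mac = hmac.new(mac_key, signed_kv_form(params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, mac_key, seen_nonces):
    """Accept only a positive assertion whose security-relevant fields are signed, whose signature verifies, whose return_to is ours and whose nonce is fresh."""
    if params.get("openid.mode") != "id_res":
        return False
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required <= set(params.get("openid.signed", "").split(",")):
        return False  # an unsigned field could be swapped by whoever relays the redirect
    if params["openid.return_to"] != RETURN_TO:
        return False  # assertion was issued for a different relying party
    if not hmac.compare_digest(compute_sig(params, mac_key), params["openid.sig"]):
        return False  # tampered or not from the provider we associated with
    if params["openid.response_nonce"] in seen_nonces:
        return False  # replayed assertion
    seen_nonces.add(params["openid.response_nonce"])
    return True


def sample_assertion(claimed_id="https://provider.example/alice"):
    """Constructed positive assertion, shaped like what the provider redirects back."""
    p = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://provider.example/openid",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2009-01-01T00:00:00Zconstructed",
        "openid.assoc_handle": "constructed-handle",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = compute_sig(p, MAC_KEY)
    return p
```

Note what the relying party stores: a MAC key and a nonce list, never the user's provider password, which is why the answers can say the consuming site has no way to keep the provider's credentials.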
+1  A: 

You should be aware that OpenID can be more vulnerable to phishing because users know less about it. If a malicious site pretends to implement OpenID, but forwards the login attempt to a malicious site under its control (say, imitating a Google login), it can then gain access to that phished user's account on all OpenID sites. So if you use OpenID, there may be a higher probability of bots and malicious users, or perhaps not.

How this will work out in practice and whether it will become a valid security concern is anybody's guess. I believe there are also some proposed changes to the OpenID standard to try and mitigate these attacks, though I don't know the details.

Soonil
+1  A: 

A reason NOT to use OpenID is security.

If a user utilizes a third party OpenID provider (Google, Yahoo, etc), then a malicious employee of the provider who had access could obtain the login info and exploit the user's account.

I ran into this scenario when designing an in-house application for managing a vital service for a client. OpenID was very attractive as the users were already familiar with the external services (everyone has a gmail or yahoo account, it seems). The downside was that any exploit could've resulted in hundreds of thousands of dollars of lost revenue.

The solution was to implement one additional layer of security that was transparent to the user and unexploitable by the OpenID provider: the application's login screen could only be accessed from within the company's network.

BryanH
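The extra layer BryanH describes, restricting the login screen to the company's network, written out as an added example (not code from the answer). The internal ranges and the trusted reverse proxy are constructed assumptions; the edge case it handles is that an X-Forwarded-For header is only believed when the request comes from a known proxy, since otherwise an outside client could simply claim an internal address.

```python
import ipaddress

# Constructed assumptions: the company's internal ranges and the single reverse
# proxy whose X-Forwarded-For header we are willing to believe.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.10.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to check. X-Forwarded-For is honoured only when the
    TCP peer is a trusted proxy; from anyone else it is attacker-supplied."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        # The proxy appends the peer it saw, so the last entry is the one it
        # vouches for; earlier entries may have been sent by the client itself.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def login_page_allowed(remote_addr, x_forwarded_for=None):
    """Gate for the OpenID login screen: True only for requests that originate
    inside the company network. Malformed addresses are rejected."""
    try:
        client = effective_client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return False
    return _in_any(client, INTERNAL_NETS)
```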