
OpenID: The Web’s Most Successful Failure - marilyn
http://www.webmonkey.com/2011/01/openid-the-webs-most-successful-failure/
======
Splines
The top response on Quora is enlightening:
<http://www.quora.com/What-s-wrong-with-OpenID> (also, it's annoying that I
can't directly link to a response on Quora).

I really agree with the breakdown there. It's an over-engineered solution to a
problem that doesn't really solve it all that well. I also use it to log into
SO and the related sites, but frankly it's a PITA. I don't use OpenID to log
into HN, and I _never_ have to type in my credentials here, since my browser
has the cookie saved.

I also use a password manager, so OpenID doesn't offer any additional security
to me. As for privacy, the potential problems are too abstract for me to
understand. I'm technical, but I don't understand OpenID on a deep level. I'd
hardly expect your casual home user to know this either.

OpenID seems like a product that was designed in a vacuum, and should have had
a stronger vision behind it. It's put together well, but the thing as a whole
just doesn't do what it needs to do.

~~~
pixelcort
Sure you can link to a response:

<http://www.quora.com/What-s-wrong-with-OpenID#ans24870>

~~~
Splines
Thanks. Care to explain how you did that?

I just hovered over everything on that comment, and found out that the date
(of all things!) is permalink-ish.

~~~
pixelcort
I looked at the page using Safari's Web Inspector to find an id that looked
like it represented an answer.

------
lulin
I love OpenID and use it as much as possible. The only problem I have with it
is the URL-as-username approach it takes. When a site asks me for the URL, I
don't use OpenID as I always forget it. If the site asks me to "log in with
Google using OpenID" or something similar I will use it. I don't see how
people say that OpenID is a solution in search of a problem: I DO have the
problem that I don't want to create a new account for every site I use. The
problem is there, and some uses of OpenID really do solve it.

~~~
AndrewDucker
The reason for the URL as username is that OpenID originated on Livejournal,
where users have their own URL (i.e. mine is andrewducker.livejournal.com)

It therefore made sense to use URL endpoints as identifiers, as you could
bounce people to their authorising server incredibly easily. Doing it via
email address would be much harder (where would my email,
andrew@ducker.org.uk, be authorised by?).

It's caught on amongst people who have URLs (bloggers, journallers, etc.). It
hasn't caught on amongst people who don't (everyone else).

------
angdis
OpenID isn't "done" yet. There very much is a market for 3rd party
identification and I think that people will really want some level of
neutrality from their identification provider.

Unfortunately, it seems that facebook is filling that market-- albeit without
the neutrality. I don't like that. It just feels "icky" when I sign-on
anywhere other than facebook using my facebook identity. I might NOT want my
facebook picture to be seen on the sidebar of random websites by my friends. I
don't particularly feel good about facebook monetizing my preferences even if
it is done in an anonymous statistical fashion. Nor do I like that sometimes I
have to worry about what exactly facebook is going to broadcast about me to
the rest of the world or to my friends.

This might be nothing deeper than a superficial perception, but I simply don't
trust facebook with my identity as much as I do OpenID participants.

------
AndrewDucker
Both Livejournal and Dreamwidth use OpenID to allow commentors to claim an
identity. I also use it to log in to Disqus, Hacker News, Slashdot, Stack
Overflow, and a bunch of other sites. Oh, and to leave comments on a bunch of
different blogs.

It's not the answer to everything - but it still works remarkably well for
many.

------
Kilimanjaro
Somebody said it days ago, we should use our email address as openID and every
big email provider should comply with openid standards. Problem solved.

~~~
Kilimanjaro
In the case of google and stackoverflow, instead of using this:

<http://www.google.com/accounts/o8/id>

or <http://www.google.com/profile/kilimanjaro>

which I never remember, how about just providing

username@gmail.com and let gmail.com/openid/username do the magic?

Never put the burden on the user...

------
r00fus
So the real reason it failed is because it was a purely technical solution and
didn't have a canonical usability example?

Or maybe that big sites like Facebook decided it would remove the monetization
opportunities by creating their own universal login?

------
beaumartinez
There's been a lot of talk on OpenID recently; it's nice to see one that
doesn't simply bash it.

TL;DR: OpenID wasn't revolutionary in itself but the idea behind it is.

------
tzs
Here's how I had hoped that OpenID was going to work, when I first heard about
it, but did not know many details. Initial conditions: I have an account at
some OpenID provider, and I do not have accounts at Hacker News, Reddit, or
StackOverflow, and all three of these take OpenID.

1. I decide to sign up for HN. I enter the URL of my OpenID provider. HN
sends me to my OpenID provider, along with something that uniquely identifies
HN.

2. I authenticate to my OpenID provider. It tells me I have not associated an
ID with HN yet. I tell it to create a new one. It creates an ID for me, which
I can name for my convenience, and it assigns a UUID to that ID, say
5F29ADF6-132A-43D0-889E-AD38A48D2419.

3. I'm returned to HN, and HN is given that UUID,
5F29ADF6-132A-43D0-889E-AD38A48D2419, and told that I've been authenticated.
HN sees there is no HN account associated with that, and lets me create one. I
get to pick a name to use on HN. I pick "tzs". HN remembers that "tzs" is
associated with 5F29ADF6-132A-43D0-889E-AD38A48D2419.

4. Next time I come to HN, assuming my cookies have been deleted so I need to
login again, the steps are similar. I tell HN my OpenID provider and go
authenticate there. It sees that I already have associated
5F29ADF6-132A-43D0-889E-AD38A48D2419 with HN, so provides a one click way to
send that ID to HN.

5. Now I decide to sign up at SO. Similar to signing up at HN. When the
OpenID provider says I have no identity associated with SO, I tell it to use the
same identity I use with HN, so 5F29ADF6-132A-43D0-889E-AD38A48D2419 gets sent
to SO. I create my account there, again getting the name "tzs".

6. Finally, I sign up for Reddit. I decide I'll probably not be able to
refrain from staying out of the technical groups there, and will end up in the
politics groups, and will probably make a lot of enemies. I think I want to
keep that identity separate from my more professional/respectable personas at
HN and SO, so I have my OpenID provider generate a new UUID for use with
Reddit: DE982C60-3164-4399-B8E5-C9F84FCE2B21.

7. With each identity I can associate personal information, if I wish, such
as real name, address, phone number, email address, even credit card
information if I dare. When a site sends me to OpenID to login, it can send a
list of what personal information it would like. At my OpenID provider, it
shows me what is being asked for, and I can decide what actually gets sent. It
would have a reasonable system for managing defaults to make this unobtrusive
most of the time.

With this kind of OpenID, I can easily solve the problem that is most
important to me: having one good password to control access to a bunch of
sites, without having to actually give that password to the sites. It is up to
me if I want to use the same identity on multiple sites or not. It is up to me
how much information for an identity I wish to share.

(The low level details in the above are simplified to get the ideas across. In
a real implementation, there would be some kind of public/private key system
involved to identify the user, rather than a simple UUID system, so that one
could reasonably implement a way to let someone move their identities to a
different OpenID provider without having to have HN, SO, and so on all update
things on their end to recognize the new provider).
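
The seven steps in the comment above, sketched as an added example (not code from the thread or from any OpenID implementation): a toy provider that gives each relying party a persona UUID chosen by the user and releases only the attributes the user approves. The class and function names, the JSON assertion layout and the per-site HMAC key (a stand-in for the public/private key system the comment mentions) are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import uuid


class Provider:
    """Toy identity provider for the flow above; all names are hypothetical."""

    def __init__(self):
        self.personas = {}  # persona UUID -> attributes stored on that persona
        self.links = {}     # relying party -> persona UUID the user chose for it
        self.rp_keys = {}   # relying party -> shared key (stand-in for signatures)

    def register_rp(self, rp):
        self.rp_keys[rp] = secrets.token_bytes(32)
        return self.rp_keys[rp]

    def new_persona(self, **attributes):
        pid = str(uuid.uuid4()).upper()
        self.personas[pid] = attributes
        return pid

    def link(self, rp, pid):
        # Steps 2, 5 and 6: the user picks which persona each site sees.
        if pid not in self.personas:
            raise KeyError("unknown persona")
        self.links[rp] = pid

    def login(self, rp, requested=(), approved=()):
        # Step 7: release only fields both requested by the site and approved.
        pid = self.links[rp]
        attrs = self.personas[pid]
        released = {k: attrs[k] for k in requested if k in approved and k in attrs}
        body = json.dumps({"aud": rp, "sub": pid, "attrs": released}, sort_keys=True)
        tag = hmac.new(self.rp_keys[rp], body.encode(), hashlib.sha256).hexdigest()
        return body, tag


def verify(rp, key, body, tag):
    """Relying-party check: assertion is intact and was issued for this site."""
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    return claims if claims["aud"] == rp else None
```

Linking two sites to one persona gives both the same `sub`, while a site linked to a separate persona receives an unrelated one; an assertion issued for one site fails `verify` at any other.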

