
Coding Horror: Your Internet Driver's License - nicola
http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
======
patio11
I am not sanguine on the idea, but the _marketing_ for the idea is beyond
terrible. The IDL is a leaky abstraction because the most salient features of
drivers licenses are a) you have to apply to the government to get one, b) the
government can take yours away with as much ease as they can do anything else,
and c) if you lose your license, you will be denied the ability to use one or
more critical goods/services (driving).

That is what your mother thinks of when she hears Driver's License. _Why on
earth_ would that be the branding you pick for OpenID or federated
authentication? You are practically trolling your own idea at that point!

Observe the kinds of things people are going to say about any federated
identity scheme which you call a License:

"Jeff Atwood thinks the government should be able to take away your Facebook
account! He's fascist!" "I didn't say that!"

"Jeff Atwood thinks your mom shouldn't be allowed on the Internet until she
stops calling it 'the Googles'! He's an elitist bastard!" "I didn't say that!"

"Jeff Atwood thinks that if you get kicked off a WoW server you should lose
your Gmail account. He's in bed with corporate interests!" "I didn't say
that!"

~~~
rmc
Perhaps a more accurate metaphore would be "Internet Passport". Government's
can't take it away and it has no real entitlements. However Jeff Atwood is
from the USA which has a strangley low number of passport holders. Perhaps
they are used to using a driving licence instead of passport as general ID.

~~~
anamax
> However Jeff Atwood is from the USA which has a strangley low number of
> passport holders.

It's not strangely low; Americans can travel to far more than the equivalent
of the EU without one. (We can go to all 50 plus Canada and Mexico.)

~~~
simonsarris
I am under the impression that we can no longer go to Canada without a
passport.

:(

Edit: Since June 2009.

~~~
WildUtah
You can't go to Mexico without a passport either. You can't come back without
one, anyway.

The US Gov does now issue passport cards which are a form of national ID card
that allows citizens back in at international LAND borders. You should ask for
one when you apply for your passport; they're nice to carry in your pocket
when you're abroad and the full passport is safely locked away.

------
necolas
I was hoping this article would touch on the issues raised in the "Open ID is
a nightmare" article - [http://blog.wekeroad.com/thoughts/open-id-is-a-party-
that-ha...](http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-
happened) \- rather than restating the conceptual basis for using Open ID
authentication systems

~~~
ghurlman
Or even _link_ to that article; it was clearly the motivation behind this
post.

------
waterhouse
> _It always pained me greatly that every rinky-dink website on the entire
> internet demanded that I create a special username and password just for
> them. ... For the vast, silent majority of normals, who know nothing of
> security but desire convenience above all, this means one thing: using the
> same username and password over and over. And it's probably a simple
> password, too._

> _This is the status quo of identity on the internet. It is deeply and
> fundamentally broken._

What I do is, I have a couple of hard passwords that I use for email and
Dropbox and important services like that, and then I have a couple of stupid
usernames and passwords that I use and re-use and re-use for services whose
security I don't care about. (I've arrived at this strategy after years of
using the internet.)

A couple of times, I have actually tried to register an account with my usual
username, found that the name was taken, wondered "Hmm, did I already create
that account?", tried logging in with the usual password, and found that the
login worked. "Oh, yeah, now I remember making that account..." I took this as
a good sign, that I wasn't wasting brainspace on that login.

I think my strategy works fine for dealing with "a dozen websites who all want
a username and password", given that only one or two of them are critical. And
therefore I'd question the need to change, as opposed to people figuring out a
strategy like mine and passing on the idea. Also, currently, anonymous
throwaway accounts are easy to create; would it be that way if sites required
something like OpenID? (I guess if the idea is just to reduce password
complexity for customers, then sites could just add OpenID as a secondary
means of logging in--rather than having it be the sole means--and you could
still make throwaway accounts. Note that I don't know anything about OpenID;
maybe there is a way to do anonymous throwaways within OpenID.)

~~~
city41
I do this too. This system fails pretty badly when you encounter a site that
insists on certain formats for their passwords. For example not allowing
special characters.

Generally that's a red flag and I just don't use the site, but I don't always
have that luxury. The service my company uses for performance evaluations has
this limitation. Hmmm, a website I go to at most 3 times a year, requires a
significantly complex password due to the site's nature, and yet won't let me
use special characters making all my memorized "hard" passwords impossible?
Yup, I have to request a new password everytime I visit it. Very annoying.

------
drdaeman
I miss the point why we really need some sort of "identity providers" when
it's _we_ who possess _our own_ identities.

It's the login-password pairs which are inconvenient (and, a lot of time,
insecure) part out there. So, logically, the straight answer seem to be to get
rid of this part in favor of something more usable, users can possess to prove
their identities. For example, improving browser support for public-key crypto
and key storage (think HTML5 <keygen> element). However, world has gone in a
completely different direction, created "identity providers", who now actually
_possess_ users' identities (so you don't own your identity anymore), and, as
a result, introduced more failure points to the auth process.

OpenID is neat and convenient when done right, but it was just a protocol
invented to sign comments at other persons' blogs. It was never meant for
personal identity management and architecturally lacks a lot of important
points for that. XRIs may be considered some sort of solution for that
(I-numbers are guaranteed to be persistent), but still feel somehow wrong.

~~~
wvenable
> However, world has gone in a completely different direction, created
> "identity providers"

That's because the question answered wasn't: "How do we solve the problem of
user identity on the web?" The actual question answered was: "How do we solve
the problem of user identity on the web _using web services_?" Once you define
the problem that way, OpenID becomes the logical best solution. However, it's
hardly the best way to do it in any general sense.

------
mechanical_fish
If I went to a party or a meetup where they asked to check my ID at the door
I'd probably just walk out and never come back. I don't like parties run by
the socially inept. Who asks their friends for an ID card?

I'm willing to show my ID at bars and airports, to cops, and when opening bank
accounts, because it's the law. And at least most of these venues have excuses
-- banks want to link large amounts of your money to your ID, so they need to
make sure they've got it right; cars are deadly weapons; alcohol is a
potentially deadly drug. (The airlines? They really love nontransferable
tickets with big change fees. And security theater. And, uh, did we mention
that it's the law?)

But in general nobody asks for your ID unless they have a good reason. And I
just don't see a good reason why my as-yet-nonexistent Stack Overflow karma
needs to be linked to any other aspect of my identity.

At least I have a straightforward answer to my question: No, the Stack
Overflowers will not give me the simple username and password that I want.
It's against their religion. Good to know. I'll ask again five years from now.

~~~
codinghorror
No need to log in; it is possible, and always has been possible, to
participate as a cookie-based user indefinitely.

We have some users that juggle cookie based accounts for as long as a year.
And as of about 6 months ago we can reinstate your cookie on the "forgot my
login" form, provided you gave us a valid email address to start with (we
don't validate emails).

------
jasonkester
Driver's License is the wrong metaphor for OpenID. If you had an Internet
Driver's License, it would be your email address. You always have that with
you at all times.

OpenID is more like a Von's Club card. An inconvenient scrap of plastic that
would just take up space in my wallet so it gets left at home. Every time I go
into a Vons, I have to ask the cashier for a new one and it pisses me off that
little bit, just like every time I go to StackOverflow I need to dig though my
email to figure out what OpenID provider I used to sign up for my account
there.

Just like the Grocery Store Discount card, where I find myself more driving
out of my way to go to a store that doesn't make me use one, I generally don't
bother with sites that want me to dig out my OpenID just to use them.

~~~
WesleyJohnson
Just curious: why use more than one OpenID account in the first place? I've
genuinely never understood why people would do that. Am I missing something?

~~~
nborgo
With all the little icons, I generally forget which one I clicked in the first
place. Then I remember that I used Google's, but forget which email address.
It's not so much forgetting because I have a bunch of OpenID accounts, it's
that I don't use it enough to remember the one that I do use.

Just give me the "Save username and password" option in Firefox and I'm happy.

~~~
wvenable
Have your saved username and passwords sync to the cloud, and you'll be even
happier. Jeff is still beating a still-born horse here -- yes, a problem
exists, but OpenID is the wrong solution.

------
forgotAgain
If you want to have freedom then you have to accept that a free life is a
messy life.

I don't support centralized internet ID systems for the same reasons I don't
support a national identity card: it's a central point of control that will
inevitably be used by the government against its citizens and corporations for
profiling and targeting all of us.

As much as it may appeal to the tech mind to have things in nice little boxes
this is a terrible and dangerous idea.

~~~
akmiller
That's why, in theory, I like OpenID. It's decentralized, anyone can be a
provider, and I still choose when logging into your site which provider you
should use to validate my credentials.

------
jarin
I'm not sure he's talking about a _separate_ "Internet ID" that should exist.
I think he's talking about websites adopting OpenID and/or OAuth as
authentication methods, with a smaller number of trusted entities as
authorities (Facebook, Twitter, Google, MyOpenID, Verisign, etc).

I'm not sure where people are getting this idea that he's talking about
creating a new concept called an Internet Driver's License. He's just trying
to encourage service providers to adopt OpenID/OAuth instead of traditional
logins.

~~~
pbhjpbhj
Oauth .. I just went to check it out,
<http://alicious.com/img/OAuth_1290599253386.png>

Ironic.

------
dionysiac
IMO, A big danger of implementing centralized authentication across multiple
sites is that will make social engineering schemes aimed at stealing a user's
credentials more plausible and effective.

I know that systems such as OpenID and others perform authentication directly
between the user and thetrusted provider (google, facebook, twitter, etc), and
that the site ends up with a one-time token that confirms the user's identity.
The site requesting authentication never gets the actual password to the
openID account, which makes this approach viable in a technical security
sense.

But here's the thing: _general users are getting used to entering their
centralized credentials to perform actions on untrusted sites_. Technical
users understand the design. We can confirm that, yes, TwitScoop does indeed
direct us to twitter.com/oauth/... (no HTTPS, but that's another story).

Regular users posting a comment on a blog, though, don't see any difference
between giving their credentials to a trusted Google login site and entering
their credentials into some form on a blog.

If, for example, logging in with Facebook credentials becomes common, it would
be trivial to create a rogue blog which collects login information. Fill it
with a few incendiary posts, possibly create an official-looking Facebook
login page that doesn't display its URL, and it would be possible to capture
quite a few sets of credentials.

~~~
codinghorror
I think phishing is a more generalized problem; blaming OpenID or OAuth 2.0
for that is like blaming the weather.

------
HaloZero
Isn't one of the main benefits and best things about the internet is
anonymity? Obviously FB and Twitter have information about my real identity,
but why would Instapaper, or Reddit? Having a global login takes away that
anonymity.

~~~
AndrewDucker
Anonymity (or pseudonymity) is fine, but it's not even in my top ten favourite
things about the internet.

------
gregschlom
tl;dr: Jeff Atwood says websites should offer OpenID or OAuth authentication.

edit: ok, the sarcasm in this comment may justify it being downvoted, but can
someone kindly explain what is being said in this article apart from: "having
many logins/passwords for each site is not nice, we should all support
OpenID/OAuth"? Because I really don't see any other piece of information.

~~~
mooism2
Take this with a pinch of salt, because I didn't downvote your comment, but
your comment doesn't add anything to the article. It's just noise and doesn't
advance discussion.

~~~
gregschlom
Fair enough. I guess the merit of this article is to create the opportunity
for this discussion.

Reminds me of someone (can't really find who now) who said a few months ago
that HN is like going out for a movie and a dinner. The value of it isn't
really the movie and the dinner, but the opportunity of discussions it
creates.

So... yeah :)

------
fbcocq
I have all my logins saved in Firefox and there's not one site I'm using where
Firefox is able to autocomplete OpenID details, it forces me to enter my ID,
leave the page, authenticate with OpenID, go back and submit. It needs to
either die or get way more convenient than this.

------
stoney
The problem is, a lot of the time I _don't want_ my various internet IDs
linked together - I want something more like the coffee club loyalty card for
each website I visit. I definitely don't want facebook knowing which sites I
use (frankly I don't trust them enough) and I'm not too keen on Google knowing
either.

The crucial difference between a drivers license and some kind of centralised
internet ID is that anyone can verify a drivers licence with a reasonable
degree of accuracy - they don't need to contact the government each time to
see if it's genuine.

With an internet ID the provider gets to collect a lot of information about me
and what I'm doing (not saying they would, just saying they could), which
makes me nervous.

------
sayemm
I love the title "Internet Driver's License" - it's an analogy that I'm very
fond of, but Open ID won't be the solution for this for the same reason the
semantic web has never really gained any serious traction.

It takes private companies w/ consumer interests in mind to achieve that sort
of global scale and user adoption. In this case, namely Facebook.

------
lwhi
I don't like the idea of having one identifier which can be used to tie
together all information about me - because linked data provides an
unwarranted amount of power to people who have access to it.

I think 'an internet drivers license' would basically become an ID card.

~~~
jomohke
Your email address probably already links all of your online accounts.

Unlike an ID card you can have as many OpenID accounts as you wish – they can
be freely created just as easily as email addresses. The solution is the same
as for email: Give a different account to each site.

~~~
lwhi
That's true - and the identifier token sent as verification can vary as well
iirc.

------
brandnewlow
Isn't the point of asking you to provide some credentials for a new site
usually so they can use that contact info to push products at you in the
future? An internet driver's license (and OpenID) defeat those purposes.

------
misterm
Wow, something from coding horror where he isn't trying to sell us something?

------
maxklein
You really have to be behind the times to still be advocating OpenID.
Technology is made up of alternatives, and one wins. No matter how much you
love something, if it's dead, it's dead, now move on.

Every hyped technological product has a a short window in which to dominate,
and if it does not, it will remain confined to a nice. That's the case with
OpenID. It's over, the battle is lost. Same goes for RSS, DRMed music, Django,
etc.

The coding horror guys made a poor technological decision. Instead of just
giving up, they are doubling down on it. That's not very clever.

~~~
mcantor
Huh? I'm confused. I still log in to all sorts of places with my Google
account, including Hacker News. And... RSS is dead? _Django_ is dead? I'm
getting the sinking feeling that I'm being trolled right now, but...

Source?

~~~
rbanffy
Must be a new Slashdottism... The "BSD is dead" joke would, someday, get
old...

------
hardik988
"The whole online identity situation may seem as impossible as peace in the
Middle East at this point."

I hardly expect such comments from guys like Jeff.

------
jpr
Something about using one set of credentials for a bunch of unrelated sites
rubs me the wrong way.

I think it has something to do with what commenter Kevdog said:

> Here's where the driver license analogy breaks down: I have physical control
> over my license, it stays with me. No one can lose my license for me.

~~~
jomohke
You can be fully in control of your own OpenID if you want. Just host it on
your own domain/server.

Or even easier: use delegation. Add some meta tags to the header of your blog
(or any HTML page under your control), and sign up for sites using your blog
URL as your OpenId.

See an example at my domain (the content is currently blank, but the meta tags
are in the source code): <http://jmh.id.au>

I can sign up anywhere by typing in 'jmh.id.au', and it uses myopenid.com for
login. If for some reason I didn't trust myopenid.com I can change providers
by editing that page. So I'm not tied to any one provider.

~~~
patio11
I have multiple problems with this answer.

The first is practical: you are not qualified to run OpenID on your server.
Really, you're not. I'm not and I have actually implemented both OpenID
providers and Relying Parties for clients before, at the old day job. If you
run OpenID, you are exposed to every threat your OpenID provider is currently
vulnerable to _in perpetuity_ , unless you make it your mission in life to
stay up to date on OpenID security. The people who actually _do_ that missed a
timing attack which compromised the security of nearly every OpenID-using
system on the Internet. You will _not_ do better than they did.

The second reason this is bad advice is because OpenID has a feature which
should make it unnecessary: delegation, which lets you nominate any OpenID
provider on the Internet as "your" provider. You are theoretically able to
change that after having done it, so if you want to move your identity from
Google to Yahoo you can. _Delegation is a misfeature_. It makes the OpenID
spec roughly ten times more difficult to understand than it already was. Very
few people implement delegation correctly -- of particular notice, very few
_relying parties_ implement it correctly, which means that when you come back
in a few years with the same OpenID but a different underlying provider they
have _no recollection of you at all_. That is a pretty bad failure mode for a
federated authentication system, and many relying parties coded by smart
people walk straight into it.

Then we come to the real meat of the matter: for an authentication system to
be useful, you have to be able to use it without being able to implement it.
OpenID is a user experience _nightmare_ for non-technical users. Just the
experience of actually logging in is bad enough. It also teaches your users to
fall for phishing attacks against their holiest of holy credential, because
every sane person uses OpenID through their email provider and OpenID teaches
you that you can go to any random site, the screen is going to flash, and then
you should type in your email address and password. This is phishing heaven,
and losing one's email account means you lose practically your entire online
identity (banks accounts, domain names, Google AdWords accounts, etc etc) even
before OpenID explicitly makes your email king of all credentials.

~~~
Robin_Message
I'm getting some cognitive dissonance here, since the grandparent says _[I]
use delegation_ and you say not to run your own server and to use
delegation...

Anyway, is delegation going to get better, or should I not bother setting it
up and just stick to using the same password for all my non-interesting sites?
In particular, is it the site I delegate to, or the site I am authenticating
myself to, or both, that can screw it up?

~~~
jomohke
Sorry, that confusion was my fault: I posted the first line of my reply, and
then realised I should mention delegation, so I edited it in. He must have
loaded the page between the two.

