
The Killer App for OpenID - buckpost
http://www.markevanstech.com/2008/02/15/the-killer-app-for-openid/
======
mechanical_fish
Somebody is wildly confused: a site which needs to aggregate login information
for several dozen other sites, each of which gives it permission to use only
_some_ features and not others, is a killer app for _OAuth_ , not OpenID.

OpenID might play a role in the OAuth-enabled World of the Future, but I kind
of doubt it. I think OpenID will continue on its current trajectory to the
bottom of the sea. I'm still waiting for evidence to the contrary.

This suggested use case is not the evidence I'm looking for. It is touchingly
naive. It is a little _too_ retro. Like telnet and rlogin, this use case is
designed for the primordial world of the 1970s, when all users were brothers,
and the snake had not yet visited Eden, and Delirium was still Delight. You're
encouraged to put all your keys in one basket, and _then_ you're encouraged to
share that basket freely with sites like PageOnce. Presumably you should also
drop acid.

The funniest thing about this "killer app" is the implicit notion that
financial sites like banks will implement OpenID within the next decade. That
will be a cold day in hell. Even sites like _Blogger_ don't really support
OpenID logins yet, and who is trying to rob _Blogger_?

~~~
bct
You're probably right that this killer app isn't, but I don't think OpenID's
future is as bleak as you're making it out to be.

Your email address is already a single basket for all your keys, or at least
all the keys to locks with "I forgot my password" mechanisms.

That Blogger doesn't support OpenID suggests nothing about its security.

~~~
mechanical_fish
_Your email address is already a single basket for all your keys..._

Yes, painfully true, and if OpenID _solved_ this problem I would be marginally
more excited about it. However, "OpenID is no less secure than what we do now"
is an excuse, not a selling point.

_That Blogger doesn't support OpenID suggests nothing about its security._

Well, I don't know why Blogger doesn't support it. But I have a guess. I don't
think it's merely about security; it's more fundamental than that. It's about
_control_.

Once you implement OpenID logins, the security, reliability, and
confidentiality of your site's authentication procedure is out of your hands.
You can't improve your login security: the provider controls that. You can't
improve your site's reliability beyond a certain point: when a provider goes
down, a certain percentage of your users go down, too. You can't protect your
traffic data: the OpenID providers are inevitably collecting samples of who
logs in to your site and when.

If the administrator of an OpenID provider goes rogue and sells the password
file to the Romanian mafia, you can't fire the guy. You probably can't even
sue him. You'll probably never even know there was a security breach. You
probably don't even know that your site depends on his. But when a user's
login on your system is compromised, who do you think is going to get the
phone calls, to say nothing of the lawsuits? Do you really think that you're
going to tell your angry users "I'm sorry; security is out of my hands; talk
to your OpenID provider" and expect them to go away happy?

And what's the payoff? You're adding moving parts to your system, decreasing
your reliability and increasing your tech-support costs, and for what? The
alternative -- using usernames and passwords -- is well understood, and well
established, and is something that you'll have to support _anyway_ for the
foreseeable future. How much additional money is OpenID _really_ going to
bring in?

If OpenID does become widespread I predict that it will be in the form of a
handful of "trusted" providers whose IDs are universally supported. On most
sites, you'll get to choose between using your Facebook ID, your Google ID,
your Microsoft ID, your Verisign ID, and an ID from the site's trusted network
of partners. (Of course, there will be dozens or hundreds of these partner
networks -- so much for "one universal ID"). In other words, it will be
Microsoft Passport 2.0, only with extra market confusion and the nice
reassuring word "Open" in the name.

~~~
bct
That it's no less secure than what we do now is not a mark against it, though.

Giving up control can be a good thing. I don't need to keep up to date on
password hashing techniques, or worry about sending passwords in the clear.

As a user, I can improve my login security unilaterally; I can use a hardware
token without every site I use needing to implement support for it. As a user,
sites that want as much control as you seem to scare me.

I think it's too early to say what the marketing/tech support/social effects
will be. Clearly nobody is going to use OpenID for Really Important Stuff in
the near future, but there are a lot of use cases between toys and RIS.

Your last paragraph coming true is a very real risk, and it would disappoint
me tremendously. In the meantime, I think that OpenID shows a lot of promise.

edit: We're coming at this from different angles. OpenID will first be adopted
by (is being adopted by) small sites that don't care about the things that you
do. Bug trackers, wikis, forums, blogs, sites like this one. Once it's well
established there, then we can start talking about the kind of sites you're
talking about.
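
The two positions above (mechanical_fish: once you accept OpenID logins, the provider controls authentication and you cannot see what it did; bct: a user can add a hardware token at the provider without any site changing) turn on the same fact about the protocol, so here is an added example that is not part of the thread. It shows what an OpenID 2.0 relying party actually checks in a positive assertion: that the required fields are covered by openid.signed, and that openid.sig is base64(HMAC(association secret, key-value form of those fields)), as the spec defines. The OP endpoint, return URL, association secret and identities are constructed sample values; the signing helper stands in for the provider side.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 positive assertion: the OP lists the signed field names in
# openid.signed, serialises those fields in key-value form ("name:value\n",
# in that order) and puts base64(HMAC(assoc_secret, kvform)) in openid.sig.
# HMAC-SHA1 goes with an HMAC-SHA1 association, HMAC-SHA256 likewise.

# Fields the spec says MUST be covered by the signature (claimed_id and
# identity whenever they are present in the response).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")

# Constructed sample values; a real secret comes from the association
# handshake with the OP and a real RP stores one per assoc_handle.
ASSOC_SECRET = b"constructed-sample-association-secret"
RETURN_TO = "https://rp.example/openid/return"


def kv_form(params, signed_names):
    """Serialise the signed fields in the order openid.signed lists them."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_names)


def sign_assertion(params, assoc_secret, digest=hashlib.sha1):
    """Provider side: sign the listed fields and attach openid.sig."""
    signed_names = params["openid.signed"].split(",")
    mac = hmac.new(assoc_secret, kv_form(params, signed_names).encode("utf-8"), digest).digest()
    signed = dict(params)
    signed["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return signed


def verify_assertion(params, assoc_secret, expected_return_to, digest=hashlib.sha1):
    """Relying-party side: mode, return_to, signed-field coverage, HMAC.
    Nothing in here says how, or whether, the OP authenticated the user;
    the RP only learns that whoever holds the association secret vouches
    for claimed_id."""
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.return_to") != expected_return_to:
        return False
    signed_names = params.get("openid.signed", "").split(",")
    if any(field not in signed_names for field in REQUIRED_SIGNED):
        return False
    try:
        expected = hmac.new(assoc_secret, kv_form(params, signed_names).encode("utf-8"), digest).digest()
        presented = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (KeyError, ValueError):  # a listed field is missing, or sig is not base64
        return False
    return hmac.compare_digest(expected, presented)


def build_assertion(claimed_id, nonce):
    """A constructed id_res response, before signing."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-constructed-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }


def demo():
    genuine = sign_assertion(build_assertion("https://alice.example/", "2008-02-15T12:00:00Zabc"), ASSOC_SECRET)
    # An attacker without the secret cannot swap the identity in transit.
    tampered = dict(genuine, **{"openid.claimed_id": "https://bob.example/"})
    # Anyone holding the association secret (a rogue OP admin, or whoever
    # ends up with the OP's key material) mints an assertion for any
    # identity, and the RP accepts it exactly like the genuine one.
    forged = sign_assertion(build_assertion("https://bob.example/", "2008-02-15T12:00:01Zdef"), ASSOC_SECRET)
    return {
        "genuine": verify_assertion(genuine, ASSOC_SECRET, RETURN_TO),
        "tampered": verify_assertion(tampered, ASSOC_SECRET, RETURN_TO),
        "forged_with_op_secret": verify_assertion(forged, ASSOC_SECRET, RETURN_TO),
    }


if __name__ == "__main__":
    print(demo())
```

The same blindness cuts both ways: because the RP sees only the signed fields, the provider can switch a user from a password to a hardware token without the RP changing a line, and the provider can also be compromised without the RP ever seeing anything but valid signatures. A production RP additionally records response_nonce values to reject replays and falls back to check_authentication when it holds no association for the handle.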

------
Readmore
There is no killer app for OpenID, it's a tech looking for an audience, and
the audience doesn't care. The browser is your OpenID, you tell it to save
your logins and it keeps them all for you safely on your computer, not up on
some server owned by a company you don't know.

~~~
bct
The browser can be your SSO, but OpenID is more than that.

And if you're not comfortable using an OP run by somebody else, you can run
your own.

