

OpenID: A Contrarian View - pbnaidu
http://webworkerdaily.com/2008/05/21/openid-a-contrarian-view/

======
justindz
I recently ripped standard accounts out of my web app and put in OpenID
support with the ability to assign a password optionally in case all your
OpenID providers magically go down at once. I'm very sold on some kind of
login/password non-proliferation treaty and the general idea behind stopping
the DRY nonsense around avatars, favorite books, favorite movies, quotes, yada
yada.

I have two problems with OpenID. First, big service providers seem to be
offering OpenID but not allowing you to use it on their site. I know the
market reason behind this, but that's just disrespectful to users. Until they
change this, I don't see it getting enough exposure to convince non-early-
adopting mid-tier or low-end sites that they should support it as well.

Second, OpenID doesn't seem to really carry any of that other repetitive
profile data with it and only solves the username/password situation. Until
more value can be achieved, it seems like finding a good username and trying
to sign up for new services before someone takes it isn't that bad.

I just don't see OpenID making it yet. I was hoping Clickpass would make some
headway, but that definitely hasn't made it out of the technical circle and I
don't see their list of supported sites increasing these past few months which
makes me nervous. I also find OpenID hard to explain to people who are
actually smart and fairly technical. It seems to fill people with low-level
dread and confusion. I try explaining it as "a way to log in to a site using
an account you already have at another site." That's the most condensed I can
get the explanation.

~~~
tlrobinson
OpenID does have support for other profile data:
<http://openid.net/specs/openid-attribute-exchange-1_0.html>

Also, for simple avatar sharing, check out <http://gravatar.com>

~~~
bct
Or more in the spirit of decentralization, <http://pavatar.com/>

~~~
justindz
I'm planning to switch from local avatars to something else. Thanks for the
link. I'll check it out.

Regarding OpenID, all the services I've tested with so far don't even return
email, let alone anything else. Is this a heavily under-used aspect of the
protocol on the provider side?
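Added example, not code from any commenter in this thread: the two messages tlrobinson's Attribute Exchange link describes, as a relying party would build and consume them. The request side appends the `openid.ax.*` fields to the checkid_setup redirect; the response side reads the provider's `fetch_response` and, the point justindz's question skirts, keeps only attributes that the provider actually signed. The attribute type URIs are the published axschema.org ones; the sample response dict is constructed for the example and assumes the HMAC over `openid.signed` has already been verified by the normal OpenID 2.0 flow.

```python
"""OpenID Attribute Exchange 1.0: build a fetch_request, parse a fetch_response.

Example added by the editor; not part of the thread or of any OpenID library.
Assumes the caller has already verified the OpenID 2.0 signature over the
fields named in openid.signed (via an association or check_authentication).
"""
from urllib.parse import urlencode

AX_NS = "http://openid.net/srv/ax/1.0"

# Attribute type URIs from the public AX schema at axschema.org.
AX_TYPES = {
    "email": "http://axschema.org/contact/email",
    "nickname": "http://axschema.org/namePerson/friendly",
}


def build_fetch_request(required=(), if_available=()):
    """Return the openid.ax.* parameters to merge into a checkid_setup request."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias in (*required, *if_available):
        params[f"openid.ax.type.{alias}"] = AX_TYPES[alias]
    if required:
        params["openid.ax.required"] = ",".join(required)
    if if_available:
        params["openid.ax.if_available"] = ",".join(if_available)
    return params


def parse_fetch_response(resp):
    """Return {type_uri: [values]} for AX attributes covered by openid.signed.

    Anything not listed in openid.signed is dropped: an extension field that the
    provider did not sign could have been appended by whoever controls the
    return_to redirect, so it carries no more weight than a form field.
    """
    signed = set(resp.get("openid.signed", "").split(","))

    def is_signed(key):
        return key[len("openid."):] in signed

    # The provider picks its own namespace alias for AX; it need not be "ax".
    alias = None
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == AX_NS and is_signed(key):
            alias = key[len("openid.ns."):]
            break
    if alias is None:
        return {}

    prefix = f"openid.{alias}."
    mode_key = f"{prefix}mode"
    if resp.get(mode_key) != "fetch_response" or not is_signed(mode_key):
        return {}

    out = {}
    for key, type_uri in resp.items():
        if not key.startswith(f"{prefix}type.") or not is_signed(key):
            continue
        attr = key[len(f"{prefix}type."):]
        count_key = f"{prefix}count.{attr}"
        if count_key in resp:
            # Multi-valued attribute: value.<attr>.1 .. value.<attr>.N
            if not is_signed(count_key):
                continue
            value_keys = [f"{prefix}value.{attr}.{i}"
                          for i in range(1, int(resp[count_key]) + 1)]
        else:
            value_keys = [f"{prefix}value.{attr}"]
        values = [resp[k] for k in value_keys if k in resp and is_signed(k)]
        if len(values) != len(value_keys):
            continue  # part of the attribute is missing or unsigned: drop it all
        out[type_uri] = values
    return out


# Constructed positive assertion, as the provider would redirect it back to us.
# The nickname attribute is deliberately absent from openid.signed to model an
# injected, unsigned field.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example.org/",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": AX_TYPES["email"],
    "openid.ext1.value.email": "alice@example.org",
    "openid.ext1.type.nickname": AX_TYPES["nickname"],
    "openid.ext1.value.nickname": "admin",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.mode,ext1.type.email,ext1.value.email",
}

if __name__ == "__main__":
    print(urlencode(build_fetch_request(required=("email",), if_available=("nickname",))))
    print(parse_fetch_response(SAMPLE_RESPONSE))
```

Marking an attribute as `required` only tells the provider the relying party wants it; the AX spec does not oblige the provider to return it, which is consistent with justindz's observation that many providers return nothing. Treat every attribute as optional on the parsing side and fall back to asking the user.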

------
tdavis
I don't understand most of the arguments centering around "single point of
failure."

Not too long ago I was a victim of partial Identity Theft; somebody gained
access to my credit card information and started making random charges. My
credit card was a single point of failure for my finances. It took me a long
time to figure this out and to fix it considering I was stuck in Afghanistan
at the time, but a phone call and explanation to American Express is all it
took to get my card reissued and the charges removed.

_You can't do this when you're using passwords._ If somebody compromises your
"strong" password and changes the password at important sites before you find
out, you're pretty much screwed. You could use "I forgot my password," but
that same password is likely on your e-mail, so forget that.

_With OpenID, there are fixes for this._ Say, for instance, the ability to
completely disable it if you've used it recently and have the browser cookie.
Okay, so now you can't get to your bank account, but neither can the person
using your OpenID. You could then use some sort of other verification method
to ensure you're the actual owner and reset it.

_But forget all this; consider probability!_ An SSN is basically a single
point of failure for your identity; it identifies you specifically and could
not possibly represent somebody else. That doesn't mean that the military
actually _worries_ about the fact that your SSN is used for _everything_ ,
including signing into chow. I can't even fathom how many thousands of
documents out there have my Social on them. The reason they don't care is
because being a victim of identity theft is pretty rare, even when hundreds or
thousands of people see your SSN every single day.

~~~
mechanical_fish
_I don't understand most of the arguments centering around "single point of
failure."_

Part of the problem is that the terminology is misleading. You can, in fact,
have _multiple_ "single points of failure".

A better term is "central point of failure". Your email account is a central
point of failure -- once it is compromised, an energetic black hat can use
"forgotten password" links all over the web to compromise many other things.
(Assuming that your usernames are guessable, which they often are.)

If you only have one central point of failure, it's also a "single" point of
failure. Unfortunately, once you link a bunch of logins to your OpenID
provider it becomes a _second_ central point of failure. The black hat can
compromise a slew of accounts by _either_ getting your OpenID password _or_
your email password.

Now, at some point, mud is mud, and you can't make it muddier by dumping mud
on it. And, at some point, insecure is insecure, so it really may be silly to
object to OpenID on central-point-of-failure grounds, because you've already
got an even bigger problem with email. But I think it depends on the details.
And, at best, you're playing for a tie: "OpenID -- at least as secure as the
insecure thing you're using now." is not a great rallying cry.

------
pg
I use Clickpass all the time to log into News.YC now. I didn't think I was
going to, but it's so much easier just to click on the orange button.

------
extantproject
I don't use OpenID because multiple accounts would be compromised if my single
set of OpenID credentials were compromised. This seems like a bad idea.

~~~
brlewis
I don't know your specific situation, but most people use password-based sites
that have an "I forgot my password" feature that authenticates based on email.
Thus most people have a single point of failure already: their email account.

~~~
extantproject
If there's a security question I use a string of random characters as the
answer and don't record it (which effectively disables the feature on most
sites).

You're right about email being central to authentication on the Web. This
makes it important to protect.

------
redorb
I would say "a typical web user" uses the same passwords or slight variations
on at least 3 different sites... that being said I wouldn't want my OpenID
hacked... (single point of failure) are they at least demanding strong
passwords?

------
bct
One aspect that's been overlooked is that single sign-on is only the beginning
of what OpenID makes possible. Once you've got an identity that you can use
across website boundaries, all kinds of network effects open up.

~~~
brlewis
A common identity would be powerful, but also dangerous, for the same reasons
people oppose national ID systems. I notice that by default Clickpass creates
separate OpenID URLs for the different sites you authenticate to.

~~~
bct
You're still free to have multiple identities though, which is very different
from a national ID.

