I recently ripped standard accounts out of my web app and put in OpenID support with the ability to assign a password optionally in case all your OpenID providers magically go down at once. I'm very sold on some kind of login/password non-proliferation treaty and the general idea behind stopping the DRY nonsense around avatars, favorite books, favorite movies, quotes, yada yada.
I have two problems with OpenID. First, big service providers seem to be offering OpenID but not allowing you to use it on their site. I know the market reason behind this, but that's just disrespectful to users. Until they change this, I don't see it getting enough exposure to convince non-early-adopting mid-tier or low-end sites that they should support it as well.
Second, OpenID doesn't seem to really carry any of that other repetitive profile data with it and only solves the username/password situation. Until more value can be achieved, it seems like finding a good username and trying to sign up for new services before someone takes it isn't that bad.
I just don't see OpenID making it yet. I was hoping Clickpass would make some headway, but that definitely hasn't made it out of the technical circle and I don't see their list of supported sites increasing these past few months which makes me nervous. I also find OpenID hard to explain to people who are actually smart and fairly technical. It seems to fill people with low-level dread and confusion. I try explaining it as "a way to log in to a site using an account you already have at another site." That's the most condensed I can get the explanation.
I'm planning to switch from local avatars to something else. Thanks for the link. I'll check it out.
Regarding OpenID, all the services I've tested with so far don't even return email, let alone anything else. Is this a heavily under-used aspect of the protocol on the provider side?
I also find OpenID hard to explain to people who are actually smart and fairly technical. It seems to fill people with low-level dread and confusion.
This is one of the fundamental reasons why OpenID is a failure. Its complexity-to-utility ratio is way out of whack.
OpenID always reminds me of one of Spolsky's lines:
For some reason most people seem to be born without the part of the brain that understands pointers. Pointers require a complex form of doubly-indirected thinking that some people just can’t do, and it’s pretty crucial to good programming.
What is OpenID? It's a system that asks you, not for a username and password, but for a pointer to a site that wants your username and password. And, lo, Spolsky is right: it causes many, many people's heads to explode.
Nevertheless, if OpenID prevented cancer everyone on Earth would try to figure it out. There'd be special schools to teach it. But all OpenID does is replace usernames and passwords. Most people use the same ones on every site. Or they have cookies turned on so they rarely have to log in, and they use email reminders on those rare occasions when they do. Or they pay their $35 for 1Password and just solve the problem. There are a few use cases that can't be solved like this, but not enough of them to justify the overhead of OpenID for most people.
OpenID might have a future as a coder's tool, like SSH. Coders can learn to use the protocol fairly quickly, and they're more likely to understand the security tradeoffs.
I think Clickpass has the potential to give OpenID a lot of traction among non-early-adopting mid-tier or low-end sites. I gave them some advice along those lines here:
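A simplified simulation of the indirection the "pointer" comment above describes, added here as an example and not code from any of the commenters: the relying party (RP) is handed an identifier URL, resolves it to a provider (OP), and only ever receives a signed assertion back; the password is typed at the OP. The discovery table, the user record and the password are constructed, associations are created in-process rather than over HTTPS, and only the signature base string (OpenID's key-value form), the signed-field list, the return_to check and the nonce check are modelled; the rest of the wire protocol is omitted.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed discovery table: a real RP fetches the identifier URL and reads
# the provider endpoint from its XRDS document or <link> tags.
DISCOVERY = {"https://alice.example.net/": "https://op.example.net/auth"}

def kv_form(fields, signed):
    # OpenID signature base string: "key:value\n" per signed field, "openid." prefix stripped
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)

class Provider:
    """Simulated OpenID Provider (OP): the site that actually holds the password."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.assocs = {}  # assoc_handle -> MAC key shared with an RP
        self.users = {"https://alice.example.net/": "correct horse"}  # constructed

    def associate(self):
        # A real OP hands the key over TLS or Diffie-Hellman wrapped; here it is in-process.
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key

    def checkid_setup(self, request, password):
        # The user authenticates here; the RP never sees the password.
        if self.users.get(request["openid.claimed_id"]) != password:
            return {"openid.mode": "cancel"}
        signed = ["op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle"]
        resp = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": request["openid.claimed_id"],
            "openid.identity": request["openid.claimed_id"],
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            + secrets.token_hex(4),
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.signed": ",".join(signed),
        }
        key = self.assocs[request["openid.assoc_handle"]]
        mac = hmac.new(key, kv_form(resp, signed).encode(), hashlib.sha256).digest()
        resp["openid.sig"] = base64.b64encode(mac).decode()
        return resp

class RelyingParty:
    """Simulated RP: the site you log in to with an account held elsewhere."""

    def __init__(self, return_to):
        self.return_to = return_to
        self.assocs = {}  # op_endpoint -> (assoc_handle, MAC key)
        self.seen_nonces = set()

    def begin(self, claimed_id, op):
        endpoint = DISCOVERY[claimed_id]  # the "pointer" resolves to an OP
        if endpoint not in self.assocs:
            self.assocs[endpoint] = op.associate()
        return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
                "openid.return_to": self.return_to,
                "openid.assoc_handle": self.assocs[endpoint][0]}

    def complete(self, resp):
        """Verify the OP's assertion; return the claimed identifier or None."""
        endpoint = resp.get("openid.op_endpoint")
        assoc = self.assocs.get(endpoint)
        signed = resp.get("openid.signed", "").split(",")
        required = {"op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"}
        if (resp.get("openid.mode") != "id_res" or assoc is None
                or assoc[0] != resp.get("openid.assoc_handle")
                or not required <= set(signed)
                or any("openid." + k not in resp for k in signed)):
            return None
        expected = hmac.new(assoc[1], kv_form(resp, signed).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(resp.get("openid.sig", ""))):
            return None  # forged or tampered assertion
        if resp["openid.return_to"] != self.return_to:
            return None  # assertion was issued for a different RP
        if DISCOVERY.get(resp["openid.claimed_id"]) != endpoint:
            return None  # this OP is not authoritative for that identifier
        nonce = (endpoint, resp["openid.response_nonce"])
        if nonce in self.seen_nonces:
            return None  # replayed assertion
        self.seen_nonces.add(nonce)
        return resp["openid.claimed_id"]

def run_login(password="correct horse", tamper=None, replay=False):
    """Drive one login end to end; tamper edits the assertion before verification."""
    op = Provider("https://op.example.net/auth")
    rp = RelyingParty("https://rp.example.com/openid/return")
    resp = op.checkid_setup(rp.begin("https://alice.example.net/", op), password)
    resp.update(tamper or {})
    first = rp.complete(resp)
    return rp.complete(resp) if replay else first
```

`run_login()` returns the verified identifier; a wrong password, a replayed assertion, an edited claimed_id or a return_to belonging to another site all come back as None, which is the part of the protocol that makes the "pointer" safe to follow.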
I don't understand most of the arguments centering around "single point of failure."
Not too long ago I was a victim of partial identity theft; somebody gained access to my credit card information and started making random charges. My credit card was a single point of failure for my finances. It took me a long time to figure this out and to fix it considering I was stuck in Afghanistan at the time, but a phone call and explanation to American Express is all it took to get my card reissued and the charges removed.
You can't do this when you're using passwords. If somebody compromises your "strong" password and changes the password at important sites before you find out, you're pretty much screwed. You could use "I forgot my password," but that same password is likely on your e-mail, so forget that.
With OpenID, there are fixes for this. Say, for instance, the ability to completely disable it if you've used it recently and have the browser cookie. Okay, so now you can't get to your bank account, but neither can the person using your OpenID. You could then use some sort of other verification method to ensure you're the actual owner and reset it.
But forget all this; consider probability! An SSN is basically a single point of failure for your identity; it identifies you specifically and could not possibly represent somebody else. That doesn't mean that the military actually worries about the fact that your SSN is used for everything, including signing into chow. I can't even fathom how many thousands of documents out there have my Social on them. The reason they don't care is because being a victim of identity theft is pretty rare, even when hundreds or thousands of people see your SSN every single day.
I don't understand most of the arguments centering around "single point of failure."
Part of the problem is that the terminology is misleading. You can, in fact, have multiple "single points of failure".
A better term is "central point of failure". Your email account is a central point of failure -- once it is compromised, an energetic black hat can use "forgotten password" links all over the web to compromise many other things. (Assuming that your usernames are guessable, which they often are.)
If you only have one central point of failure, it's also a "single" point of failure. Unfortunately, once you link a bunch of logins to your OpenID provider it becomes a second central point of failure. The black hat can compromise a slew of accounts by either getting your OpenID password or your email password.
Now, at some point, mud is mud, and you can't make it muddier by dumping mud on it. And, at some point, insecure is insecure, so it really may be silly to object to OpenID on central-point-of-failure grounds, because you've already got an even bigger problem with email. But I think it depends on the details. And, at best, you're playing for a tie: "OpenID -- at least as secure as the insecure thing you're using now" is not a great rallying cry.
I don't know your specific situation, but most people use password-based sites that have an "I forgot my password" feature that authenticates based on email. Thus most people have a single point of failure already: their email account.
If there's a security question I use a string of random characters as the answer and don't record it (which effectively disables the feature on most sites).
You're right about email being central to authentication on the Web. This makes it important to protect.
Do you use different passwords on every site? I have three tiers of passwords I use depending on how much I care about the site in question. I can do the same thing with OpenIDs, although most of the sites that support OpenID in the first place fall into the lowest tier of necessary security.
The flip side is that putting all your auth in one basket makes it worth spending money to protect it. Unfortunately, I don't see any OpenID providers other than VeriSign doing this.
I would say "a typical web user" uses the same passwords or slight variations on at least 3 different sites... That being said, I wouldn't want my OpenID hacked... (single point of failure). Are they at least demanding strong passwords?
One aspect that's been overlooked is that single sign-on is only the beginning of what OpenID makes possible. Once you've got an identity that you can use across website boundaries, all kinds of network effects open up.
A common identity would be powerful, but also dangerous, for the same reasons people oppose national ID systems. I notice that by default Clickpass creates separate OpenID URLs for the different sites you authenticate to.