Hacker News
Poll: Do you have an OpenID?
25 points by cmelbye on Nov 27, 2009 | 42 comments

I'm reconsidering the authentication that I'm using in my Rails application, and I have a simple question for you all: Do you have an OpenID?

My application is targeted to developers, so the response here should be similar to what it would be for potential users of my web application (I'd think).

Remember that services like Google, Yahoo, AIM, etc. are OpenID providers, so if you have an account with them, you have an OpenID.

Thanks!

Yes, and I know my identifier
221 points
Yes, I know I have one provided by Google, Yahoo, etc but I don't know the identifier
131 points
No, I don't have an OpenID and I will not get one.
28 points
No, I don't have an OpenID but I might consider getting one
19 points
Yes, but I wouldn't want to actually use it to register/login for a site.
18 points



The idea behind OpenID is great. The user experience of using OpenID is so bad that even as a technically-inclined person I can't work up the motivation to use it.


From a user standpoint, OpenID has little to offer to me usually. Most sites have a simple enough registration (email and password) that it really isn't that much easier to use openid in its place. To add to the confusion, Google and Yahoo have long identifiers, and you must use a separate button to login with them.

From a website owner standpoint, it's so hard to implement, both technically and conceptually (tying into my site's regular registration flow) that it just convolutes the process for the user.

For example, as far as I know since the last time I attempted implementing openID, the only info I am guaranteed to receive from an openID identified user is their identifier. So if my site collects email addresses or any other info, I would have to have them enter that anyways.

In most cases OpenID registration actually takes longer, just so the user can use one account password.


Why is that? I have my own OpenID (using phpMyID) as well as ids from various places and I have had almost no problems using it.

The biggest trouble was when I tried to associate multiple IDs with my StackOverflow.com account -- ended up they had a bug and it was fixed within a day.


The point is you took the time to figure it out.

My browser keeps my login state and I don't want to figure something out to replace something that works pretty well.


Maybe the integration with the browsers (like shown in this mockup of Firefox: http://www.azarask.in/blog/post/identity-in-the-browser-fire...) is the solution.


OpenID solves a problem I don't have using an approach I don't want with a troubling restriction (no functional revocation) and all while ignoring better solutions (password keepers) that are already available.

And the "don't delegate to somebody you don't trust" model? Even the most trustworthy of companies can implode and reboot and sell off all sorts of data on their users.

Sure, I can delegate. Not.

I have my own OpenID server. I don't use it.


I refuse to know my identifier, or care what an identifier is (though I think it's a URL).

I do not believe anything more than an email address and service-specific password should be sufficient to authenticate me - like StackOverflow uses with their OpenID setup.

If a site asks me my OpenID URL or identifier or other thing, I don't bother, as it's too much work.


Yes, I have one, and I know my identifier. No, I don't like using it, and, given the choice, don't use it.

I toyed with the idea of adding OpenID to my various projects, but haven't, and don't intend to, but my apps are targeted towards a different audience than yours.


Like yourself, I have one and don't use it. Main reason is that I can never remember the identifier.

That is OpenID's big flaw... How many average web users do you know that remember a url? Most of them head to google to find sites they know well.

This is why facebook connect and the like are more popular; they are easy.


Have a look at JanRain's RPX - http://rpxnow.com. Makes it very easy to deploy OpenID and equally easy for end users to login using an OpenID, plus Facebook Connect, LiveID, Twitter, etc.


Yes, and it's running on my domain :P


Ditto.

And the provider implementation is my own, running on a server I have physical access to, with a self-signed certificate.


There is a variation you need to consider: even if I have an OpenID, I may not want to use it.


Seems like a common sentiment; I've added a new choice at the bottom.


I keep seeing all these comments from folks here that they "can't be bothered," that "it's too much trouble," and so on, and I really want to hear an explanation of why.

I mean, if I'm registering at a new website, it seems considerably easier to enter one item -- my OpenID identifier -- and then be immediately verified, rather than go through the "enter email address -> get confirmation email -> click on confirmation link -> choose new password -> hope that the site is compatible with Firefox's password manager so I don't have to enter it every time" treadmill for each site.

So, explain to me, what makes you complain so much about using an OpenID?


Why implement something that people don't think is valuable? When I try to explain the concept of OpenID to 'average' internet users they don't know why it's better than what they normally do. And honestly, I really don't have an answer for them because I personally don't like OpenID either.

I think StackOverflow is a good example of how confusing it can be. Their wall of possible ways to login is very confusing. Yes, I actually have accounts with ALL those sites listed... but which one did I setup for StackOverflow? If I pick an OpenID provider that wasn't associated with StackOverflow it starts to create a NEW account for me. Not what I wanted!

In the end, an Email and Password with my browser remembering it works just fine.


How is picking the wrong OpenID provider any different than entering an incorrect email and password, because you have multiple email addresses and you couldn't remember which one you used?

Were you aware that you can associate multiple OpenIDs with one account at StackOverflow?

Do you ever use a computer that does not store your passwords for you?

Would a standard OpenID-remembering feature in your browser help change your mind?


Every site that decides they want to support OpenID now becomes yet ANOTHER option to login with.

I also prefer email because I have a set of spam/anonymous addresses I can use to test sites that I don't trust quite yet with my real information. Having spam/anonymous OpenID accounts would be a real mess to manage.

StackOverflow lets me pick a max of two OpenIDs. But why not instead let me specify an infinite number of verified email addresses to login with instead?

I'm not sure if one of the goals of OpenID is to show that I'm the same user across multiple sites. That's a feature I'm sometimes interested in with certain sites and sometimes absolutely not interested in with others.


Your last point is exactly why I avoid OpenID authentication.


Setting up an OpenID account:

  1. finding software (I chose phpMyId, which is relatively easy to install and use)
  2. installing software (in case of phpMyId unpacking a file)
  3. configuring software (in case of phpMyId editing index.php)
  4. (optional) setting up delegation by editing an HTML file

(I don't have, nor want, gmail. I don't have, nor want, a Yahoo account. I don't have, nor want, etc.)

Registering on a site which doesn't have OpenID is three steps, or five when e-mail addresses are involved:

  1. enter username
  2. enter password
  3. (sometimes) enter e-mail address
  4. hit submit
  5. (sometimes) click link in e-mail message

5 can be cumbersome when kmail isn't running, but usually it's already running.

Registering at an OpenID site:

  1. enter OpenID URL
  2. (sometimes) enter e-mail address
  3. hit submit
  (3a. wait for OpenID redirect which is annoying and usually results in being
       distracted)
  4. hit "OK" on browser authentication dialogue (asked for by phpMyId, browser
     saved password)
  5. (sometimes) verify e-mail address

Logging in on normal site:

  1. press Opera's "Log in" button, which auto-fills the login form and submits it.

Logging in on OpenID site:

  1. enter OpenID url (auto-completed, but still requires a switch from mouse to
     keyboard)
  (1a. usually wait for redirect etc.)
  2. press "OK" on browser authentication window

It's usually slower to use, it requires more thought on my part, and it makes it more annoying to keep multiple identities around. Cumbersome.


I assume that you also operate your own mail daemon, and therefore won't use delegation to MyOpenID for the same reason?

Also, were you aware that, for instance, on Facebook, you are automatically logged in whenever you are also logged in to your OpenID provider?


Why are my posts in this thread being downmodded for asking questions about OpenID usability?


Because there are voting arrows next to each and every post that say "Make a judgement on this post!"

If you give people an opportunity to make a judgement, some will always take it, regardless of whether a judgement makes sense or not.

And that's one of the reasons I don't want to use OpenID.

The internet is full of this braindead social shit. It's only a question of time until somebody comes up with the idea to aggregate all the meaningless karma across many sites. And it's only a question of time until that super karma score is quoted on your resume together with how many "followers", "friends" or other kind of nonsensical internet money you have accumulated ... by hook or crook.

Gaining insight, asking questions, having a debate, making judgements, pushing an agenda, feeling good about judging others without making a case for or against anything. These things all get mixed up relentlessly in these primitive voting schemes.

And not even the smart people who make this website seem to realise what an intellectual mess their Frankenstein game theory is. Or maybe they do but still think it's worth it.

I disagree. The filtering effect of all these voting schemes is next to worthless. It creates more perverse incentives than positive ones. It's getting totally out of control. Millions of people are morphing into one man/woman cynical self marketing machines collecting fake internet money.

I'm waiting for the world's first karma inflation crisis :-)


Have you read Cory Doctorow's "Down and Out in the Magic Kingdom?" I think you'd like it.


If you use a Yahoo/Google OpenID, the user doesn't need to know the identifier (or anything else for that matter) - you use a fixed URL (https://www.google.com/accounts/o8/id for Google), Google/Yahoo handles the sign in and sends them back.

I'm currently building an app that relies solely on OpenID for user auth. I chose to enable only these sites, so that (a) users are not required to supply/complete a URL, and (b) there isn't the "which OpenID did I use this site?" when a user returns to it after a while.


You're not using OpenID if you do this, you're using Google's id.

It's fine if that's what you expose by default, but you really do need to give the user a checkbox or something so they can input their own if they have one. I have an OpenID I use everywhere, if I come to one of your sites and end up using my google ID instead it will cause me nothing but frustration and end up being less secure.

In fact I'd probably not login to your site because of this if I didn't have a compelling reason to do so.


I'm using Google ID, but the technology that enables this is OpenID. It's just under the hood, which IMHO is where it should be. Most users have no idea what OpenID is, and are confused when they are asked for a URL in order to sign up.

Even for an OpenID-savvy user, why would it be frustrating or less secure to login via Google? If someone got my Gmail password, sites like mine would be the least of my worries.


Because my preferred openid provider uses client-side SSL certs to authenticate me, google doesn't. Part of the point of openid is it allows me to implement security procedures you haven't thought of without making me beg every site I use to do things the way I want.


Because I don't have a google account. But I do run my own openid provider.


I'd say that's an edge case, but still - sites that don't support OpenID would require you to create a login. This method basically asks you to create that login with Google instead, which is more secure than most of these sites.


This is still OpenID.

Google uses a singular URL for all identities that OpenID consumers use to discover the true user identity, which is unique per user per consumer domain.


If it only accepts google logins, then it doesn't matter if google is using openid as the mechanism -- you can't say you use openid logins. It's like if I said that my application supports CSV, but you have to provide it as an Excel file.


Actually, google has just begun to use your profile URL, using that 'Vanity URL' business. If you turn vanity urls on, your OpenID identifier will be like so: http://google.com/profiles/<your-google-login>

I have used it and logged on to stackoverflow.com. It does work.


You're right - but for my apps I don't think I'd support these, for the same reasons.


We've done that by using RPX (https://rpxnow.com/). It's awesome - users with Google/Facebook/Twitter/Yahoo accounts don't have to remember their URL and more savvy users can use whatever OpenID they want.


First time I hear about RPX - looks interesting.


Yes for personal use (really just Basecamp). No for app development...

I always use Facebook Connect (via Facebooker plugin) over OpenID authentication. The adoption rate and viral advantages of Facebook are unmatched.


Unfortunately, OpenID is still broken on HN. Changing an existing account to use OpenID doesn't work. After the initial login at ClickPass, I get transferred to this page: http://news.ycombinator.com/openid_merge (which doesn't exist).


I use Google Apps for my domain and have OpenID running on my domain using it. Here's how: http://jeremiahlee.com/blog/2009/09/28/how-to-setup-openid-w...


http://aaron.justaaron.com/

I hope openid becomes mainstream some day, I really like logging in once, and I really like being able to log in to a new site without having to register.


Wow, this sure got bumped way off of the front page quickly ;-)

Thanks for voting and commenting, this has given me a really good idea of what direction I should go in when I revamp my application's authentication.


Thanks to stackoverflow...



