Website owners need them to identify users. No, actually, to authenticate users so that we can make their actions accountable.
Recently the Gawker compromise showed us once again a major issue with each site storing user accounts & their passwords. The sad fact is that most people are as dumb as Nick Denton. I am... I mean I was, until this ownage.
I bought into the view almost a decade ago that sites should not store user passwords and have long wished for centralized / distributed user authentication. I've always wanted an international federated single sign on solution. It is why user journey 1.1 insists on the use of OpenID.
What I've found interesting is the conversations which have happened as a result of this latest compromise.
To answer the most immediate question of "isn't having to register and log into many sites a big problem that everyone has?", I will say this: No, it's not. Regular normal people have a number of solutions to this problem. Here's some of them:
- use the same username/password for multiple sites
- use their browser's ability to remember their password (enabled by default)
- don't register for the new site
- don't ever log in to the site
- log in once, click "remember me"
- click the back button on their browser and never come back to the site
These are all perfectly valid solutions that a regular user finds acceptable. A nerd will wrinkle up his nose at these solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways. On the security angle, no one is going to adopt a product to solve a problem they don't care about (or in many cases, even understand).
I hate to agree with him but he is right about the normal person. It's not on their radar. But the argument is flawed.
Sure, people don't care. Neither do most people care about insurance. In fact most people probably have no idea about the particulars of their insurance contracts. Do not lie and claim you even understand the lingo used in the terms and conditions. You MUST have read it before you signed, right? However most people understand that they need it.
What people do understand is that when their house burns down, they get burgled, they crash their car, they lose their job, they need an operation, etc., their insurance will cover them. That is when insurance becomes important: when you need it. Insurance is security in case things go wrong. Single Sign On (OpenID) can be seen the same way.
Mr Wong has a point when he states about OpenID:
Proponents are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.
I find it hard to argue with most of that. The way OpenID works via re-directs more often than not sucks. Without proxies like Janrain's Engage (formerly RPX) I find the whole OpenID authentication process reminds me of Banzai's Mr. Shake Hands Man. When will this handshaking / signup end!
This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?? Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead??
Not only that, but in the cases where OpenID has been implemented without the third-party proxy login, the technical complexity behind what is going on in terms of credential exchange and delegation is so opaque that even extremely sophisticated users cannot easily understand it (I have literally had some of Silicon Valley's best engineers tell me this). At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users.
Even when the process is well designed, like on the Stack Overflow family of sites, it still in the worst case scenario involves:
- request sign up on site A
- site A asks you to authenticate with 1 of 10 site B's (or your own if you want)
- re-directed to site B (you hope)... darn, you're not logged in yet on site B.
- you need to log into site B (possibly on the dedicated OpenID page of site B, a page you're not familiar with)
- what were you doing again?
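The handshake just listed, as an added example that is not part of the original post: a small Python simulation with site A (the relying party) and site B (the identity provider) as separate objects, passing the redirect URLs back and forth the way the browser would. The hostnames, the shared secret, the user record and the assertion format are constructed stand-ins for real OpenID (which negotiates the secret through an association step rather than hard-coding it). Running it makes two things explicit that the list above only implies: the password is typed at site B and nowhere else, and site A accepts nothing but a freshly-nonced, signed assertion, so a replayed or edited redirect is rejected.

```python
# Added example (not from the post): a minimal simulation of the redirect
# handshake between site A (relying party) and site B (identity provider).
# Hostnames, the shared secret and the user record are constructed.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Stand-in for the association secret that real OpenID sets up between A and B.
ASSOC_SECRET = b"constructed-association-secret"
REQUIRED_SIGNED = {"identity", "nonce", "return_to"}


def _canonical(fields, signed):
    """Serialise the fields named in `signed` (comma-separated), in that order."""
    return "\n".join(f"{k}:{fields[k]}" for k in signed.split(",")).encode()


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class IdentityProvider:
    """Site B: the only party that ever sees the user's password."""

    def __init__(self):
        # Constructed user store; salted SHA-256 stands in for a real password hash.
        self._salt = b"constructed-salt"
        self._users = {"alice": hashlib.sha256(self._salt + b"correct horse").hexdigest()}
        self.sessions = {}  # session cookie -> username

    def login(self, username, password):
        """Site B's own login page (the extra hop in the post). Returns a cookie or None."""
        digest = hashlib.sha256(self._salt + password.encode()).hexdigest()
        if hmac.compare_digest(self._users.get(username, "x"), digest):
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = username
            return cookie
        return None

    def handle_checkid(self, url, session_cookie):
        """Browser arrives from site A. Without a B session the user must log in
        first; with one, B signs an assertion and redirects back to return_to."""
        params = _query(url)
        user = self.sessions.get(session_cookie)
        if user is None:
            return "login_required", url
        fields = {"identity": user, "return_to": params["return_to"], "nonce": params["nonce"]}
        signed = ",".join(sorted(fields))
        fields["signed"] = signed
        fields["sig"] = hmac.new(ASSOC_SECRET, _canonical(fields, signed), hashlib.sha256).hexdigest()
        return "redirect", params["return_to"] + "?" + urlencode(fields)


class RelyingParty:
    """Site A: never learns the password, only a signed statement of who logged in."""

    def __init__(self):
        self.provider_endpoint = "https://site-b.example/openid"  # constructed
        self.return_to = "https://site-a.example/openid/return"   # constructed
        self.pending = {}  # nonce -> True, consumed when the browser returns

    def start_login(self):
        """Build the redirect that sends the browser off to site B."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = True
        return self.provider_endpoint + "?" + urlencode({"return_to": self.return_to, "nonce": nonce})

    def finish_login(self, url):
        """Verify B's assertion: fresh nonce, our return_to, required fields signed,
        signature valid. Returns the identity, or None if anything is off."""
        params = _query(url)
        if not self.pending.pop(params.get("nonce", ""), False):
            return None  # unknown or replayed nonce
        if params.get("return_to") != self.return_to:
            return None
        signed = params.get("signed", "")
        if not REQUIRED_SIGNED <= set(signed.split(",")) <= set(params):
            return None
        expected = hmac.new(ASSOC_SECRET, _canonical(params, signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, params.get("sig", "")):
            return None
        return params["identity"]


def run_flow(password, already_logged_in_at_b=False):
    """Walk the browser through the handshake; returns (hops, identity or None)."""
    site_a, site_b = RelyingParty(), IdentityProvider()
    cookie = site_b.login("alice", password) if already_logged_in_at_b else None
    hops = ["A: sign-up requested, redirecting to B"]
    url = site_a.start_login()
    status, next_url = site_b.handle_checkid(url, cookie)
    if status == "login_required":
        hops.append("B: no session, showing B's own login page")
        cookie = site_b.login("alice", password)
        if cookie is None:
            hops.append("B: login failed, flow stops here")
            return hops, None
        status, next_url = site_b.handle_checkid(url, cookie)
    hops.append("B: signed assertion, redirecting back to A")
    identity = site_a.finish_login(next_url)
    hops.append("A: accepted " + identity if identity else "A: rejected assertion")
    return hops, identity


if __name__ == "__main__":
    for hop in run_flow("correct horse")[0]:
        print(hop)
```

The hop list is the friction the post complains about: four stops when the user has no session at site B, three when they do. The nonce bookkeeping in `finish_login` is what keeps a bookmarked or captured return URL from logging anyone in a second time.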
There really needs to be a solution with less friction. I really like Greg Raiz's suggestion.
The browser should know who I am. The browser should also know how much information I've agreed to share with any particular site. Yes, junior privacy is important. The website should never know my true password. Think of it like Facebook Connect. Perhaps "Browser Connect" where the browser will log you in.
I'd have concerns about enabling this on my work machine's browsers, not to mention I'd have to lock my screen EVERY TIME (although I could auto lock my machine using my phone as a proximity sensor).
While I wait for the above solution to materialize I think I'll keep advocating OpenID. It's not perfect but compared to the alternative I'm much happier with it than without it.