Too OpenID or Not to OpenID

User accounts are a pain in the ass.

Website owners need them to identify users. No, actually, to authenticate users, so that we can hold them accountable for their actions.

Recently the Gawker compromise showed us once again a major issue with each site storing user accounts and their passwords. The sad fact is that most people are as dumb as Nick Denton. I am... I mean, I was, until this ownage.

I bought into the view almost a decade ago that sites should not store user passwords, and have long wished for centralized / distributed user authentication. I've always wanted an international federated single sign-on solution. It is why user journey 1.1 insists on the use of OpenID.

What I've found interesting is the conversations which have happened as a result of this latest compromise.
Yishan Wong states "OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have". That's a touch harsh in my opinion. He writes in his blog post:

To answer the most immediate question of "isn't having to register and log into many sites a big problem that everyone has?," I will say this: No, it's not. Regular normal people have a number of solutions to this problem. Here's some of them:

  • use the same username/password for multiple sites
  • use their browser's ability to remember their password (enabled by default)
  • don't register for the new site
  • don't ever log in to the site
  • log in once, click "remember me"
  • click the back button on their browser and never come back to the site

These are all perfectly valid solutions that a regular user finds acceptable. A nerd will wrinkle up his nose at these solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways. On the security angle, no one is going to adopt a product to solve a problem they don't care about (or in many cases, even understand).

I hate to agree with him, but he is right about the normal person. It's not on their radar. But the argument is flawed.

Sure, people don't care. Neither do most people care about insurance. In fact most people probably have no idea about the particulars of their insurance contracts. Do not lie and claim you even understand the lingo used in the terms and conditions. You MUST have read it before you signed, right? However, most people understand that they need it.

What people do understand is that when their house burns down, they get burgled, they crash their car, they lose their job, they need an operation etc. their insurance will cover them. That is when insurance becomes important: when you need it. Insurance is security in case things go wrong. Single sign-on (OpenID) can be seen the same way.

Mr Wong has a point when he writes about OpenID:

Proponents are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.

This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else?? Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead??

Not only that, but in the cases where OpenID has been implemented without the third-party proxy login, the technical complexity behind what is going on in terms of credential exchange and delegation is so opaque that even extremely sophisticated users cannot easily understand it (I have literally had some of Silicon Valley's best engineers tell me this). At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users.

I find it hard to argue with most of that. The way OpenID works via redirects more often than not sucks. Without proxies like Janrain's Engage (formerly RPX), the whole OpenID authentication process reminds me of Banzai's Mr. Shake Hands Man. When will this handshaking / signup end!

Even when the process is well designed, like on the Stack Overflow family of sites, the worst case scenario still involves:

  • request sign up on site A
  • site A asks you to authenticate with one of ten site Bs (or your own if you want)
  • you're redirected to site B (you hope)... darn, you're not logged in to site B yet
  • you need to log in to site B (possibly on the dedicated OpenID page of site B, a page you're not familiar with)
  • what were you doing again?

There really needs to be a solution with less friction. I really like Greg Raiz's suggestion:

The browser should know who I am.  The browser should also know how much information I've agreed to share with any particular site. Yes, junior privacy is important.  The website should never know my true password. Think of it like Facebook Connect. Perhaps "Browser Connect" where the browser will log you in.

If only this could be true NOW. Sure, there are security issues with empowering the browser even further. How would it work in an Internet cafe, on a shared home machine or at a university?

I'd have concerns about enabling it in my work machine's browsers, not to mention I'd have to lock my screen EVERY TIME (although I could auto-lock my machine using my phone as a proximity sensor).

While I wait for the above solution to materialize, I think I'll keep advocating OpenID. It's not perfect, but compared to the alternative I'm much happier with it than without it.


About this Entry

This page contains a single entry by Chief Chair Dancer published on December 26, 2010 4:24 AM.
