OpenID – The Good and Bad

    February 20, 2007

I’ve had some interesting conversations with people lately regarding OpenID. What is OpenID?

It’s one login/password for every site that supports it. As you may have noticed, we’ve implemented it here in the comments, and soon you will have to have an OpenID in order to leave a comment. Microsoft tried to do this with Passport years ago, and many websites, including eBay, tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn’t work out. TypeKey is a similar system, and they’ve done a pretty good job, but there still isn’t widespread adoption. Part of the problem with Passport and TypeKey is that each is a centralized system. OpenID, for better or for worse, is a decentralized authentication system.

Most of us have agreed that it would take some really big websites implementing OpenID for it to really gain some traction. Today Kevin Rose announced that Digg is moving to OpenID to authenticate users. As usual, we are ahead of the curve and have already done so. Try to keep up, Kevin. Even bigger than Digg would be WordPress implementing OpenID as part of the core package. That would surely launch it into the mainstream. Then again, there would be almost no need for their Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)

Unfortunately, it’s not all roses. Here are 11 reasons OpenID rocks and sucks.

Here are 5 reasons why I think OpenID Rocks:

1) One ring to rule them all – why wouldn’t you want one sign-in across all blogs?

2) Bye-bye comment spam.

3) Verify who is actually making comments. Fake Matt Cutts and Jason Calacanis comments are common, which means verifying IPs or other time-consuming checks whenever such well-known people really do comment.

4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.

5) De-centralized authentication leaves no single player holding all the cards.

Here are 6 reasons why OpenID sucks:

1) It is (as yet) too complicated for the average website owner to implement.

2) The security implications of this type of cross-site authentication haven’t been fully explored.

3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

4) Too confusing for users. "OK, I want an OpenID. Wait... what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?"

5) Hackish implementations. For example, the WordPress plugin actually creates local WordPress users behind the scenes. In my opinion, this is an unacceptable hack.

6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity provider’s authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IdP provides strong auth, then the OpenID is as secure as that link in the chain.
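As an added example covering points 3 and 6 above (this is not code from the original post and not any OpenID library’s API), here is relying-party logic that keeps "the assertion checked out" separate from "we know who this is": it normalizes the claimed identifier, accepts any verified login, but attaches a real name only when the identifier is on a hand-maintained list and the assertion came from a provider the site trusts. The hostnames, identities and endpoint are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed table (hypothetical values): real-world identities the blog owner
# has vouched for by hand, keyed by the exact OpenID identifier each person
# proved control of. An identifier not listed here gets no name, only a URL.
KNOWN_IDENTITIES = {
    "http://alice.myopenid.example/": "Alice Example",
}

# Constructed allowlist (hypothetical hostname) of provider endpoints whose
# assertions may back a "verified" label. Anyone can run a provider, so an
# assertion from an unknown one is accepted for login but never for a name.
TRUSTED_OP_ENDPOINTS = {
    "https://www.myopenid.example/server",
}

def normalize_identifier(raw: str) -> str:
    """Normalize a user-typed identifier the way OpenID 2.0 normalizes URL
    identifiers: add http:// if no scheme, lowercase scheme and host, drop
    the fragment, and use "/" for an empty path. XRIs (=name, @name, ...)
    are passed through with any xri:// prefix removed."""
    s = raw.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in "=@+$!":
        return s
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def classify_commenter(claimed_id: str, op_endpoint: str, assertion_verified: bool):
    """Decide what a comment form should show for an OpenID login.

    assertion_verified is the result of the protocol-level check (signature or
    direct verification with the provider) that an OpenID library performs.
    Returns (status, label) where status is "reject", "authenticated" or
    "verified"; only "verified" may display a real name."""
    if not assertion_verified:
        return ("reject", None)
    ident = normalize_identifier(claimed_id)
    name = KNOWN_IDENTITIES.get(ident)
    if name and op_endpoint in TRUSTED_OP_ENDPOINTS:
        return ("verified", name)
    # A valid assertion only proves control of the URL (or of a provider the
    # URL delegates to), not who is behind it, so show the identifier itself.
    return ("authenticated", ident)
```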

Want an OpenID? Get one here
