Is OpenID the future?

Yesterday, I was reading a thread on evolt.org’s thelist, perhaps the oldest community of web designers and programmers around.

The topic of the thread was OpenID, the implementation of which on websites is one of the most contentious issues I’ve seen in a long time. Some of the input from the thread:

I have discovered OpenID,
Here is a link if you haven’t heard of it, http://openid.net/
I am unsure at the moment whether this is a good secure service and I was wondering if any of you folks had any experience with this.

Last I checked, it was going to be too much of a headache for us to implement

I’ve only seen it used on stackoverflow.com, which is even a headache for a user if you don’t habitually authenticate with one of their OpenID providers whenever you surf.

I gazed over the specs and that’s exactly what happens.

Personally, I wouldn’t even bother with it. I think it’s a case of “good ideal, bad implementation”.

Given that Backboard allows you to authenticate with OpenID:

Backboard OpenID log in

and that embedit.in requires you to do so (the buttons for AOL, Yahoo!, and Google are merely shortcuts to the OpenID URLs for those providers):

embedit.in OpenID log in

you might suspect we have something to say about the whole matter. And you’d be right. The way we see it, OpenID fundamentally solves two very important problems while creating one new problem.

Problem solved: Password fatigue

OpenID, while not technically an example of single sign-on, does solve the problem of creating a new password for every site you visit. Since you care about the security of your data, you are using a new, randomly-generated password for each site you visit, right?

Right?

If you are, you have to either write them down somewhere (a security breach if anybody ever finds your desk) or memorize them all, something that’s pretty difficult if you have 130 different accounts like most of us do.

If you’re not, then when somebody finds your password, you suddenly have to change it in a hundred different places, most of which you won’t remember.

The problem is called password fatigue, and it remains one of the more important problems in computer security; even though it is only a social effect, it is perhaps a greater threat to keeping data safe than anything else.

Problem solved: Building a secure login form

Remember what happened to Twitter in January? Someone managed to break into the Twitter accounts of Barack Obama, Britney Spears, Fox News, and Facebook, among others, thanks to two problems.

  1. Twitter’s login form allowed an unlimited number of attempts with no throttling or lockout.
  2. One of Twitter’s administrators had an insecure password.

A dictionary attack isn’t even the only way to compromise the security of a login form. But if you’re not spending your days concentrating on security, you probably haven’t even thought of this one.
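The missing control in the Twitter case above is a failure counter on the login form. The following is an added example, not code from the original post and not Twitter’s or embedit.in’s implementation: a small throttle that counts recent failures per account and per source address in a sliding window, locks an account after a run of failures, and refuses further guesses from a source that is hitting many accounts. It is then replayed over a constructed authentication log. The thresholds, the log format and the addresses are all assumptions made for the example.

```python
"""Login throttling and lockout, replayed over constructed sample log lines.

Added example (not from the original post). Thresholds, window, lockout
duration and the key=value log format are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILURES_PER_ACCOUNT = 5      # assumed: lock the account after 5 failures
MAX_FAILURES_PER_SOURCE = 20      # assumed: higher, because NAT shares addresses
WINDOW = timedelta(minutes=15)    # assumed sliding window for counting failures
LOCKOUT = timedelta(minutes=30)   # assumed lockout duration


@dataclass
class LoginThrottle:
    """Tracks recent failures and decides whether an attempt may proceed."""
    account_failures: dict = field(default_factory=lambda: defaultdict(deque))
    source_failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    @staticmethod
    def _prune(q: deque, now: datetime) -> None:
        # Forget failures that have aged out of the sliding window.
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_locked(self, username: str, now: datetime) -> bool:
        until = self.locked_until.get(username)
        return until is not None and now < until

    def attempt(self, username: str, source: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt; return 'ok', 'denied' or 'locked'.

        A locked account rejects even a correct password until the lockout
        expires, so continuing to guess gains nothing. A source that has
        failed too often is refused regardless of which account it names.
        """
        if self.is_locked(username, now):
            return "locked"
        acct = self.account_failures[username]
        src = self.source_failures[source]
        self._prune(acct, now)
        self._prune(src, now)
        if len(src) >= MAX_FAILURES_PER_SOURCE:
            return "locked"  # source-level throttle, checked before the password
        if password_ok:
            acct.clear()     # a real login resets only the account's counter
            return "ok"
        acct.append(now)
        src.append(now)
        if len(acct) >= MAX_FAILURES_PER_ACCOUNT:
            self.locked_until[username] = now + LOCKOUT
            return "locked"
        return "denied"


# Constructed sample log (not real data): a burst of guesses against one
# account, a correct guess arriving while it is locked, an unrelated user,
# and the real owner logging in after the lockout has expired.
SAMPLE_LOG = """\
2009-01-05T03:00:00 src=198.51.100.7 user=admin result=fail
2009-01-05T03:00:01 src=198.51.100.7 user=admin result=fail
2009-01-05T03:00:02 src=198.51.100.7 user=admin result=fail
2009-01-05T03:00:03 src=198.51.100.7 user=admin result=fail
2009-01-05T03:00:04 src=198.51.100.7 user=admin result=fail
2009-01-05T03:00:05 src=198.51.100.7 user=admin result=ok
2009-01-05T03:10:00 src=203.0.113.9 user=alice result=ok
2009-01-05T03:31:00 src=192.0.2.10 user=admin result=ok
"""


def parse_line(line: str) -> tuple:
    """Split one assumed 'timestamp key=value ...' log line into its parts."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"] == "ok"


def replay(log_text: str) -> dict:
    """Run the throttle over a log and return the decision sequence per user."""
    throttle = LoginThrottle()
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        now, src, user, ok = parse_line(line)
        outcomes[user].append(throttle.attempt(user, src, ok, now))
    return dict(outcomes)


def one_source_many_accounts(n_failures: int) -> str:
    """Constructed scenario: n failures against n different accounts from one
    source, then a correct login from that source. Returns the last decision,
    which shows the source-level throttle acting where per-account counts
    alone would never trip."""
    throttle = LoginThrottle()
    start = datetime(2009, 1, 5, 3, 0, 0)
    for i in range(n_failures):
        throttle.attempt(f"user{i}", "198.51.100.7", False, start + timedelta(seconds=i))
    return throttle.attempt("victim", "198.51.100.7", True, start + timedelta(seconds=n_failures))


if __name__ == "__main__":
    for user, decisions in replay(SAMPLE_LOG).items():
        print(user, decisions)
    print("source throttle after 20 failures:", one_source_many_accounts(20))
```

The two counters deliberately behave differently on success: a correct password clears the account's own failure history, but it does not clear the source's, so a source that has been guessing across many accounts stays throttled even when one guess lands.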

Google and Yahoo! and all of the other OpenID providers have squadrons of people working on this stuff all the time, and you can pretty much guarantee that they can build a better login form than you can.

Problem created: Complexity of user experience

People may not like having yet another password to remember, but at least they’re familiar with the process. When you click the Google button, you’re redirected to google.com, even when you’re trying to use embedit.in. Sure, you can look in the address bar to see that yes, this is in fact from Google, and you can look at the certificate to see that yes, this is secure.

Google OpenID authorization form

But seeing a Google login form for a non-Google site smells exactly like the phishing attacks that hit millions of people every year.

Of course, the alternative interface is even worse: throwing a URL input field at the person using your site will confuse and drive away anybody who isn’t among the most hardcore of web users. 37signals’ Basecamp gets it wrong: they make you read seven screenfuls of instructions to learn how to use OpenID with Basecamp.

Two steps forward, one step back

Only time will tell if typing a different username and password into every site you visit will go the way of the dodo or if the security advantages of an authentication scheme like OpenID will drive its adoption. Seeing it pushed off to the side as the “alternate option for nerds” may do more to hurt its adoption than anything else, since it comes across as discouraging.

For embedit.in, though, we think we’ve integrated it seamlessly enough that it provides a serious boon to anybody using it.

2 Comments »

  1. Jamie Said,

    March 25, 2009 @ 3:52 am

    Two problems I have with OpenID (or implementations of it I’ve seen) - along with your “Two steps forward, one step back” point (which I also think is very valid):

    1) Sites often use OpenID for authentication, but then make you /also/ create a local profile before you can do anything. As a user, it feels like an added extra step of complexity for no reason.

    2) I feel a little uneasy about logging in everywhere with one ‘account’:
    • It gives the provider (AOL or Google, say) yet another way to track my web usage habits.
    • It means that there’s a single point of failure - if someone cracks my password, they can now log in anywhere (I know, this is the same problem as if I use the same password everywhere, but I think that, psychologically, it feels more ‘real’ when the actual sign-in process is also the same).
    • Single point of failure in reverse: what happens in the future if I’m using, say, my AIM account as OpenID everywhere, but I decide I want to delete my AIM account?
    • When my OpenID ID is used as a user name (which is somewhat necessary to allow, given that the alternative is to go the way of my point 1, which is also annoying), it means that anyone who knows my account in one place can now find my account in any other place.

    My logical brain tells me that point 2’s subpoints are mainly just paranoia, but that doesn’t take away the bad feelings.

    I think though that if my point 1 were addressed - i.e. if OpenID worked to the extent that I could just go to a new site, log in, do nothing further, and everything worked, the sheer convenience would probably cancel out my concerns in point 2. As it stands, using OpenID (as a user) on an arbitrary site is often more complex than not using it.

  2. AndrewBoldman Said,

    June 4, 2009 @ 8:39 am

    Hi, cool post. I have been wondering about this topic, so thanks for writing.
