I like it. It's like email, but for logging into websites. (I can run my own server, or I can use someone else's. That is how the Internet is supposed to work.)
I use it (only for StackOverflow) but I don't think it's better or worse than normal logins. Sometimes it's a pain because I always have to do extra clicks to get logged in.
Sorry, I'm not willing to put that much (any) effort into improving my OpenID experience. I just don't care that much. I find plain logins simpler, but will use OpenID if a site wants me to.
The benefit for me is that you get to choose who stores your password. A random website may store my password plaintext, I have no way of knowing -- so I am forced to use different passwords for each site, and manage them some way.
Ofcourse, I _know_ this, but in general, users don't know and don't care. So, OpenID actually makes the web a safer place for inexperienced users, which is I think is rather important.
Except the phishing aspects make it worse for inexperienced users, since an arbitrary website can redirect to a page that asks for a potentially more sensitive username/password, and that's actually considered normal flow.
I don't understand how anyone can promote OpenID in good conscience with this glaring hole in the design. You simply can't rely on user education.
I've been saying this the whole time and nobody seems to view it as a serious problem. Sure, there are users who will use the same username and password on every site, and there's no hope for them. However, there is a class of users who might think with openid they can use the same credentials for their bank as they do for facebook, but not know to check for valid ssl certificates and nefarious proxying.
Can someone who doesn't believe the phishing potential is real please tell me why? What am I missing?
A better question would be, for those of you who implement OpenID, Facebook Connect, etc. What's the customer percent breakdown against doing it the old fashioned (email & password) way?
In fact, FB connect is pretty much the antithesis of openid. Openid is open, federated and gives user control. FB connect is closed, centralized and basically allows FB to play big brother.
In fact, a ton of the code that runs the site itself is fully open source: http://developers.facebook.com/fbopen/ That's mind-blowingly impressive. I still don't believe more people don't know about this or seem to care.
Oh I know and use a lot of their open source software but what has that got to do with fb connect?
"FB connect" is a session management and authentication product from facebook. I find it obnoxious. It is pretty much literally the antithesis of openid. FB open source: good, FB connect: horrible.
I initially wasn't too impressed by OpenID, but I was sold by the third site I got to use my login. It's value is really tied to the adoption by sites.
It's especially nice on small blogs: you don't have post anonymously if you are averse to signups.
The only option for those of us that use it is "use it on a daily basis". Pretty weak options.
I am always happy when I can use OpenID on a site. It's a really low barrier and guarantees that I won't leave at the sign up form. The only reason I don't use it every day is because the sites I visit every day don't support it.
Choosing separate usernames and passwords for each site allows you to form only bilateral trust relationships with all those sites. OpenID requires multilateral trust, which is more complicated.
I'd much rather have "login with openid" rather than seeing "login with twitter ; login with facebook ; login with posterous" or whichever subset of sites any random service thinks is most valuable to support.
The great thing about login/identity/authentication standards is that there are so many to choose from. Didn't we learn the first time around with web browser capabilities to avoid this kind of fragmentation again?
Having a single URL that I can rely on for all my stuff on the web is going to be amazing...when it finally happens. OpenID provides the authentication component in that dream, which is key, but there is much more potential in URL-based services beyond SSO and solving 'the password problem'.
I like to keep a list of my accounts on the web and OpenID would automate this task for me, if it weren't for the fact that most websites where I maintain an account do not support OpenID or do not make full use of OpenD (i.e. they link an OpenID URL to a traditional email/username and password based account account).
As most websites that do support it — that I use — require a traditional email/username and password based account and I've yet to encounter a website that required me to have OpenID to make full use of functionality, to me, an OpenID account is the extra account I have to keep track of.
I just started using it yesterday, but I'm not quite happy. My reservation is not due to technological reasons, but to bad business models or lack of features.
Gravatar support is, for example, a feature I'd like to get from my OpenID provider. After all, my image belongs to my identity.
Next, with a single identity comes also privacy concerns. Automatically generated disposable E-Mail addresses for each new sign-up would be nice to have, in my opinion.
Privacy concerns, however, are also related to the most common business models of these providers: It seems, nearly all of them want to display or sent me advertising. Or they want to be able to improve their advertising displays.
Can't they just ask for, say, US$29 or US$39 a year?
Then, I'd also need some sort of easy Identity transfer. If I switch providers, for example, the new one should be able to ask the old one for all the data and notify the consumers about the switch. Otherwise, the transaction costs of a switch would be rather high, exposing me to monopoly problems.
Browser support would also be nice to have, so there's a check that I'm being redirected to my true ID provider, not just something that looks like it.
Maybe, this stuff is too sophisticated for a sufficiently large number of people. But maybe, it works with the right sales pitch.
Your initial concerns are addressed by openid "personas". myopenid.com has them implemented and is free (or you could set up your own server to achieve it). https://www.myopenid.com/help#personas
Your later concerns are solved by openid delegation. Any uri you own can be made an alias of any openid you want. Thus if you switch openid providers all you need to do is edit a page you own and make it point to a new provider. https://www.myopenid.com/help#own_domain
The only thing that makes me use open ID is the fact that I used myopenid to create my account on stackoverflow :/
Now I want and account transfer feature on stackoverflow so that I can attach/shift from myopenid to plain simple gmail id.
Um... that feature exists. You can attach an alternative OpenID to your account make it your main one. Just go to your user page and click on "new login" to the left of the "about me" box.
Was skeptical of OpenID. Tried it for the first time yesterday to log into to answers.onstartups.com.
I'm a believer.
I used MyOpenID instead of google/yahoo etc since after reading the article about the power of google passwd that was posted here, since I expect MyOpenID to be primarily for trivial logins.
Lately I've been thinking that what we really need is something based on PGP/GnuPG. Think about it. If the browser implemented access to your keychain, then you could use your keys as login.
When you 'sign up' you would just provide you public key to the website (upload or url). Then when you were presented with a login, the browser would be sent a data set to sign with your private key and send back to the server you are trying to access (which would then verify with you public key).
I've been thinking about OpenPGP based website authentication too. You should check out the web pages I have book marked under the "gpg" tag: http://delicious.com/jf/gpg
My main frustration right now is that, aside from Bouncy Castle, all the libraries I've looked at to do cryptography seem to just be partially implemented wrappers around GnuPG.
actually it is possible already to set up certificates and use them for authentication, in firefox you can check this under preferences/advanced/encryption
I really like client-side SSL certificates, I just hate dealing with custom root certificates. I'm excited about using the OpenPGP web-of-trust to add a "social" layer to applications. For example: "Allow any of my friends to log in to this server".
My main inspiration of thought along these lines is the urge to want to post things like photos online for friends/family, but I shy away from using something like Facebook to do it. The only problem with 'rolling my own' is the I don't want to necessarily make all photos world-viewable, and I don't want to force my friends/family to create an account just to view my photos.
If all I had to do was grab their public key, I could then do everything behind the scenes (even creating groups so that some people can see some photos and others can't).
This can be easily done using openid. Openid providers are free to authenticate you any which way including exotic means like those. Here's an implementation in private beta: http://pgpopenid.com/
Yea... That page is next to useless. Had heard of them a while ago and thought they would have more write up then that on their home page.
Anyway, this is very simple to do. You first create a server that can authenticate you just for itself over the web. You send it your id, it sends a random string. You sign it and send it a random string of your own. Server signs your random string and sends it back. You both know you are authentic, server leaves a signed cookie at your end. Now this server can act as an openid server too. You give random web-app your openid residing on this server... random web app asks this server. It confirms or denies and life is good.
OpenID in its present form will never really catch on because it's too involved and complicated for normal people to use. I am not a technologist but I'm a pretty savvy user, and I have never really understood how to use it.
Your readers might want to think about accepting registrations and logins from Yahoo, Google, Twitter, Facebook, MySpace, AOL, Hotmail, Windows LiveID and many other accounts using JanRain's RPX, http://rpxnow.com
Additionally, users can publish their activities on a website back to social networks including Yahoo, Facebook, Twitter, and MySpace which increases referral traffic to your sites and facilitates subsequent logins.
Clients include Sears, Kmart, Universal Music Group, EMI, Fox News, KickApps, UserVoice, Viewpoints, Get Satisfaction, Savings.com, FamilyLink, DC Shoes, Famous Footwear, and many others
54 comments
[ 4.5 ms ] story [ 90.5 ms ] threadAnd there are few sites I log in with my OpenID.
Ofcourse, I _know_ this, but in general, users don't know and don't care. So, OpenID actually makes the web a safer place for inexperienced users, which is I think is rather important.
I don't understand how anyone can promote OpenID in good conscience with this glaring hole in the design. You simply can't rely on user education.
Can someone who doesn't believe the phishing potential is real please tell me why? What am I missing?
In fact, a ton of the code that runs the site itself is fully open source: http://developers.facebook.com/fbopen/ That's mind-blowingly impressive. I still don't believe more people don't know about this or seem to care.
"FB connect" is a session management and authentication product from facebook. I find it obnoxious. It is pretty much literally the antithesis of openid. FB open source: good, FB connect: horrible.
To those of you who haven't used it, try it out before condemning it.
It's really nice to login with the click of a button (no typing usernames and passwords) and signing up is usually a one click action as well.
Or you can host your own.
See here for a good list: http://openid.net/get-an-openid/
I initially wasn't too impressed by OpenID, but I was sold by the third site I got to use my login. It's value is really tied to the adoption by sites.
It's especially nice on small blogs: you don't have post anonymously if you are averse to signups.
http://intertwingly.net/blog/2007/01/03/OpenID-for-non-Super...
This allows you to change the underlying implementation at any time.
I am always happy when I can use OpenID on a site. It's a really low barrier and guarantees that I won't leave at the sign up form. The only reason I don't use it every day is because the sites I visit every day don't support it.
The great thing about login/identity/authentication standards is that there are so many to choose from. Didn't we learn the first time around with web browser capabilities to avoid this kind of fragmentation again?
As most websites that do support it — that I use — require a traditional email/username and password based account and I've yet to encounter a website that required me to have OpenID to make full use of functionality, to me, an OpenID account is the extra account I have to keep track of.
Interestingly, Wildbit removed support for OpenID in Beanstalk earlier this year. (http://wildbit.com/blog/2009/05/26/what-happened-to-openid-s...)
Gravatar support is, for example, a feature I'd like to get from my OpenID provider. After all, my image belongs to my identity.
Next, with a single identity comes also privacy concerns. Automatically generated disposable E-Mail addresses for each new sign-up would be nice to have, in my opinion.
Privacy concerns, however, are also related to the most common business models of these providers: It seems, nearly all of them want to display or sent me advertising. Or they want to be able to improve their advertising displays.
Can't they just ask for, say, US$29 or US$39 a year?
Then, I'd also need some sort of easy Identity transfer. If I switch providers, for example, the new one should be able to ask the old one for all the data and notify the consumers about the switch. Otherwise, the transaction costs of a switch would be rather high, exposing me to monopoly problems.
Browser support would also be nice to have, so there's a check that I'm being redirected to my true ID provider, not just something that looks like it.
Maybe, this stuff is too sophisticated for a sufficiently large number of people. But maybe, it works with the right sales pitch.
Your later concerns are solved by openid delegation. Any uri you own can be made an alias of any openid you want. Thus if you switch openid providers all you need to do is edit a page you own and make it point to a new provider. https://www.myopenid.com/help#own_domain
I'm a believer.
I used MyOpenID instead of google/yahoo etc since after reading the article about the power of google passwd that was posted here, since I expect MyOpenID to be primarily for trivial logins.
When you 'sign up' you would just provide you public key to the website (upload or url). Then when you were presented with a login, the browser would be sent a data set to sign with your private key and send back to the server you are trying to access (which would then verify with you public key).
My main frustration right now is that, aside from Bouncy Castle, all the libraries I've looked at to do cryptography seem to just be partially implemented wrappers around GnuPG.
If all I had to do was grab their public key, I could then do everything behind the scenes (even creating groups so that some people can see some photos and others can't).
Anyway, this is very simple to do. You first create a server that can authenticate you just for itself over the web. You send it your id, it sends a random string. You sign it and send it a random string of your own. Server signs your random string and sends it back. You both know you are authentic, server leaves a signed cookie at your end. Now this server can act as an openid server too. You give random web-app your openid residing on this server... random web app asks this server. It confirms or denies and life is good.
Additionally, users can publish their activities on a website back to social networks including Yahoo, Facebook, Twitter, and MySpace which increases referral traffic to your sites and facilitates subsequent logins.
Clients include Sears, Kmart, Universal Music Group, EMI, Fox News, KickApps, UserVoice, Viewpoints, Get Satisfaction, Savings.com, FamilyLink, DC Shoes, Famous Footwear, and many others