Technophilia: One OpenID to Rule Them All…or Not?

Decentralized online identification system OpenID can log you into dozens of social networking sites (and counting) using a single username and password. OpenID asserts who you are by proving you own a URL—not an email address, not a password, not your mother’s maiden name, just a URL that must be confirmed by both the accepting site and the OpenID host. No more filling out web site registration forms! That sounds wonderful to those of us sick of keeping track of dozens of usernames and passwords. However, while OpenID is terrific in theory, its real-world usage still has a way to go. Let’s take a look at some of the pros and cons of OpenID.

OpenID Pros

Identity management: If you’re looking to build an identity online, OpenID makes your networks easier to manage. Instead of having multiple usernames and passwords for various sites, you only have one. To see all the sites where OpenID is currently accepted, check out the OpenID Directory. Following that train of thought, if you’re trying to build a good online reputation, OpenID is potentially a godsend for tearing down walled gardens and making more than one social network easier to access—you just leap from one network to another using your OpenID URL. Think of it as the BugMeNot for social networks.

Security: As far as security goes, it’s much easier to manage only one username and password rather than 45, right? So you could change your OpenID host password periodically just to keep things more secure. You’re also allowed to create more than one OpenID persona, so you could enact differing levels of security depending on what you’re accessing.

Decentralization: OpenID is decentralized, which means everyone’s OpenID data isn’t stored in one place or managed by one entity or company. Unlike other identity management systems, like Microsoft’s Passport (now Live ID) and Six Apart’s Typekey, you have a choice of OpenID providers and can even set it up on your very own web site. (Here’s a tutorial on how to do this.)

In a nutshell, OpenID is a convenient way to manage your online identity across sites with a single username and password.

OpenID Cons

User profiling: The first issue that came to my mind when looking at OpenID was that of user profiling. If you’re concerned about what you use on the web being tracked in any way, shape, or form, you’ll want to stay away…but then again, you’ll want to stay away from Google, Yahoo, or any other service that traces your user activity. OpenID gave me pause because there’s the possibility of so many different networks and sites being compromised and tracked at once.

I must clarify that this is ONLY if your OpenID is cracked by an unscrupulous user. What we’re looking at here is potentially a big problem, especially if your OpenID is linked to dozens or even hundreds of sites—especially since OpenID is accepted at something like 5,000 sites (and counting) now. None of these sites are what you would call “secure” sites, i.e., anything that uses https:// or has any kind of really (read: financial) sensitive information. OpenID makes it simple to track a user’s movements once an identity is revealed, even more so than multiple identities scattered across the web, which is what most of us have right now—multiple, unlinked accounts make anonymity easier to accomplish.

Anonymity concerns: Some of us actually enjoy multiple personalities—not to mention anonymity—on the web, instead of just one identity provided by OpenID. Though you can build more than one OpenID URL to take care of this, many of us already have password management systems, so OpenID might seem a little redundant. However, OpenID is an excellent solution for managing usernames and passwords to sites and networks you don’t mind losing if compromised (this is both a pro and a con). For more sensitive information, such as financial or email, I wouldn’t suggest that you use OpenID to manage your information. At least, not yet. There are security issues that need to be addressed, namely, the fact that amateur hackers need only one username and password to get all your information—plus the smart hacker can potentially hitch that cracked username to an email and go really nuts. For an excellent discussion of OpenID security concerns, I suggest you read The problem(s) with OpenID.

Usability issues: For the average user, OpenID is too confusing to create and use. I had problems, and I don’t consider myself a newb by any means. Just finding the signup page to create your own OpenID is quite the feat, and the process of actually using it at a site that professes to accept it is clunky and difficult. Yes, there ARE a lot of OpenID providers, but if you go to Live Journal’s home page, you won’t find an OpenID signup. If you go to Yahoo’s home page, you won’t find an OpenID signup…and so on. It’s pretty buried. The only way I was able to find it on Live Journal was to google “openid livejournal”. You can’t sign up for an OpenID from within these services; in fact, if you enter a wrong URL ID you’ll just get a cryptic error message such as this one:

Error: One or more errors occurred processing your request. Please go back, correct the necessary information, and submit your data again.

This error message is pretty useless, with no way to create an OpenID anywhere in sight. However, this doesn’t mean that OpenID isn’t working right—quite the contrary, because OpenID is not an account. According to the folks behind OpenID, it is also NOT a trust system, because trust requires verification of identity. All you’re doing with an OpenID URL is telling the site that you have the ability to prove ownership of that particular URL. It’s not a Live Journal account, it’s not a Yahoo account—it’s just an alternative to starting an account at any of these sites, a name and password substitute. Which makes it somewhat handy, actually, if you can get it to work. :>)

Back to creating your own OpenID: well, they couldn’t have made it LESS user-friendly. If you go to the OpenID home page (http://openid.net/), all you get is a bunch of techno-babble. Way down on the right hand side is a link to I Want My OpenID (http://iwantmyopenid.org/), which sounds promising until you actually go there. It was sheer luck that I was able to find my way to creating an OpenID, and that’s probably just poor marketing/navigation, but dang. THIS (https://www.myopenid.com/) is the correct signup page, but you don’t find this URL in any official documentation that I could find.

Not always reliable: Even though sites may *say* they accept OpenID, it’s a bit hit and miss. Out of the five sites that I tested this on (Moodstr, Simpy, Issues Done, Vote Monkey, and Treedolist), this is what happened: Moodstr would not recognize me at all no matter what. Simpy recognized my OpenID, but still required me to open a Simpy account just to look around—the OpenID passport was pretty much ignored. Issues Done liked my OpenID, but then redirected me to a page where my email was required to keep going. Vote Monkey was successful, as was Treedolist: I was able to dive right in.
Here’s a good quote from Simon Willison that explains why this happened a little further:

Most web application signup processes work something like this:
  • Bob selects a username
  • Bob enters a password, twice
  • Bob enters his e-mail address
  • Bob clicks a validation link in an e-mail sent to that address

Some sites throw a CAPTCHA in there for good measure. OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID into an existing account system) and you’ll almost certainly want them to jump through the e-mail and/or CAPTCHA steps. In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.
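What “proving you own a URL” amounts to on the wire, and where the remaining signup steps from Willison’s list come in, as an added example that is not code from this post or from the OpenID project: a toy provider signs a positive assertion with the association’s HMAC-SHA1 key, and the relying party checks it (return_to, signed-field list, signature, nonce) before deciding whether the claimed URL maps to an existing local account or still needs the username and e-mail steps. The URLs, association handle and key are constructed.

```python
import base64, hashlib, hmac

# Constructed association: the relying party (RP) and the provider (OP) share a
# MAC key, referred to by an association handle. These values are made up.
ASSOC_HANDLE = "hypothetical-assoc-1"
ASSOC_SECRET = b"\x01" * 20
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def kv_form(fields, signed):
    # OpenID key-value encoding of the signed fields: "key:value\n", in list order
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()

def op_sign_assertion(fields):
    # OP side: positive assertion (mode=id_res) with HMAC-SHA1 over the signed fields
    fields = dict(fields, mode="id_res", assoc_handle=ASSOC_HANDLE, signed=",".join(SIGNED_FIELDS))
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, SIGNED_FIELDS), hashlib.sha1).digest()
    return dict(fields, sig=base64.b64encode(mac).decode())

class RelyingParty:
    def __init__(self, return_to):
        self.return_to = return_to
        self.seen_nonces = set()   # replay protection
        self.accounts = {}         # claimed_id -> local username

    def verify(self, resp):
        # Returns the claimed URL if the assertion checks out, otherwise None
        if resp.get("mode") != "id_res" or resp.get("assoc_handle") != ASSOC_HANDLE:
            return None
        if resp.get("return_to") != self.return_to:
            return None            # minted for some other site or callback URL
        signed = resp.get("signed", "").split(",")
        if not set(SIGNED_FIELDS) <= set(signed) or any(k not in resp for k in signed):
            return None            # the signed list must not be shrunk
        expected = hmac.new(ASSOC_SECRET, kv_form(resp, signed), hashlib.sha1).digest()
        if not hmac.compare_digest(base64.b64decode(resp.get("sig", "")), expected):
            return None            # a tampered field or the wrong key
        if resp["response_nonce"] in self.seen_nonces:
            return None            # replayed assertion
        self.seen_nonces.add(resp["response_nonce"])
        return resp["claimed_id"]

    def login(self, resp):
        claimed = self.verify(resp)
        if claimed is None:
            return ("rejected", None)
        if claimed in self.accounts:
            return ("signed_in", self.accounts[claimed])
        return ("needs_registration", claimed)   # username and e-mail steps still follow
```

A real relying party also confirms, via discovery on the claimed URL, that the provider which signed the assertion is the one authorised to speak for it; that step is left out here.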

Identity theft: How do you prevent false identities from being registered? You don’t. Anyone could register as you and create quite a bit of havoc if they really wanted to—possibly wrecking an online reputation that could take a lot of effort to rebuild.

Online identity management experts are usually united on this one principle: if you’re not using a variety of thoughtfully crafted user names and passwords online, you’re not doing a good job of protecting yourself. OpenID aims to make this process more intuitive and secure, but at this point, there are too many unanswered questions to make it a truly secure identity management system.

What you can do with it right now (and what we wish we could do with it)

OpenID is a double-edged sword. I use it, but only for stuff I don’t mind getting cracked (I don’t think my stash of unicorn pics is interesting to anyone but me). It’s a great shortcut for blog comments, as well—no more having to create a TypeKey account just to make your voice heard.

Then again, it’s irritating to do everything twice. You can’t just sign in to something with your OpenID—you still have to create a user name and password for anything you want to use your OpenID key at. There’s also a few security and usability issues that need to be fully addressed before OpenID can be really embraced by the general online public. It’s a great idea—in theory—but I’ll take security over convenience any old day.

Quick footnote: Here are two video presentations about OpenID that are recommended viewing for anyone wanting to learn more about it. First, a Google Tech Talk titled “The Implications of OpenID”:

Secondly, a quick OpenID security writeup:

Wendy Boswell, Lifehacker’s Weekend Editor, likes kittens better than unicorns. Subscribe to her feature series Technophilia using the Technophilia feed.

Original post by Wendy Boswell
