11 Reasons Why OpenID Rocks/Sucks

by ddn on February 20, 2007 · 91 comments

I’ve had some interesting conversations with people lately regarding OpenID. What is OpenID? It’s one login/password for every site that supports it. As you may have noticed, we’ve implemented it here in the comments, and soon you will need an OpenID in order to leave a comment. Microsoft tried to do this with Passport years ago, and many websites, including eBay, tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn’t work out. TypeKey is a similar system and they’ve done a pretty good job, but there still isn’t widespread adoption. Part of the problem with Passport and TypeKey is that each is a centralized system. OpenID, for better or for worse, is a decentralized authentication system.

Most of us have agreed that it would take some really big websites implementing OpenID for it to gain real traction. Today Kevin Rose announced that they are moving to OpenID to authenticate users. As usual, we are ahead of the curve and have already done so. Try to keep up, Kevin. Even bigger than Digg would be WordPress implementing OpenID as part of the core package. That would surely launch it into the mainstream. Then again, there would be almost no need for their Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)

Unfortunately, it’s not all roses. Here are 11 reasons OpenID rocks and sucks.

Here are 5 reasons why I think OpenID Rocks:

1) 1 ring to rule them all – why wouldn’t you want the ability to have 1 sign-in across all blogs?

2) Bye-bye comment spam.

3) Verify who is actually making comments. Plenty of people post comments as a fake Matt Cutts or Jason Calacanis, which means verifying IPs or doing other time-consuming checks whenever prominent people really do comment.

4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.

5) De-centralized authentication leaves no single player holding all the cards.

Here are 6 reasons why OpenID sucks:

1) It is (as yet) too complicated for the average website owner to implement.

2) The security implications of this type of cross-site authentication haven’t been fully explored.

3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”

5) Hackish implementations. For example, the WordPress plugin actually creates local WordPress users behind the scenes. In my opinion, this is an unacceptable hack.

6) Lack of implicit strong authentication. An OpenID login is only as strong as the identity provider’s authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip side is that if an IdP provides strong authentication, then the OpenID is as secure as that link in the chain.
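Reason 6 is something a relying party can actually check rather than assume. OpenID 2.0’s Provider Authentication Policy Extension (PAPE 1.0) lets the site ask the identity provider for a policy such as multi-factor and then read back which policies the provider says it satisfied and when the user last authenticated. The following is an added example (not code from this post or from any OpenID library) of the relying-party side of that check. It assumes the assertion’s signature, return_to and nonce have already been verified, and that the response parameters arrive as the query string of the return_to URL; the three sample responses are constructed for the example.

```python
"""Relying-party check of how strong an OpenID login actually was.

Added example. Assumed: the positive assertion has already passed
signature, return_to and nonce verification; only the PAPE fields are
examined here. The sample query strings are constructed, not captured.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Namespace and policy URIs defined by PAPE 1.0.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"


def parse_indirect_response(query_string):
    """Flatten the return_to query string into a {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def pape_alias(params):
    """The OP may bind the PAPE namespace to any alias, so find it by
    namespace URI instead of assuming the parameters are 'openid.pape.*'."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def assertion_strength(params, required, max_age=None, now=None):
    """Return (ok, reason). Every policy URI in `required` must appear in the
    OP's auth_policies; if max_age (seconds) is given, the OP's auth_time
    must be no older than that relative to `now` (a UTC datetime)."""
    alias = pape_alias(params)
    if alias is None:
        return False, "OP did not answer the PAPE request; treat the login as weak"
    satisfied = set(params.get(f"openid.{alias}.auth_policies", "").split())
    missing = set(required) - satisfied
    if missing:
        return False, "OP did not satisfy: " + ", ".join(sorted(missing))
    if max_age is not None:
        stamp = params.get(f"openid.{alias}.auth_time")
        if stamp is None:
            return False, "OP gave no auth_time; cannot enforce max_auth_age"
        try:
            auth_time = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed auth_time"
        now = now or datetime.now(timezone.utc)
        age = (now - auth_time).total_seconds()
        if age < 0 or age > max_age:
            return False, f"authentication is {int(age)}s old, limit is {max_age}s"
    return True, "policies satisfied: " + " ".join(sorted(satisfied))


def check_login(query_string, required, max_age=None, now=None):
    """Convenience wrapper: parse the return_to query and evaluate it."""
    return assertion_strength(parse_indirect_response(query_string), required, max_age, now)


# Constructed sample responses. Only the PAPE-relevant fields are shown; a
# real response also carries the signature and association fields.
WEAK = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
        "&openid.claimed_id=http://alice.example.org/"
        "&openid.ns.pape=" + PAPE_NS +
        "&openid.pape.auth_policies=" + PHISHING_RESISTANT +
        "&openid.pape.auth_time=2007-02-20T18:00:00Z")
# Same user, but the OP chose the alias 'p' and reports a second factor.
STRONG = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
          "&openid.claimed_id=http://alice.example.org/"
          "&openid.ns.p=" + PAPE_NS +
          "&openid.p.auth_policies=" + MULTI_FACTOR + "%20" + PHISHING_RESISTANT +
          "&openid.p.auth_time=2007-02-20T18:00:00Z")
# An OP that ignored the PAPE request entirely.
NO_PAPE = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
           "&openid.claimed_id=http://alice.example.org/")
# Fixed "current time" so the age check is reproducible.
SAMPLE_NOW = datetime(2007, 2, 20, 18, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, query in (("weak", WEAK), ("strong", STRONG), ("no pape", NO_PAPE)):
        print(name, check_login(query, {MULTI_FACTOR}, max_age=600, now=SAMPLE_NOW))
```

To get these fields back, the relying party has to ask for them in the authentication request (the `openid.pape.preferred_auth_policies` and `openid.pape.max_auth_age` parameters). The reported policies are the provider’s own claim, so this check only means something for providers the site has decided to trust; it raises the bar for a trusted provider’s logins, it does not make an untrusted provider trustworthy.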

Want an OpenID? Get one here


About the author...

– who has written 9 posts on ShoeMoney.com.

David is the CTO of ShoeMoney Media Group. He makes the gears turn in opposite directions.


{ 76 comments }

1 Mike Empuria

I noticed that you had started using OpenID and had just been listening to a podcast about it so I thought it would be a good thing to look at. You are right about it being complicated to implement! I went to the official OpenID website and came away more confused than ever. I still don’t know how to get an OpenID ID.

As for getting rid of comment spam; what’s to stop a spammer creating lots of OpenID accounts (?) and using them? I don’t see OpenID as stopping spam or even going some ways towards building trust. Everything that is out there will be abused (look at MyBlogLog) and OpenID will probably go the same way. Still, if it helps legitimate users to comment on blogs then at least that’s something.

2 Me

“Hackish implementations.” … I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker. Wouldn’t local user accounts still exist but with an OpenID assigned to them as an alternative to the normal login option? You would still need to validate the user’s email address etc… in case the user’s implementing a fake identity server.

3 David Magda

OpenID doesn’t necessarily provide trust.

It isn’t designed to: its goal was to be an identification system. Once you ID someone you can choose whether to trust them or not (or choose to trust some providers more than others).

4 Miles

I just signed up for openid on my open id.. we’ll see how I like it.

Nice writeup though.

5 rektide

you are a moron. security is as good as the idp implements and the user is willing to futz with, no more and no less. your other points may or may not apply.

implementation would be a lot easier if the docs didn’t suck. in particular, /w openid 2.0 no one has any fucking clue what XRI is nor why we need yet another naming scheme. i get that pasta meeting the wall feeling.

6 zzz

so, if i want to be mr smart and nice on digg under the username Ty420, but a noob flamer on shoemoney, ppl will know me? like were all friends?
and i thought nsa spying was too much
forget this, let me keep invididual personalities and names for each site i go to. u spy !

7 Steven Wittens

I don’t get your comment about local accounts… every CMS out there has some notion of users, usually an entry in a ‘users’ table. How this account is instantiated and used doesn’t matter except for the log-in. From that point on, you use a regular session cookie and keep all session data on the local server.

OpenID just helps you identify the user and do the log-in. Local accounts, whether a complicated object, or just a row in a database, are a necessary mechanism for doing any sort of user interaction on the site. For example, if you want to do OpenID attribute exchange, you’ll want to cache the attribute values locally for speedy access. OpenID includes a clear flow for the propagation and refreshing of such cached values.

In Drupal (drupal.org) for example, the authentication is cleanly pluggable and local accounts are tied to the OpenID using a standard API mechanism. Perhaps you mean to say that the WordPress plug-in leverages some code to mimic a real account creation by a user in a less than kosher way, but that’s no reason to dismiss local accounts.

8 Mike Prasad

Hi All,

There’s a Open Discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It’ll be an open forum so anyone can ask questions. If you’re interested in showing up, check out http://www.idcast.org (site is being put up today).

Hopefully I’ll see some of you there!

9 Ned Baldessin

I don’t see how OpenID prevents comment spam : just create 10000 accounts, start spamming, done.

10 ahmet aktaş

hello ım ahmet,from,türkish,ım,staying,in,nusaybin,and,ım,live,in,nusaybin.ım,want,to,speak,english,very well thanks yourfor,english nice to meet you see your later by

11 Diego

Have a little “for dummies” video about OpenID on my blog.

12 Simon

I’m sure there was a valid point in there somewhere.

The big issue is lack of trust, as such OpenID is useless for stopping comment spam. Since anyone can set up as an OpenID provider. As witnessed by the “test” messages in response to this post.

Indeed email authentication is probably better, as we already have established ways of blocking email from many spammers.

Authentication is the first step in any such system. If you can’t tell whether two comments are made by the same person, you can’t learn to trust someone who makes good comments. But yes, we need a simpler (to use) system with some form of trust.

Of course some of the ease of use is an implementation issue largely, how long before there is a firefox plugin or feature that just fills in the OpenID field for you, just like the password tool does.

Building trust on the other hand will always require more work, and will go wrong sometimes. Trust requires sophistication, and as con men know, sophistication is often lacking.

13 Nathan

Just signed up for an ID. Not sure if I’d open it up on my forum but for a blog it seems like a good idea.

14 James

In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts…

15 Geir A

The purpose of OpenID is for authentication only, not authorization. Trust has nothing to do with the former, only the latter.

But you’re right that many people find implementation too complicated. It doesn’t work on this site, for instance.

16 rjspotter

Sorry about being late to the party. I think there’s a common misconception about what OpenID is and is not. OpenID is an authentication system not an authorization system.

What’s to stop a spammer from creating their own OpenID server and creating a massive amount of OpenIDs? Nothing. They are perfectly valid OpenIDs.

What’s to prevent them from using those OpenID to post comments on your site? Well, that depends on you. You decide what forms of authorization information from what trusted providers you’re going to require. Simple example; http://botbouncer.com/ a single strong captcha associated with an OpenID. If botbouncer says that the OpenID has successfully negotiated the captcha and you choose to trust botbouncer you can authorize the user as a ‘real’ person.

Not requiring some sort of authorization is equivalent to requiring an email address in your signup form and never actually verifying the email address.

–R
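The point made in reason 3 of the post and in the comment above is the same one: a valid OpenID assertion only identifies, and since anyone can run a provider, what that identity is allowed to do is the relying party’s own policy. The following is an added example (not code from the post, the commenter, or BotBouncer) of such a policy for a comment form. It assumes the assertion’s signature, return_to and nonce have already been verified and that the relying party performed its own discovery on the claimed identifier; the trusted-provider list, the attestation store and the `captcha` attestation type are hypothetical stand-ins for the kind of service the comment describes.

```python
"""Relying-party authorization policy layered on OpenID authentication.

Added example. Assumed: the assertion is already signature-verified and
the RP discovered `discovered_endpoint` for the claimed identifier itself.
TRUSTED_OPS and ATTESTATIONS are hypothetical sample policy data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input):
    """Simplified OpenID 2.0 URL identifier normalization: add http:// when
    no scheme is present, lowercase scheme and host, drop the fragment and
    make sure there is a path. XRI identifiers are not handled here."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


@dataclass(frozen=True)
class VerifiedAssertion:
    claimed_id: str    # openid.claimed_id, after signature verification
    op_endpoint: str   # openid.op_endpoint, the provider that signed it


# Hypothetical policy: providers whose logins the site accepts outright.
TRUSTED_OPS = {"https://op.example.net/server"}

# Hypothetical attestation store: normalized claimed_id -> attestations the
# site collected earlier (e.g. a one-time captcha solved via a service it
# trusts, as in the BotBouncer idea from the comment).
ATTESTATIONS = {"http://alice.example.org/": {"captcha"}}


def authorize_comment(assertion, discovered_endpoint,
                      trusted_ops=TRUSTED_OPS, attestations=ATTESTATIONS):
    """Decide what to do with a comment from an authenticated OpenID.
    Returns 'reject', 'trusted', 'verified' or 'moderate'."""
    claimed = normalize_identifier(assertion.claimed_id)
    # OpenID 2.0 requires the RP to confirm that the provider which signed
    # the assertion is the one its own discovery found for the claimed
    # identifier; otherwise any provider could assert any identifier.
    if assertion.op_endpoint != discovered_endpoint:
        return "reject"
    # Identification is done; everything below is the site's trust policy.
    if assertion.op_endpoint in trusted_ops:
        return "trusted"
    if "captcha" in attestations.get(claimed, set()):
        return "verified"
    # Unknown provider, no attestation: publish only after moderation.
    return "moderate"


if __name__ == "__main__":
    a = VerifiedAssertion("alice.example.org", "https://selfhosted.example.org/id")
    print(authorize_comment(a, "https://selfhosted.example.org/id"))
```

The four outcomes map directly onto the comment’s argument: the provider check answers “who is this identifier?”, and the trust list or attestation answers “do we let them post?”. A site that skips the second question is, as the comment says, no better off than one that never verifies an email address.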

17 Halve

Thanks for pointing out that affiliate programs help clarify what OpenID is and help sites to refer users to established OIPs. I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIPs is good practice and lets them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com

19 steve pepple

In regards to that last reason that OpenID sucks right now:

The team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID, TrustBearer OpenID.

We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features users will look for in this type of implementation.

With our OpenID, you basically just set-up a strong authentication device and then link the device to your OpenID URL.

20 shitwolf

Open ID has confusing documentation, but is not that hard to implement on your site. If I can do it a monkey can.. + coffee *sideways glance* . As for the comment about users on wordpress having a local login behind the scenes… would you rather all wordpress’s sensitive information associated with the user be associated with the openID, such as a user’s wordpress internal user id?? what if every site required this? this would fall flat on its face and no one would use open id for fear of revealing internal program structure.

21 David Newcomb

Not sure I agree with sucks reason #1.
phpMyID ( http://siege.org/projects/phpMyID/ ) is pretty easy to set up.
This blog shows how to set it up for a couple of users.
http://www.bigsoft.co.uk/blog/index.php/2008/11/16/set-up-and-install-phpmyid

22 bali villas

good info

23 Bali Villa

Open ID is simple, just login one time to all open id network.

24 Paul Myatt

I love the fact that you can now use you own domain name as your OpenID. I show how to do this with WordPress at paulmyatt.com

25 Yuval Kogman

OpenID delegation solves the problem of managing your own OpenID provider.

It’s unfortunate that it’s not better known. It’s much easier than setting up even the simplest OpenID provider since it can be done with just static HTML.

http://blog.woobling.org/2009/05/your-openid-sucks.html
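Delegation works because OpenID discovery on a URL identifier can be done from plain HTML: the relying party fetches the page and reads `<link>` elements in its `<head>`, `rel="openid2.provider"` and `rel="openid2.local_id"` for OpenID 2.0, or `rel="openid.server"` and `rel="openid.delegate"` for OpenID 1.1. The following is an added example (not code from the post, the comment, or the linked article) of the relying-party side of that lookup, with the two checks a site should make before redirecting a user to whatever the page names as its provider. The sample pages are constructed.

```python
"""HTML-based OpenID discovery for a delegation page (added example).

The rel values are the ones defined by the OpenID 1.1 and 2.0 specs. The
pages below are constructed samples; op.example.net is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

REL_TOKENS = {"openid2.provider", "openid2.local_id", "openid.server", "openid.delegate"}


class _HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> elements, but only until <body>
    starts: the spec puts discovery links in <head>, and stopping there
    keeps user-supplied page content from naming a provider."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag == "link" and self._in_head:
            attr = dict(attrs)
            rel = (attr.get("rel") or "").lower().split()  # rel may list several tokens
            if attr.get("href") and REL_TOKENS.intersection(rel):
                self.links.append((rel, attr["href"]))


def _absolute_http(url):
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover_from_html(page):
    """Return {'version', 'op_endpoint', 'local_id'} or None if the page
    carries no usable discovery information. OpenID 2.0 links take
    precedence over 1.1 links; the first link of each kind wins."""
    parser = _HeadLinks()
    parser.feed(page)
    found = {}
    for rel, href in parser.links:
        for token in rel:
            if token in REL_TOKENS:
                found.setdefault(token, href)
    if "openid2.provider" in found:
        result = {"version": "2.0", "op_endpoint": found["openid2.provider"],
                  "local_id": found.get("openid2.local_id")}
    elif "openid.server" in found:
        result = {"version": "1.1", "op_endpoint": found["openid.server"],
                  "local_id": found.get("openid.delegate")}
    else:
        return None
    # The user's browser will be redirected to op_endpoint, so only accept
    # an absolute http(s) URL there.
    if not _absolute_http(result["op_endpoint"]):
        return None
    return result


# Constructed sample: a static delegation page declaring both 2.0 and 1.1
# links, followed by body content that must be ignored.
DELEGATION_PAGE = """<html><head>
<title>alice</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://alice.op.example.net/">
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://alice.op.example.net/">
</head><body>
<p>Visitor comment: <link rel="openid2.provider" href="https://untrusted.example/op"></p>
</body></html>"""

LEGACY_PAGE = ('<html><head><link rel="openid.server" href="https://op.example.net/server">'
               '</head><body></body></html>')

BAD_PAGE = '<html><head><link rel="openid2.provider" href="/server"></head></html>'

if __name__ == "__main__":
    print(discover_from_html(DELEGATION_PAGE))
```

What the relying party learns here is only where the identifier’s owner says their provider is; the decentralised design means any page can name any provider, which is the flip side of the flexibility the comment praises. Serving the delegation page over HTTPS matters for the same reason: whoever can alter that page controls where logins for that identifier go.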

26 Twilight

In fact fascinating thought for me .
Will you post some a lot more ? coz i desire to follow ur twitter or facebook

27 Villas in Bali

I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker.

28 protoss build order

Thanks for that post, this really helped me a great deal.

29 pharma

We’re a gaggle of volunteers and starting a new scheme in our community. Your site offered us with helpful info to work on. You’ve done an impressive process and
our whole neighborhood can be grateful to you.

30 android

This article is genuinely a fastidious one it helps
new internet people, who are wishing for blogging.
