11 Reasons Why OpenID Rocks/Sucks


I’ve had some interesting conversations with people lately regarding OpenID. What is OpenID? It’s one login and password for every site that supports it. As you may have noticed, we’ve implemented it here in the comments, and soon you will need an OpenID in order to leave a comment. Microsoft tried to do this with Passport years ago, and many websites, including eBay, tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn’t work out. TypeKey is a similar system and they’ve done a pretty good job, but there still isn’t widespread adoption. Part of the problem with Passport and TypeKey is that each is a centralized system. OpenID, for better or for worse, is a decentralized authentication system.

Most of us agree that it would take some really big websites implementing OpenID for it to gain real traction. Today Kevin Rose announced that Digg is moving to OpenID to authenticate users. As usual, we are ahead of the curve and have already done so. Try to keep up, Kevin. Even bigger than Digg would be WordPress implementing OpenID as part of the core package; that would launch it into the mainstream for sure. Then again, there would be almost no need for their Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)

Unfortunately, it’s not all roses. Here are 11 reasons OpenID rocks and sucks.

Here are 5 reasons why I think OpenID rocks:

1) One ring to rule them all: why wouldn’t you want a single sign-in across all blogs?

2) Bye-bye comment spam.

3) Verify who is actually making comments. Plenty of fake Matt Cuttses and Jason Calacanises leave comments, and when the real ones do, it takes verifying IPs or other time-consuming checks to be sure.

4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.

5) Decentralized authentication leaves no single player holding all the cards.

Here are 6 reasons why OpenID sucks:

1) It is (as yet) too complicated for the average website owner to implement.

2) The security implications of this type of cross-site authentication haven’t been fully explored.

3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

4) Too confusing to users. “OK, I want an OpenID. Wait... what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”

5) Hackish implementations. For example, the WordPress plugin actually creates a local WordPress user behind the scenes. In my opinion, this is an unacceptable hack.

6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity provider’s authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.

Want an OpenID? Get one here

91 thoughts on “11 Reasons Why OpenID Rocks/Sucks”

  1. Mike Empuria

    I noticed that you had started using OpenID and had just been listening to a podcast about it so I thought it would be a good thing to look at. You are right about it being complicated to implement! I went to the official OpenID website and came away more confused than ever. I still don’t know how to get an OpenID ID.

    As for getting rid of comment spam; what’s to stop a spammer creating lots of OpenID accounts (?) and using them? I don’t see OpenID as stopping spam or even going some ways towards building trust. Everything that is out there will be abused (look at MyBlogLog) and OpenID will probably go the same way. Still, if it helps legitimate users to comment on blogs then at least that’s something.

  2. dillsmack

    Mike,

    If an IDP came out that required some identity authentication (say, a CC verification) you could implicitly trust that IDP. Any comments from *.trustedidp.com would be a heck of a lot closer to spam-free. You’re right that OID doesn’t provide that, but it provides a mechanism which COULD be more trusted.

    I installed the below-mentioned verselogic OpenID plugin. It wasn’t as easy as it should be IMHO but it wasn’t hard.

  3. Me

    “Hackish implementations.” … I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker. Wouldn’t local user accounts still exist but with an OpenID assigned to them as an alternative to the normal login option? You would still need to validate the user’s email address etc… in case the user’s implementing a fake identity server.

  4. aRgus

    I’m getting sick of this FUD over OpenID. It has THE SAME “TRUST” AS EMAIL BASED AUTHENTICATION. The only differences are:

    1. You can change your provider at any time but keep your same openID (a plus)
    2. They can’t send you anything (another plus).

    YOU manage your authentication. They don’t need to send you password resets etc. They don’t have an email address to sell to a third party, or to spam you with their product “newsletters”. OpenID is BETTER than email based account management.

    The only true con is that you REQUIRE a website (1 page) to use one.

    1) It is (as yet) too complicated for average website owner to implement.

    Uh.. you paste a line of html into your index page.

    2) The security implications of this type of cross-site authentication haven’t been fully explored.

    It’s as secure as email as a login mechanism. If your webserver is compromised you lose. If your email server is compromised you lose. How is this any different?

    3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

    Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?

    4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”

    This is called RTFM. Put “openid” into any search engine and there’s your answer. If someone knows enough about OpenID to want one, they will be able to find out how to get one.

    5) Hackish implementations. For example, the wordpress plugin actually creates a local wordpress users behind the scenes. In my opinion, this is an unacceptable hack.

    This has nothing to do with OpenID as a standard. Just the quality of the particular plugin you’re looking at.

    6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity providers authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.

    Your “security” on financial sites is only as secure as the email address you associate with it. Your online banking security is only as secure as your email account.

    Just as with email, you can be your own provider. There is no requirement to EVER trust a third party.

    The ONLY WAY to compromise an OpenID account is to either compromise the webserver hosting the link to the provider, or to compromise the provider. If your email server gets compromised it’s the SAME RESULT.

  5. Pingback: OpenID - The Good and Bad | Latent Semantic Indexing

  6. David Magda

    OpenID doesn’t necessarily provide trust.

    It isn’t designed to: its goal was to be an identification system. Once you ID someone you can choose whether to trust them or not (or choose to trust some providers more than others).

  7. Kurt

    Been using openID for ages now and really would wish for open adoption. What if it were supported in phpBB? One log in for all my forums…

  8. Pingback: Site setup: OpenID now enabled || Name This Blog

  9. Pingback: Long day 20/2/07 | Link

  10. Guder

    I hadn’t found this that hard to implement. Though it took a second to work out that there are both OpenID servers out there you can use, or you can create your own.

  11. Alan J Castonguay

    Can you think of a better option than creating local user accounts for people leaving comments? That’s how just about every other interactive commenting platform works, apart from anonymous stuff. The fit seemed obvious to me, but hey, I’m open to hearing alternate proposals.

  12. Pingback: ShinyLiving » OpenID

  13. rektide

    you are a moron. security is as good as the idp implements and the user is willing to futz with, no more and no less. your other points may or may not apply.

    implementation would be a lot easier if the docs didn’t suck. in particular, w/ openid 2.0 no one has any fucking clue what XRI is nor why we need yet another naming scheme. i get that pasta meeting the wall feeling.

  14. http://JeremyVanVeelen.myopenid.com/

    3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

    Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?

    By default you would think that you accept *any* openid provider, surely spammers will be starting up their own providers which will require site to start white listing or black listing openid providers.

  15. Tony

    OpenID is a great start. I think people are expecting a new identity system to solve all issues immediately. Let’s just get started with OpenID and let the future decide how it evolves. I don’t mind reimplementing newer versions as the spec improves.

  16. zzz

    so, if i want to be mr smart and nice on digg under the username Ty420, but a noob flamer on shoemoney, ppl will know me? like we’re all friends?
    and i thought nsa spying was too much
    forget this, let me keep individual personalities and names for each site i go to. u spy!

  17. Aeiouy

    I tried to sign up here with my openid and it kicked me back for some reason. Anyways, the captcha on the openid site needs improvement. It sucks.

  18. dillsmack

    No, you’re right. The thing is I should have elaborated more. My point was actually that if an implementation isn’t complete, the results per-site will suck. BTW, shoot me an email, there’s an issue with your plugin that should probably be fixed.

  19. Steven Wittens

    I don’t get your comment about local accounts… every CMS out there has some notion of users, usually an entry in a ‘users’ table. How this account is instantiated and used doesn’t matter except for the log-in. From that point on, you use a regular session cookie and keep all session data on the local server.

    OpenID just helps you identify the user and do the log-in. Local accounts, whether a complicated object, or just a row in a database, are a necessary mechanism for doing any sort of user interaction on the site. For example, if you want to do OpenID attribute exchange, you’ll want to cache the attribute values locally for speedy access. OpenID includes a clear flow for the propagation and refreshing of such cached values.

    In Drupal (drupal.org) for example, the authentication is cleanly pluggable and local accounts are tied to the OpenID using a standard API mechanism. Perhaps you mean to say that the WordPress plug-in leverages some code to mimic a real account creation by a user in a less than kosher way, but that’s no reason to dismiss local accounts.

  20. Wally

    Easy to get OpenID, but it may take a while to be adopted since only the geeks seem aware of it. Many AOL users won’t know what OpenID is or how to use what they have been given.

  21. dillsmack

    That’s half the point. The site NEVER gets and CAN’T get your password. You enter your OpenID, the site checks with your IDP, you approve it via the IDP if you’ve never done it, and the IDP passes back “OK”. It doesn’t pass any more information than that.

  22. Pingback: Adopting OpenID » SELaplana

  23. Mike Prasad

    Hi All,

    There’s a Open Discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It’ll be an open forum so anyone can ask questions. If you’re interested in showing up, check out http://www.idcast.org (site is being put up today).

    Hopefully I’ll see some of you there!

  24. mxcl

    You should add:

    6: convenience, it’s very quick and easy to post comments on forums, blogs, web2 sites now. No email back-and-forth is needed, no permanent registration.

    7: You don’t have to give your email address out to authenticate,

    8: Guaranteed username. Nobody else can preregister my domain or pretend to.

  25. Pingback: 11 Reasons Why OpenID Rocks/Sucks « News Coctail

  26. Pingback: Trip Hop Clan » Blog Archive » Debate about OpenID

  27. ahmet aktaş

    hello ım ahmet,from,türkish,ım,staying,in,nusaybin,and,ım,live,in,nusaybin.ım,want,to,speak,english,very well thanks yourfor,english nice to meet you see your later by

  28. sp-dev

    I’m 50/50 about OpenID at the moment, although I spent most of the night playing around with it. I look forward to more implementation of OpenID on the global interweb.

  29. Pingback: links for 2007-02-21 at Baron VC

  30. http://jcims.myopenid.com/

    This is the same issue that many organizations implementing enterprise single sign on have to deal with. Applications almost always have a concept of a local account that maintains entitlements, history, etc. OpenID simply provides a global namespace and authentication method, and does nothing for authorization or other account management issues.

  31. Pingback: Vinny Lingham’s Blog » Blog Archive » links for 2007-02-22

  32. thuhn

    Hello Jeremy,
    it’s good to see that you are one of the early adopters who has implemented OpenID on his site, and if this comment shows up, it works great :).
    I would like to spread the word about this emerging technology and have submitted your site to “The OpenID Directory“. I hope this is fine for you.
    Thanks and congratulations!
    Thomas Huhn

  33. Simon

    I’m sure there was a valid point in there somewhere.

    The big issue is lack of trust, as such OpenID is useless for stopping comment spam. Since anyone can set up as an OpenID provider. As witnessed by the “test” messages in response to this post.

    Indeed email authentication is probably better, as we already have established ways of blocking email from many spammers.

    Authentication is the first step in any such system. If you can’t tell whether two comments are made by the same person, you can’t learn to trust someone who makes good comments. But yes, we need a simpler (to use) system with some form of trust.

    Of course some of the ease of use is an implementation issue largely, how long before there is a firefox plugin or feature that just fills in the OpenID field for you, just like the password tool does.

    Building trust on the other hand will always require more work, and will go wrong sometimes. Trust requires sophistication, and as con men know, sophistication is often lacking.

  36. Pingback: Wazaber » 11 reasons why OpenID rocks/sucks

  35. Pingback: Weekend links 49 on depi.sk - IT & Life Weblog

  36. VinodLive

    I think using your own domain name as openID is better. You can either redirect the auth requests to a service provider or you could as well host it.
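The “use your own domain as your OpenID” idea above (and aRgus’s “paste a line of html into your index page” earlier in the thread) works through HTML discovery: the relying party fetches the claimed URL and reads `<link>` tags that point at the provider. As an added example, not code from the post, WordPress or any commenter, here is a small Python relying-party discovery step. The sample page, the alice.myopenid.com identifier and the provider endpoint URL are constructed for the example.

```python
# Added example (not from the post, WordPress, or any commenter): how a relying
# party turns a user's own domain into a provider to talk to, by reading the
# <link> tags defined for HTML discovery by OpenID 1.1
# ("openid.server"/"openid.delegate") and OpenID 2.0
# ("openid2.provider"/"openid2.local_id"). Sample page and URLs are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit


def normalize_claimed_id(raw):
    """OpenID-style normalization of what the user typed: add http:// if there
    is no scheme, lower-case the host, default the path to '/', drop fragments."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("claimed identifier must be an http(s) URL")
    url = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")


class _OpenIDLinkParser(HTMLParser):
    """Collects rel -> href for openid* <link> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if href and rel.startswith("openid"):
                    self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def _require_absolute_http(url):
    # A delegate/provider link that is not an absolute http(s) URL is a sign
    # of a broken or hostile page; refuse to follow it.
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError(f"rejecting OpenID link that is not an absolute http(s) URL: {url!r}")
    return url


def discover(claimed_id, html):
    """Return the provider endpoint and the identifier to present to it, or
    None if the page carries no OpenID links. OpenID 2.0 tags win over 1.1."""
    claimed = normalize_claimed_id(claimed_id)
    parser = _OpenIDLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        provider, local_id, version = links["openid2.provider"], links.get("openid2.local_id", claimed), 2
    elif "openid.server" in links:
        provider, local_id, version = links["openid.server"], links.get("openid.delegate", claimed), 1
    else:
        return None
    return {
        "claimed_id": claimed,
        "provider": _require_absolute_http(provider),
        "local_id": _require_absolute_http(local_id),
        "version": version,
    }


# Constructed sample: the lines pasted into the <head> of the user's own home
# page (provider endpoint URL assumed for the example).
SAMPLE_HTML = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="https://alice.myopenid.com/">
<link rel="openid2.provider" href="https://www.myopenid.com/server">
<link rel="openid2.local_id" href="https://alice.myopenid.com/">
</head><body>Alice's home page</body></html>"""

if __name__ == "__main__":
    print(discover("Example.org", SAMPLE_HTML))
```

Because the delegate link lives on the user’s own page, whoever can edit that page controls where logins for that identifier go, which is the “compromise the webserver hosting the link” case aRgus mentions; the relying party should therefore fetch the page over HTTPS where it can and treat anything other than an absolute http(s) link as an error.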

  37. http://raviudeshi.com/

    Instead of creating local users, you *could* just use OpenID to verify comment authors. This makes a lot more sense for most blogs with a single author, where the only time visitors need to ever “log in” (via OpenID or otherwise) is to leave a comment.

  38. James

    In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts…

  39. Pingback: OpenId « emmeesse

  40. Pingback: j’Alias » OpenID: some references

  41. Geir A

    The purpose of OpenID is for authentication only, not authorization. Trust has nothing to do with the former, only the latter.

    But you’re right that many people find implementation too complicated. It doesn’t work on this site, for instance.

  42. rjspotter

    Sorry about being late to the party. I think there’s a common misconception about what OpenID is and is not. OpenID is an authentication system not an authorization system.

    What’s to stop a spammer from creating their own OpenID server and creating a massive amount of OpenIDs? Nothing. They are perfectly valid OpenIDs.

    What’s to prevent them from using those OpenID to post comments on your site? Well, that depends on you. You decide what forms of authorization information from what trusted providers you’re going to require. Simple example; http://botbouncer.com/ a single strong captcha associated with an OpenID. If botbouncer says that the OpenID has successfully negotiated the captcha and you choose to trust botbouncer you can authorize the user as a ‘real’ person.

    Not requiring some sort of authorization is equivalent to requiring an email address in your signup form and never actually verifying the email address.

    –R
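Two comments above describe the mechanics that the argument in this thread keeps circling: dillsmack’s (#21) “the site checks with your IDP ... and the IDP passes back OK” and rjspotter’s point that the site itself decides which providers it will accept. As an added example, not code from the post, any plugin or any commenter, here is a small Python model of that exchange with a simulated provider on one side and the blog’s relying party on the other. It assumes the two already completed the association step and share an HMAC-SHA256 key; the key, the URLs and the provider endpoints are constructed values.

```python
# Added example (not from the post, any plugin, or any commenter): a toy of the
# OpenID 2.0 positive assertion. Assumes an association already exists (shared
# HMAC-SHA256 key); key, URLs and provider endpoints are constructed.
import base64
import calendar
import hashlib
import hmac
import time

# Fields the OpenID 2.0 spec requires a provider to sign in a positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")
NONCE_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # response_nonce starts with a UTC timestamp


def utc(ts):
    """'YYYY-MM-DDTHH:MM:SSZ' -> seconds since the epoch."""
    return calendar.timegm(time.strptime(ts, NONCE_TS_FMT))


def _kv_form(params, signed_keys):
    """Key-Value form of the signed fields, in the order listed in openid.signed."""
    out = []
    for key in signed_keys:
        value = params.get("openid." + key)
        if value is None:
            raise ValueError(f"signed field missing from response: {key}")
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("illegal characters in signed field")
        out.append(f"{key}:{value}\n")
    return "".join(out).encode("utf-8")


def _mac(mac_key, data):
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha256).digest()).decode("ascii")


def op_sign_assertion(mac_key, assoc_handle, op_endpoint, claimed_id, return_to, nonce):
    """Provider side (simulated). Note what is NOT here: the user's password.
    The provider authenticates the user however it likes and returns only a
    signed statement that this identifier logged in for this return_to."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id, "openid.return_to": return_to,
        "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    params["openid.sig"] = _mac(mac_key, _kv_form(params, REQUIRED_SIGNED))
    return params


class RelyingParty:
    """The blog's side: signature, return_to, freshness, replay, and optionally
    whether the provider is one this site has chosen to trust."""

    def __init__(self, return_to, allowed_ops=None, max_skew=300):
        self.return_to, self.max_skew = return_to, max_skew
        self.allowed_ops = set(allowed_ops) if allowed_ops else None
        self.associations = {}   # assoc_handle -> shared MAC key
        self.seen_nonces = set()  # (op_endpoint, nonce) already accepted

    def verify(self, params, now=None):
        now = time.time() if now is None else now
        if params.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        signed_keys = params.get("openid.signed", "").split(",")
        missing = [k for k in REQUIRED_SIGNED if k not in signed_keys]
        if missing:
            raise ValueError(f"provider did not sign required fields: {missing}")
        mac_key = self.associations.get(params.get("openid.assoc_handle"))
        if mac_key is None:
            raise ValueError("unknown association handle")
        if not hmac.compare_digest(_mac(mac_key, _kv_form(params, signed_keys)),
                                   params.get("openid.sig", "")):
            raise ValueError("bad signature")
        if params["openid.return_to"] != self.return_to:
            raise ValueError("return_to is not this relying party")
        op = params["openid.op_endpoint"]
        if self.allowed_ops is not None and op not in self.allowed_ops:
            raise ValueError(f"provider not on this site's allowlist: {op}")
        nonce = params["openid.response_nonce"]
        if abs(now - utc(nonce[:20])) > self.max_skew:
            raise ValueError("nonce timestamp outside the accepted window")
        if (op, nonce) in self.seen_nonces:
            raise ValueError("replayed assertion")
        self.seen_nonces.add((op, nonce))
        return params["openid.claimed_id"]


def demo():
    """One honest login, then three responses a verifier must reject."""
    op = "https://www.myopenid.com/server"  # assumed endpoint for the example
    rp = RelyingParty("https://blog.example/comments/return", allowed_ops={op})
    rp.associations["h1"] = b"\x01" * 32    # constructed; real keys come from association
    rp.associations["h2"] = b"\x02" * 32    # association with a second, unlisted provider
    now = utc("2007-02-20T18:00:05Z")
    good = op_sign_assertion(rp.associations["h1"], "h1", op, "https://alice.myopenid.com/",
                             rp.return_to, "2007-02-20T18:00:00Zabc123")
    results = {"claimed_id": rp.verify(good, now=now)}

    def rejected(p):
        try:
            rp.verify(p, now=now)
            return False
        except ValueError:
            return True

    results["replay_rejected"] = rejected(good)          # same assertion replayed
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://someone-else.example/"
    results["tamper_rejected"] = rejected(tampered)      # signature no longer matches
    unlisted = op_sign_assertion(rp.associations["h2"], "h2", "https://other-idp.example/openid",
                                 "https://bot.other-idp.example/", rp.return_to, "2007-02-20T18:00:01Zxyz")
    results["unlisted_provider_rejected"] = rejected(unlisted)  # valid signature, untrusted OP
    return results
```

The last case is the whole trust debate in one line: the assertion from the unlisted provider is cryptographically fine, so authentication succeeds, and it is only the site’s own allowlist (authorization) that turns it away. A site that wants to accept any provider simply passes `allowed_ops=None` and falls back to other signals, such as the captcha-backed attestation rjspotter mentions.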

  43. Halve

    Thanks for pointing out that affiliate programs help clarify what OpenID is and help sites refer users to established OIPs. I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIPs is good practice and lets them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com

  45. steve pepple

    In regards to that last reason that OpenID sucks right now:

    The team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID, TrustBearer OpenID.

    We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features user will look for in this type of implementation.

    With our OpenID, you basically just set-up a strong authentication device and then link the device to your OpenID URL.

  46. shitwolf

    Open ID has confusing documentation, but is not that hard to implement on your site. If I can do it a monkey can.. + coffee *sideways glance*. As for the comment about users on WordPress having a local login behind the scenes... would you rather all of WordPress’s sensitive information associated with the user be associated with the OpenID, such as a user’s WordPress internal user id?? What if every site required this? This would fall flat on its face and no one would use Open ID for fear of revealing internal program structure.

  47. Paul Myatt

    I love the fact that you can now use your own domain name as your OpenID. I show how to do this with WordPress at paulmyatt.com

  48. Pingback: Be A Pro Blogger! » Jo's Web – Creative Resources For Designers

  50. Pingback: Open ID gets greater Support | Barnhard Blog

  51. pharma

    We’re a gaggle of volunteers starting a new scheme in our community. Your site offered us helpful info to work on. You’ve done an impressive process and our whole neighborhood can be grateful to you.
