openidI’ve had some interesting conversations with people lately regarding OpenID. What is OpenID? It’s 1 login/password for every site that supports it. As you may have noticed we’ve implemented it here in the comments and soon you will have to have an OpenID in order to leave a comment. Now Microsoft tried to do this with passport years ago and many websites including eBay tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn’t work out. Typekey is a similar system and they’ve done a pretty good job but… there still isn’t widespread adoption. Part of the problem with Passport and Typekey is that it is a centralized system. OpenID, for better or for worse, is a de-centralized authentication system.

Most of us have agreed that it would take some really big websites to implement OpenID in order for it to really gain some traction. Today Kevin Rose announced that they are moving to Openid to authenticate users. As usual, we are ahead of the curve, and have already done so. Try to keep up, Kevin. Even bigger than digg would be if WordPress would implement OpenID as part of the core package. This would have for sure launch it into the mainstream. Then again, there would be almost no need for there Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)

Unfortunately, it’s not all roses, here’s 10 11 reasons OpenID Rocks and Sucks.

Here are 5 reasons why I think OpenID Rocks:

1) 1 ring to rule them all – why wouldn’t you want the ability to have 1 sign-in across all blogs?

2) Bye-bye comment spam.

3) Verify who is actually making comments. Many fake Matt Cutts’, Jason Calacanis’ make comments and require verifying IPs or other time-consuming checks when prolific people do comment.

4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.

5) De-centralized authentication leaves no single player holding all the cards.

Here are 6 reasons why OpenID sucks

1) It is (as yet) too complicated for average website owner to implement.

2) The security implications of this type of cross-site authentication haven’t been fully explored.

3) OpenID doesn’t necessarily provide trust. Theres nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”

5) Hackish implementations. For example, the wordpress plugin actually creates a local wordpress users behind the scenes. In my opinion, this is an unacceptable hack.

6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity providers authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.

Want an OpenID? Get one here

By Jeremy Schoemaker

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of ShoeMoney Media Group, and to date has sold 6 companies and done over 10 million in affiliate revenue. In 2013 Jeremy released his #1 International Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. You can read more about Jeremy on his wikipedia page here.

90 thoughts on “11 Reasons Why OpenID Rocks/Sucks”
  1. I noticed that you had started using OpenID and had just been listening to a podcast about it so I thought it would be a good thing to look at. You are right about it being complicated to implement! I went to the official OpenID website and came away more confused than ever. I still don’t know how to get an OpenID ID.

    As for getting rid of comment spam; what’s to stop a spammer creating lots of OpenID accounts (?) and using them? I don’t see OpenID as stopping spam or even going some ways towards building trust. Everything that is out there will be abused (look at MyBlogLog) and OpenID will probably go the same way. Still, if it helps legitimate users to comment on blogs then at least that’s something.

  2. Mike,

    If an IDP came out that required some identity authentication (say, a CC verification) you could implicity trust that IDP. Any comments from *.trustedidp.com would be a heck of a lot closer to spam-free. You’re right that OID doesn’t provide that, but it provides a mechanism which COULD be more trusted.

    I installed the below-mentioned verselogic OpenID plugin. It wasn’t as easy as it should be IMHO but it wasn’t hard.

  3. Mike Empuria here (see first post). I’ve created an OpenID account and I’m signing in to see what happens (sorry Shoe but I have to test somewhere). I can already see one SEO downside that will make SEOs not want to use this!

  4. Mike, I see what you’re suggesting. I /think/ that would be fixed with a better implementation.

  5. “Hackish implementations.” … I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker. Wouldn’t local user accounts still exist but with an OpenID assigned to them as an alternative to the normal login option? You would still need to validate the user’s email address etc… in case the user’s implementing a fake identity server.

  6. I’m surprised that you didn’t include phishing in your list of negatives. As far as I know, no one’s been able to come up with a satisfactory solution yet without some custom client side software.

  7. I’m getting sick of this FUD over OpenID. It has THE SAME “TRUST” AS EMAIL BASED AUTHENTICATION. The only differences are:

    1. You can change your provider at any time but keep your same openID (a plus)
    2. They can’t send you anything (another plus).

    YOU manage your authentication. They don’t need to send you password resets etc. They don’t have an email address to sell to a thrid party, or to spam you with their product “newsletters”. OpenID is BETTER than email based account management.

    The only true con is that you REQUIRE a website (1 page) to use one.

    1) It is (as yet) too complicated for average website owner to implement.

    Uh.. you paste a line of html into your index page.

    2) The security implications of this type of cross-site authentication haven’t been fully explored.

    It’s as secure as email as a login mechanism. If your webserver is compromised you lose. If you email server is compromised you lose. How is this any different?

    3) OpenID doesn’t necessarily provide trust. Theres nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

    Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?

    4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?�

    This is called RTFM. Put “openid” into any search engine and there’s your answer. If someone knows enough about OpenID to want one, they will be able to find out how to get one.

    5) Hackish implementations. For example, the wordpress plugin actually creates a local wordpress users behind the scenes. In my opinion, this is an unacceptable hack.

    This has nothing to do with OpenID as a standard. Just the quality of the particular plugin you’re looking at.

    6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity providers authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.

    Your “security” on financial sites is only as secure as the email address you associate with it. Your online banking security is only as secure as your email account.

    Just as with email, you can be your own provider. There is no requirement to EVER trust a third party.

    The ONLY WAY to compromise an OpenID account is to either compromise the webserver hosting the link to the provider, or to compromise the provider. If your email server gets compromised its the SAME RESULT.

  8. OpenID doesn’t necessarily provide trust.

    It isn’t designed to: its goal was to be an identification system. Once you ID someone you can choose whether to trust them or not (or choose to trust some providers more than others).

  9. Been using openID for ages now and really would wish for open adoption. What if it were supported in phpBB? One log in for all my forums…

  10. […] is decentralized, any website can employ OpenID software as a way for users to sign in.”read more | digg story Bookmarking Links: These icons link to social bookmarking sites where readers can […]

  11. I hadn’t found this that hard to implement. Though it took a second to work out that there are both OpenID servers out there you can use, or you can create your own.

  12. Can you think of a better option than creating local user accounts for people leaving comments? That’s how just about every other interactive commenting platform works, apart from anonymous stuff. The fit seemed obvious to me, but hey, I’m open to hearing alternate proposals.

  13. you are a moron. security is as good as the idp implements and the user is willing to futz with, no more and no less. your other points may or may not apply.

    implementation would be a lot easier if the docs didnt suck. in particular, /w openid 2.0 no one has any fucking clue what XRI is nor why we need yet another naming scheme. i get that pasta meeting the wall feeling.

  14. 3) OpenID doesn’t necessarily provide trust. Theres nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.

    Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?

    By default you would think that you accept *any* openid provider, surely spammers will be starting up their own providers which will require site to start white listing or black listing openid providers.

  15. OpenID is a great start. I think people are expecting a new identity system to solve all issues immediately. Let’s just get started with OpenID and let the future decide how it evolves. I don’t mind reimplementing newer versions as the spec improves.

  16. so, if i want to be mr smart and nice on digg under the username Ty420, but a noob flamer on shoemoney, ppl will know me? like were all friends?
    and i thought nsa spying was too much
    forget this, let me keep invididual personalities and names for each site i go to. u spy !

  17. I tried to sign up here with my openid and it kicked me back for some reason. Anyways, the captcha on the openid site needs improvement. It sucks.

  18. No, you’re right. The thing is I should have elaborated more. My point was actually that if an implementation isn’t complete, the results per-site will sick. BTW, shoot me an email, theres an issue with your plugin that should probably be fixed.

  19. Anybody who logs with the open id ‘http://www.techmag.biz/thejeshgn’ is me. And they can know about me on the same page.

    This is another use of open id. Use openId delegation method and use your profile page or about page as your open id.

  20. I don’t get your comment about local accounts… every CMS out there has some notion of users, usually an entry in a ‘users’ table. How this account is instantiated and used doesn’t matter except for the log-in. From that point on, you use a regular session cookie and keep all session data on the local server.

    OpenID just helps you identify the user and do the log-in. Local accounts, whether a complicated object, or just a row in a database, are a necessary mechanism for doing any sort of user interaction on the site. For example, if you want to do OpenID attribute exchange, you’ll want to cache the attribute values locally for speedy access. OpenID includes a clear flow for the propagation and refreshing of such cached values.

    In Drupal (drupal.org) for example, the authentication is cleanly pluggable and local accounts are tied to the OpenID using a standard API mechanism. Perhaps you mean to say that the WordPress plug-in leverages some code to mimic a real account creation a by a user in a less than kosjer way, but that’s no reason to dismiss local accounts.

  21. I hope more sites adopt OpenID. What about phishing sites? Is it possible for a website to fake trying to authenticate to ones OpenID server (when it’s actually just capturing ones password)?

  22. Easy to get openid, but may take a while to be adopted since only the geeks seem aware of it. Many aol users won’t know what openid is or how to use what they have been given

  23. Hope OpenID 2.0 comes out fast with Global logout and attribute quesries, just like SAML and WS-FED.

  24. If I have an existing LJ account and a myopenid account, would it be possible to forgo authentication on LJ using my LJ credentials and instead use my myopenid OpenID account?

  25. Thats half the point. The site NEVER gets and CANT get your password. You enter your OpenID, the site checks with your IDP, you approve it via the IDP if you’ve never done it, and the IDP passes back “OK”. It doesn’t pass any more information than that.

  26. […] ShoeMoney gave us five (5) reasons why OpenID rocks and six (6) reasons why it sucks. […]

  27. Hi All,

    There’s a Open Discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It’ll be an open forum so anyone can ask questions. If you’re interested in showing up, check out http://www.idcast.org (site is being put up today).

    Hopefully I’ll see some of you there!

  28. I don’t see how OpenID prevents comment spam : just create 10000 accounts, start spamming, done.

  29. You should add:

    6: convenience, it’s very quick and easy to post comments on forums, blogs, web2 sites now. No email back-and-forth is needed, no permenant registration.

    7: You don’t have to give your email address out to authenticate,

    8: Guarenteed username. Nobody else can preregister my domain or pretend to.

  30. […] Reasons Why OpenID Rocks/Sucks Filed under: Uncategorized — recar @ 1:13 pm 11 Reasons Why OpenID Rocks/Sucks OpenID is something I have been hearing more and more about. This article points out some really […]

  31. […] 11 Reasons Why OpenID Rocks/Sucks – ShoeMoney […]

  32. hello ım ahmet,from,türkish,ım,staying,in,nusaybin,and,ım,live,in,nusaybin.ım,want,to,speak,english,very well thanks yourfor,english nice to meet you see your later by

  33. im 50/50 about openID at the moment although i spent most of the night playing around with it. I look forward to more implementation of openID on the global interweb

  34. […] 11 Reasons Why OpenID Rocks/Sucks The best summary I’ve seen so far. Short and sweet. It’s not exactly a walk in the park to implement/integrate that’s for sure. (tags: openid) […]

  35. This is the same issue that many organizations implementing enterprise single sign on have to deal with. Applications almost always have a concept of a local account that maintains entitlements, history, etc. OpenID simply provides a global namespace and authentication method, and does nothing for authorization or other account management issues.

  36. What would be great is if mainstream sites like Yahoo!, HotMail and AOL supported it.

  37. […] 11 Reasons Why OpenID Rocks/Sucks – ShoeMoneyâ„¢ We’re investigating implementing OpenID in Synthasite. Some interesting views from Jeremy. […]

  38. Hello Jeremy,
    it´s god to see that you are one of the early adopters who has implemented OpenID on his site and if this comment shows up, it works great :).
    I would like to spread the word about this emerging technology and have submitted your site to “The OpenID Directory“. I hope this is fine for you.
    Thanks and congratulations!
    Thomas Huhn

  39. Sorry for the noise, just another newbie OpenID test. Meant to do soemthing about this before and now, thanks to you, I have. Cheers!

  40. I’m sure there was a valid point in there somewhere.

    The big issue is lack of trust, as such OpenID is useless for stopping comment spam. Since anyone can set up as an OpenID provider. As witnessed by the “test” messages in response to this post.

    Indeed email authentication is probably better, as we already have established ways of blocking email from many spammers.

    Authentication is the first step in any such system. If you can’t tell whether two comments are made by the same person, you can’t learn to trust someone who makes good comments. But yes, we need a simpler (to use) system with some form of trust.

    Of course some of the ease of use is an implementation issue largely, how long before there is a firefox plugin or feature that just fills in the OpenID field for you, just like the password tool does.

    Building trust on the other hand will always require more work, and will go wrong sometimes. Trust requires sophistication, and as con men know, sophistication is often lacking.

  41. Wazaber » 11 причин почему OpenID рулит/Ñ?оÑ?Ñ‘Ñ‚ says:

    […] ЗарегиÑ?трировать OpenID иÑ?точник […]

  42. […] 11 Reasons Why OpenID Rocks/Sucks – 11 dôvodov preÄ?o je OpenID super/na niÄ? […]

  43. I think using your own domain name as openID is better. You can either redirect the auth requests to a service provider or you could as well host it.

  44. Just signed up for an ID. Not use if I’d open it up on my forum but for a blog it seems like a good idea.

  45. Instead of creating local users, you *could* just use OpenID to verify comment authors. This makes a lot more sense for most blogs with a single author, where the only time visitors need to ever “log in” (via OpenID or otherwise) is to leave a comment.

  46. In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts…

  47. […] Shoe Money: 11 Reasons Why OpenID Rocks/Sucks […]

  48. The purpose of OpenID is for authentication only, not authorization. Trust has nothing to do with the former, only the latter.

    But you’re right that many people find implementation too complicated. It doesn’t work on this site, for instance.

  49. Sorry about being late to the party. I think there’s a common misconception about what OpenID is and is not. OpenID is an authentication system not an authorization system.

    What’s to stop a spammer from creating their own OpenID server and creating a massive amount of OpenIDs? Nothing. They are perfectly valid OpenIDs.

    What’s to prevent them from using those OpenID to post comments on your site? Well, that depends on you. You decide what forms of authorization information from what trusted providers you’re going to require. Simple example; http://botbouncer.com/ a single strong captcha associated with an OpenID. If botbouncer says that the OpenID has successfully negotiated the captcha and you choose to trust botbouncer you can authorize the user as a ‘real’ person.

    Not requiring some sort of authorization is equvalent to requiring an email address in your signup form and never actually verifying the email address.

    –R

  50. Thanks for pointing out that Affiliate programs help clarify what OpenID is and helps sites to refer users to established OIP’s. I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIP’s is good practice and let’s them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com

  51. I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIP’s is good practice and let’s them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com

  52. In regards to that last reason that OpenID sucks right now:

    The team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID, TrustBearer OpenID.

    We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features user will look for in this type of implementation.

    With our OpenID, you basically just set-up a strong authentication device and then link the device to your OpenID URL.

  53. Open ID has confusing documentation, but is not that hard to implement on your site If i can do it a monkey can.. + coffee *sideways glance* . As for the comment about users on wordpress having a local login behind the scenes… would you rather all wordpress’s sensitive information associated with the user be assosicated with the openID, such as a users wordpress internal user id?? what if every site required this? this would fall flat on its face and no one would use open id for fear of revealing internal program structure.

  54. I love the fact that you can now use you own domain name as your OpenID. I show how to do this with WordPress at paulmyatt.com

  55. […] 11 Reasons Why OpenID Rocks-Sucks […]

  56. In fact fascinating thought for me .
    Will you post some a lot more ? coz i desire to follow ur twitter or facebook

  57. I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker.

  58. […] Update: Reasons it rocks and sucks. […]

  59. We’re a gaggle of volunteers and starting a new scheme in our community. Your site offered us with helpful info to work on. You’ve done an impressive process and
    our whole neighborhood can be grateful to you.

  60. This article is genuinely a fastidious one it helps
    new internet people, who are wishing for blogging.

Comments are closed.