Pros and Cons of OpenID

OpenID, the lightweight, distributed ID system, has been getting a lot of press lately, and for good reason. (For an overview of the system see this earlier Radar post.) Started by LiveJournal founder Brad Fitzpatrick (now with SixApart), it has recently started getting a lot of support – kind of.

Up until recently, Zooomr, Ma.gnol.ia, and various SixApart properties were the biggest supporters of OpenID (and its biggest acceptors). Two weeks ago Microsoft, Verisign, JanRain (a Portland-based startup), and SXIP (a Vancouver-based startup) announced that they would work with SixApart (early supporters, acceptors, and providers of OpenID) to support OpenID and integrate it with Vista’s identity manager, CardSpace (Radar post). There was no mention of MSN or Live becoming acceptors or providers of OpenID. Last week AOL announced that they would become providers of OpenID, giving anyone who has an AIM account an OpenID (Radar post). Earlier this week Digg announced that they would become both a provider and an acceptor (Radar post).

Note that in that flurry of announcements there was only one new big acceptor – Digg. AOL and Microsoft are not accepting OpenID. Why not? What are the pros and cons of OpenID currently? Here’s a crack at it (from the Radar Team):

OpenID Pros

  • You probably already have one – Via your AOL page or SixApart blog
  • You can make your own website into an OpenID provider – This is very simple and is what makes it so appealing to bloggers.
  • Saves you time when trying new sites and features – You already know your namespace is available
  • Desktop support is coming via Vista and Firefox 3.0 (Radar post)
  • Easy to maintain multiple identities – All you need are different URLs
  • It’s decentralized – Not owned by any one company (MS Passport) or standards body (Liberty Alliance)

OpenID Cons

  • Though you have one, there are not many places to use it (yet) – The biggest sites that accept OpenID are SixApart’s sites and Digg. None of the big players — AOL, MS, Google, Yahoo!, MySpace — accept OpenID.
  • The sign-in process can be very confusing and jarring to users – It requires going to another site – not the normal stay-on-one-site-sign-in system that people are used to. (It’s about as user-friendly as when you learned ‘http://’)
  • Security concerns have not been fully resolved – Because of the reliance on a second site for sign-in, OpenID is open to phishing attacks. These concerns are being actively addressed, but the solutions are still being tested and each OpenID provider has the latitude to choose its own solution. An uninformed consumer may not realize that their provider is behind the times. Until this situation is resolved it is not suitable for high-privacy sites like banking or health (if ever).
  • Unrealized loss of anonymity – Currently, each site where you have a login only knows what you tell them about yourself. With OpenID, even though you can maintain multiple identities, you are inherently tying a lot of services together and thus losing some amount of anonymity.

So what does all that mean?
It means that there are a lot of people who have OpenIDs, but they don’t have many places to use them yet, and they probably aren’t aware that they have one. It is a good step towards solving some key online identity problems through an open standard that isn’t trying to solve every problem at once and is instead focusing on deployment and handling issues and requirements as they arise organically. We are overall bullish on OpenID, but the security and usability issues need to be addressed before there is widespread user uptake and the larger players become acceptors.

What do you think?
You have an OpenID (whether you want it or not). Given the chance, will you use it? What do you feel are the biggest hurdles to its adoption? Are you more likely to use a service if you can simply plug in your OpenID? Do you trust it? Is there another identity solution that you think is being overlooked?