Thu

Feb 22
2007

Brady Forrest

Brady Forrest

Pros and Cons of OpenID


Openid, the lightweight, distributed ID system, has been getting a lot of press lately for good reason. (For an overview of the system see this earlier Radar post.) Started by LiveJournal founder Brad Fitzpatrick (now with SixApart), it has recently started getting a lot of support - kind of.

Up until recently, Zooomr, Ma.gnol.ia, and various SixApart properties were the biggest supporters of OpenID (and its biggest acceptors). Two weeks ago Microsoft, Verisign, JanRain (a Portland-based startup), and SXIP ( Vancouver-based startup) announced that they would work with SixApart (early supporters, acceptors, and providers of OpenID) to support OpenID and integrate it with Vista's Identity manager CardSpace (Radar post). There was no mention of MSN or Live becoming acceptors or providers of OpenID. Last week AOL announced that they would become providers of OpenID, giving anyone who has an AIM account an OpenID (Radar post). Earlier this week Digg announced that they would become both a provider and an acceptor (Radar post).

Note in that flurry of announcement there was only one new big acceptor - DIgg. AOL, Microsoft are not accepting OpenID. Why not? What are the Pros and Cons of OpenID currently? Here's a crack at it (from the Radar Team):

OpenID Pros

  • You probably already have one - Via your AOL page or SixApart blog
  • You can make your own website into an OpenID provider - This is very simple and is what makes it so appealing to bloggers.
  • Saves you time when trying new sites and features - You already know your namespace is available
  • Desktop support is coming via Vista and Firefox 3.0 (Radar post)
  • Easy to maintain multiple identities - All you need are different URLs
  • It's decentralized - Not owned by any one company (MS Passport) or standards body (Liberty Alliance)

OpenID Cons

  • Though you have one, there are not many places to use it (yet) - The biggest sites that accept OpenID are SixApart's sites and Digg. None of the big players -- AOL, MS, Google, Yahoo!, MySpace -- accept OpenID.
  • The sign-in process can be very confusing and jarring to users - It requires going to another site - not the normal stay-on-one-site-sign-in system that people are used to. (It's about as user-friendly as when you learned 'http://')
  • Security Concerns have not been fully resolved - Because of the reliance on a second site for sign-in, OpenID is open to phishing attacks. These concerns are being actively addressed, but the solutions are still being tested and each OpenID has the latitude to choose their solution. An uninformed consumer may not realize that their provider is behind the times. Until this situation is resolved it is not suitable for high-privacy sites like banking, or health (if ever).
  • Unrealized loss of Anonymity - Currently, each site where you have a login only knows what you tell them about yourself. With OpenID, even thought you can maintain multiple identities, you are inherently tying a lot of services together and thus losing some amount of anonymity

So what does all that mean?
It means that there are a lot of people who have OpenID, but they don't have many places to use them yet, and they probably aren't aware that they have one. It is a good step towards solving some key online identity problems through an open standard that isn't trying to solve every problem at once and is instead focusing on deployment and handling issues and requirements as they arise organically. We are overall bullish on OpenID, but the security and usability issues need to be addressed before there is wide-spread user uptake and the larger players become acceptors.

What do you think?
You have an OpenID (whether you want it or not). Given the chance, will you use it? What do you feel are the biggest hurdles to its adoption? Are you more likely to use a service if you can simply plug in your OpenID? Do you trust it? Is there another identity solution that you think is being overlooked?


tags: web 2.0  | comments: 21   | Sphere It
submit:

 
Previous  |  Next

1 TrackBacks

TrackBack URL for this entry: http://blogs.oreilly.com/cgi-bin/mt/mt-t.cgi/5265

With the popularity of Web 2.0 comes an issue with multiple registrations for its adoptees; interactive sites require log-ins, and you'll soon find your list of log-ins requires a better memory than an elephant, as well as feel like you've give... Read More

Comments: 21

  Anonymous [02.23.07 12:16 AM]

I think OpenID is doing it pretty well on the Web2.0 market..as it is a simple and lightweight solution. However, for enterprises, academia and many other business SAML protocol and the techonologies that have appeared beyond SAML seem to be a more robust solution

  HeresTomWithTheWeather [02.23.07 12:35 AM]

If Myspace never supports it, who cares? There is exponentially more value in the long tail of social network websites than in Myspace.

My review of the good, bad & ugly of openid is at Identity Woman.

  Dan W [02.23.07 04:36 AM]


Simon Willison
made a great presentation about OpenID at the Future of Web Apps which covered the pros, cons and solutions. He made a great point about how if you follow a link from the front page of digg to some great new web app you could just log straight in using your digg account. Full audio and slides will be up soon but for now check out the photos on flickr and this great mind map of what he said.

  Dharmesh Shah [02.23.07 07:57 AM]

I think adoption could be helped considerably by someone developing a simple, open source Javascript widget that allows an OpenID login to occur without leaving a given site. This way, there is also some consistency is the login process instead of each provider creating their own UI.

If we had something like this, we'd use it on our small business community website.

  Johannes Ernst [02.23.07 08:42 AM]

Don't forget OSIS (which includes not only many of the companies you mention but also IBM, Sun, CA, Oracle, us at NetMesh and others). OSIS' goal is to build an Open-Source Identity System from many open-source parts.

  Devon Young [02.23.07 09:00 AM]

Yep, not enough places have it yet. And it's a bit harder to implement than a regular site sign-on.

  rektide [02.23.07 09:20 AM]

this is only pro/con article #2 that i've seen on openid (#1) and i'm already feeling ill.

not a single one of your cons is inherent to openid. it all boils down to hte identity provider and their implementation of authorization methods. the nub is, openid does not specify how a user and their identity provider interact, and besides the RP's relay, theres no reason it has to be web based. a request to the identity provider could trigger a cardspace application, or request a smartcard auth token. your identity provider could offer integrated ways of using pseudonyms. there is so little specified by the openid protocol, yet there seem to be these misconceptions and generalizations related to the current dominant implementations. even just a two-phase key would eliminate most phishing attacks.

couple days ago on the Azul thread Tim talked about how identity is the aggregation of your online presence. i think openid is a perfectly "good enough" solution to tie all the different threads together, for those who opt to create that central profile.

  Josh Peters [02.23.07 10:54 AM]

So...where's the O'Reilly Radar OpenID login at? I agree that OpenID is great, and if there is a dearth of folks accepting it, why not start accepting it for O'Reilly sites? (I know, I just upped the ante from Radar to other O'Reilly sites, forgive me)

  Scott [02.23.07 12:43 PM]

I just don't get the point of this stuff. As mentioned, this page doesn't support OpenID for commenting, but if it did, what would be the benefit?

  Simon Willison [02.23.07 03:44 PM]

Scott: Here's a simple benefit: those of us who use OpenID could comment here in a way that "proved" that it was really us who posted a comment. By coupling a comment to its author we prepare the ground for future services that might let people track conversations they are having around the Web.

  Simon Willison [02.23.07 08:46 PM]

Disregard the previous comment; *I* am the real Simon Willison!

  Don MacAskill [02.24.07 08:10 AM]

SmugMug just joined the party: http://blogs.smugmug.com/onethumb/2007/02/23/smugmug-embraces-openid/

I'm thrilled, OpenID is good for everyone, and I'm glad we can participate.

  Simon Wilson [02.24.07 12:01 PM]

No wait... I'm also Simon Wilson, but perhaps a different Simon Wilson than just posted. Quick... someone register SimonWilson.openid.org before I can!

I have an idea... let's create an entire identity space based on the english spelling of people's names! An OpenID is NOT a unique identifier, it does not help to distinguish between the many Simon Wilsons of the world and in its current implementation it does not seem to deal with the fact that I probably have 6 different OpenIDs because I have accounts with 6 different OpenID participant sites. That means there are 6 different versions of "me" in the OpenID system, with no intelligent way of linking them together.

Thank you,

The Real Simon Wilson

ps- do not accept any imitations!

  Johnny Bufu [02.24.07 03:49 PM]

> Unrealized loss of Anonymity

Anonymity / privacy are actually addressed in OpenID 2.0. You can choose to present a dedicated identifier / identity to each site where you don't want your 'global' identity revealed.

How does it work?
- At Site X, instead of entering your LiveJournal blog URL, you only enter livejournal.com (or rather the URL of their OpenID server).
- Once you login, your OpenID server creates a dedicated / private identifier that will be used *only* with Site X (and manages this relationship for you, so that you don't have to remember these things).
- You login to Site X, and all Site X knows about you is that you have a LiveJournal account - nothing more.

This feature is expected to be offered by many / most OpenID 2.0 providers. Currently Sxipper does this (I'm not actually sure about LiveJournal).

So the users have a choice of using their global identifier at sites where they want to build a global reputation, or use private / dedicated identifiers with other sites.

Johnny

  foobar [02.24.07 05:02 PM]

Johnny, what you describe sounds incredibly complex and unusable to the masses. "If I stand on my head and press control-alt-option-f-4 I can also use OpenID 2.0 to..." All of this I'm sure is fascinating to us navel-gazing alpha geeks, but there is no way that the general public is going to adopt this until it is easier. Just because we can doesn't mean we should.

  steve [02.25.07 01:16 AM]

I use openID with ZOOOMR. It is an annoying log in process.

  Doug Karr [02.27.07 03:22 PM]

Confusing and jarring? Has the author actually utilized it? If I login on Ma.gnolia.com, I immediately get a login/password request from OpenID on my browser and I'm immediately directed back... it's virtually invisible to the user! There's nothing 'jarring' about it.

  Adam Marsh [03.06.07 02:12 PM]

I think OpenID is a very elegant way to accomplish a very specific task: proving that you own a URL (for example the URL that I'm signing this comment with).

But as a general way to ease web logins, I think one of it's biggest hurdles is the difficulty of adoption by sites. I have some ideas on how that hurdle could be lowered; check out:

http://www.econometa.com/archives/51

  Simon Reinhardt [03.07.07 03:51 PM]

Johnny:
Don't those dedicated identifiers defeat the point of using your own OpenID server? Either you have your own server which you can trust - but then you can create as many dedicated identifiers on it as you want, they can all be related to you through a simple whois. Or you have an account on an identification provider for the masses which doesn't have any relation to you but owns all your data then and could stop existing in the future.

Simon:
I don't think being able to track conversations (or any other information) through identifiers is a good thing to have - I think the opposite is the case. Don't you worry that everyone could go and collect everything you write even more easily?

  Vinci [01.27.08 05:14 AM]

Yep, not enough places have it yet. And it's a bit harder to implement than a regular site sign-on. www.grupabiotop.pl

  Części Nissan [04.24.08 07:04 AM]

Open id is a very good ideas for me :). Im learn this article -impressive -Big thanks man

Post A Comment:

 (please be patient, comments may take awhile to post)






Type the characters you see in the picture above.

RECOMMENDED FOR YOU

RECENT COMMENTS