Too Many OpenID Providers
One of the worries I had early on with OpenID as an authentication system was its decentralization, which is the key feature of the system. I still, to this day, don’t understand how a system like OpenID could be considered secure enough to use as a membership system for various sites.
Recently, a post on ReadWriteWeb discussed how many different providers there are and how you can set up OpenID authentication on your own site.
I enjoy the idea of being able to log into numerous sites with one set of credentials, but what is to stop OpenID from becoming a great tool for spammers to get into every site that accepts it for authentication? What stops me from having an OpenID at every provider, or on every domain I own?
It amazes me how many sites are using OpenID instead of the traditional username-and-password system we are used to.
OpenID is still in its infancy, but it is being picked up faster and faster by bigger companies and websites. Other than its decentralization, which stops a big company like Microsoft from controlling your data, what is so great about OpenID?
I would love to know more about people’s reasons for supporting OpenID. So if you are a fan of it, please let me know in the comments below.
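The question of what stops one person from holding an OpenID at every provider has a partial answer on the relying-party side, and the following is an added example of it: not code from this post, its commenters or any OpenID library. It normalizes the claimed identifier the way OpenID 2.0 section 7.2 prescribes (so case, scheme, default-port and fragment variants of one URL collapse to one key instead of looking like several users), accepts assertions only from OpenID Provider (OP) endpoints the site chose to trust, optionally requires the OP to report an authentication policy (the policy URIs are the ones defined by the OpenID Provider Authentication Policy Extension, PAPE 1.0), and keys a local reputation score on the normalized identifier. It assumes an OpenID library has already verified the assertion signature and confirmed via discovery that the OP is authoritative for the claimed identifier; the provider URLs, scores and thresholds are made up for illustration. Nothing here stops a spammer from registering many identifiers; it only makes each one accountable and keeps a self-hosted OP on a spammer's own domain from vouching for itself.

```python
"""Relying-party side policy for OpenID logins.

Added example for this post, not code from the author, the commenters or any
OpenID library. It assumes an OpenID library has already verified the
assertion signature and confirmed via discovery that `op_endpoint` is
authoritative for `claimed_id`; the provider URLs, scores and thresholds
below are made up for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Policy URIs defined by the OpenID Provider Authentication Policy Extension (PAPE 1.0).
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def normalize_identifier(ident: str) -> str:
    """Canonicalize a user-supplied identifier as OpenID 2.0 section 7.2 requires.

    "Example.com", "http://EXAMPLE.com", "http://example.com/#me" and
    "http://example.com:80/" all denote the same identifier; without this step
    one person would look like four separate users to a reputation system.
    """
    ident = ident.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[:1] in ("=", "@", "+", "$", "!"):
        return ident  # XRI i-name/i-number: resolved by XRI, left as typed
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))  # fragment dropped


@dataclass(frozen=True)
class Assertion:
    """The fields of an already-verified positive assertion that this policy needs."""
    claimed_id: str
    op_endpoint: str
    auth_policies: frozenset = frozenset()  # PAPE policies the OP says it applied


@dataclass
class RelyingPartyPolicy:
    trusted_ops: frozenset                      # OP endpoints whose word we accept
    required_policies: frozenset = frozenset()  # e.g. {PAPE_MULTI_FACTOR}
    min_score_to_post: int = 0                  # below this, comments are held
    scores: dict = field(default_factory=dict)  # normalized identifier -> score

    def decide(self, a: Assertion) -> tuple:
        """Return (verdict, normalized_id, reason); verdict is accept, moderate or reject."""
        ident = normalize_identifier(a.claimed_id)
        if a.op_endpoint not in self.trusted_ops:
            # A self-hosted OP on a spammer's own domain can assert anything it
            # likes about identifiers it controls; only trust OPs you chose.
            return ("reject", ident, "assertion from an OP we do not trust")
        if self.required_policies - a.auth_policies:
            return ("reject", ident, "OP did not report the required auth policy")
        if self.scores.get(ident, 0) < self.min_score_to_post:
            # Unknown or low-scoring identifiers are not blocked, just held for moderation.
            return ("moderate", ident, "identifier has no standing yet")
        return ("accept", ident, "ok")

    def record(self, claimed_id: str, delta: int) -> int:
        """Adjust reputation after moderation; returns the new score."""
        ident = normalize_identifier(claimed_id)
        self.scores[ident] = self.scores.get(ident, 0) + delta
        return self.scores[ident]


def demo() -> list:
    """Walk one identifier through the policy; all names here are constructed."""
    op = "https://op.example.net/server"  # assumed trusted OP endpoint
    policy = RelyingPartyPolicy(trusted_ops=frozenset({op}),
                                required_policies=frozenset({PAPE_MULTI_FACTOR}),
                                min_score_to_post=1)
    alice = Assertion("Example.com", op, frozenset({PAPE_MULTI_FACTOR}))
    verdicts = [policy.decide(alice)[0]]            # unknown identifier: held
    policy.record("http://example.com/#me", 2)      # same person, different spelling
    verdicts.append(policy.decide(alice)[0])        # now accepted
    rogue = Assertion("example.com", "https://spammer.example/op",
                      frozenset({PAPE_MULTI_FACTOR}))
    verdicts.append(policy.decide(rogue)[0])        # untrusted OP: rejected
    return verdicts
```

The order of checks matters: the OP allow-list runs before anything keyed on the identifier, because the identifier is only as trustworthy as the OP that asserted it and the discovery step that tied the two together.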
I hate making people sign up, and get yet another username and password to manage.
Allowing people to comment by leaving their email address is all right, but anyone can put in anyone else’s email address.
With OpenID, you can’t spoof who you are. Sure you can have a dozen domains, but I can still go back and see where you’re “coming from.”
I think a big problem in forums and comment threads is the perceived anonymity that people have. We’ve all seen internet “discussions” turn into a mess. People that think they are hiding behind some kind of smoke screen behave in ways they never would in public. OpenID provides easy identity.
Yes, it can be abused, but I’m always against punishing the well intentioned majority in favour of preventing a malicious minority. It doesn’t take away the necessity of moderating comments, but it gives people a way to say, “hey, this is me, and I can prove it,” without the necessity of many accounts, email verification, etc.
Hi, David. It’s definitely nice not to require users to register at a new site. OpenID has the potential to get rid of reg forms almost entirely, and that will be a beautiful day.
As for security:
* Phishing issues with OpenID are no greater than they are with any other website.
* OpenID doesn’t specify an authentication method; so a provider can implement 2-factor auth or some other seriously strong mechanism, and then your site, the consumer application, could choose only to allow in users with strong auth.
* The ‘one password’ problem is a practical non-issue since users often have only one password across sites anyway. Also see the previous point.
As for spam, you’re absolutely correct that OpenID doesn’t explicitly solve spam. It does create a unique identifier, however, and reputation systems will grow around that.
All in all, OpenID is solid and tech-savvy people should be using it. It’s the foundation block for data portability (see http://dataportability.org for more), and soon we’ll all own our data, services will compete on features, and we’ll all finally be happy. ;p
I like OpenID for what it is: an easy way to log in to some public websites with one account. Yes, OpenID has problems with anonymity, but that problem goes way beyond OpenID. Anyone who thinks they have privacy on the net is crazy. Just think of what your ISP and Google know about you, not to mention the dozens of other tracking sites. If you don’t want someone to know something about you, then NEVER publish it online, regardless of whether it’s said to be private and viewable only by friends.
I prefer to use OpenID for sites where I don’t really care if someone knows it’s me, or even if my password is compromised. Of course I don’t want that to happen, and I take preventive measures, but it’s not the end of the world if someone logs into my bookmarking site, etc.
OpenID should never work for online banking or commerce sites. Those sites need lots of security and their own unique user name and password combinations. Unfortunately too many people use the same password for their banking site as they do for everything else.
Alex also brings up some good advantages of OpenID in his comment.
If you want to learn more about OpenID and security, I suggest you check out the “More Secure OpenID” article on my blog.
Platforms and applications are not innately secure, so it’s up to the OpenID providers to implement their own security measures, in which case you have to choose one that is secure.
As fast as OpenID is growing, it may take some time to completely take over traditional username/password sign on and as you mention in your title – we may face the problem of not only having too many passwords to manage but too many OpenIDs as well…
Louise
By the way, PassPack plans on supporting OpenID so I’m an interested party.
I agree that OpenID should not be used to access my bank account (at least not by itself), but I’m pretty sure the nature of its security is perfect. Depending on your overall level of information paranoia you can choose a provider that gives you the security you want, or even go as far as implementing it yourself, but it still leaves room for the average Joe who just wants to store his bookmarks on Ma.gnolia. As stated multiple times above, many people, including myself, use the same password everywhere, which at least in my case means that if they ever want to change their usual password then they have to also change it everywhere, or else they lose the “benefit” of always using the same password. If I could change my password in one place and not need to update it in twenty others, I would be more inclined to change my password more often, making it at least a little more secure.
OpenID is an alternative to user/password authentication that has most of the security issues Email Login has, but…
Think about really secure providers (like your bank or some other institution) where you can be sure that they provide real and secure data about the user, for services that need such data.
@Eric DeLabar
Just wanted to comment on all the talk of reusing the same password across sites - It’s really not a good idea. If you are not using any applications to store your passwords, at the very least a password generator is a good idea.
Having a ‘master’ password is a great time-saving idea – but having a ‘master’ password for an OpenID or a ‘master’ password for a password manager is very different from using and reusing the same password on different sites.
It’s easier to keep one ‘master’ password to a secure storage safe. It’s less easy (and less likely) that one password on twenty different sites is safe – considering most of the time when surfing sites, we don’t usually know what security is being used to actually protect our passwords.
Finding out that all twenty of your accounts have been compromised is a lot more frustrating than using 20 different passwords.
Louise
OpenID is not designed to be a SPAM-fighting or validation service. It’s simply supposed to be a unified login system.
Just like spammers can sign up with a randomly generated username and password, they can sign up with a randomly setup OpenID. That’s not something OpenID is trying to combat or prevent.
OpenID is *only* supposed to give you a single interface for logging into every site you visit, nothing more. Expecting anything else out of it is a misconception.