11 Reasons Why OpenID Rocks/Sucks
shoemoney.com — OpenID is something I have been hearing more and more about. This article points out some really good reasons why it's good and bad.
- 794 diggs
- chipitople, on 10/12/2007, -6/+36: I didn't even know what OpenID was until now ;)
- killerofkiller, on 10/12/2007, -11/+4: http://duggmirror.com
- ElliotShoe, on 10/12/2007, -20/+2: http://www.shoemoney.com/2007/02/20/11-reasons-why-openid-rockssucks/
Direct Link
- GopherGod, on 10/12/2007, -5/+13: This seems like a good idea, but now it gives hackers only one ID to compromise.
That is the last thing I need. And yes, I realize that some people use the same ID and password from site to site, but that is not my fault.
Plus, it holds the user at ransom to the site that created the password system. Hopefully OpenID can get around that, but the future is long... who knows what can happen in the future.
- idonthack, on 10/12/2007, -3/+5: @elliotshoe
Um... that's the link at the top of the page
- Techreads, on 10/12/2007, -4/+13: 130k adsense check, and can't even buy a dedicated server. Seriously wtf.
I've had some interesting conversations with people lately regarding OpenID. What is OpenID? It's 1 login/password for every site that supports it. As you may have noticed we've implemented it here in the comments and soon you will have to have an OpenID in order to leave a comment. Now Microsoft tried to do this with Passport years ago and many websites including eBay tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn't work out. Typekey is a similar system and they've done a pretty good job but... there still isn't widespread adoption. Part of the problem with Passport and Typekey is that it is a centralized system. OpenID, for better or for worse, is a de-centralized authentication system.
Most of us have agreed that it would take some really big websites to implement OpenID in order for it to really gain some traction. Today Kevin Rose announced that they are moving to OpenID to authenticate users. As usual, we are ahead of the curve, and have already done so. Try to keep up, Kevin. Even bigger than Digg would be if WordPress would implement OpenID as part of the core package. This would for sure have launched it into the mainstream. Then again, there would be almost no need for their Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)
Unfortunately, it's not all roses; here are 11 reasons OpenID Rocks and Sucks.
Here are 5 reasons why I think OpenID Rocks:
1) 1 ring to rule them all - why wouldn’t you want the ability to have 1 sign-in across all blogs?
2) Bye-bye comment spam.
3) Verify who is actually making comments. Many fake Matt Cutts’, Jason Calacanis’ make comments and require verifying IPs or other time-consuming checks when prolific people do comment.
4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.
5) De-centralized authentication leaves no single player holding all the cards.
Here are 6 reasons why OpenID sucks:
1) It is (as yet) too complicated for the average website owner to implement.
2) The security implications of this type of cross-site authentication haven’t been fully explored.
3) OpenID doesn't necessarily provide trust. There's nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.
4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”
5) Hackish implementations. For example, the WordPress plugin actually creates local WordPress users behind the scenes. In my opinion, this is an unacceptable hack.
6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity provider's authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.
Want an OpenID? Get one here
- Atomic1fire, on 10/12/2007, -3/+3: typekey is an openid provider
profile.typekey.com/username
- aRgusChung, on 10/12/2007, -0/+5: @Gopher it is the same as having 1 email address to compromise. If you have an email address associated with your accounts, a "hacker" needs only to compromise that email account to have access to everything else.
If you used multiple email accounts, you'd probably use multiple openIDs in the same way.
- aRgusChung, on 10/12/2007, -0/+3: @gopher also you aren't held at ransom by any site. That's the point. You set a URL of YOUR choosing and point to any provider you want from there.
- podgey22, on 10/12/2007, -1/+1: An article that doesn't suck: http://digg.com/programming/The_Pros_and_Cons_of_OpenID
- garyv, on 10/12/2007, -7/+6: Kevin Rose said today at FoWA that they were supporting OPENID
- jd33, on 10/12/2007, -0/+6: Ah... getting rid of some of the comment spam would make it so worth it.
- DigeratiPrime, on 10/12/2007, -1/+2: I doubt it will stop the spam, where there is a will...
- hutchy, on 10/12/2007, -1/+8: http://duggmirror.com/tech_news/11_Reasons_Why_OpenID_Rocks_Sucks/
- fox40, on 10/12/2007, -7/+1: man, these sites go down quickly, not even 100 diggs
- petepetepete, on 10/12/2007, -7/+0: It was the best of times, it was the worst of times.
- aRgusChung, on 10/12/2007, -3/+21: I'm getting sick of this FUD over OpenID. It has THE SAME "TRUST" AS EMAIL BASED AUTHENTICATION. The only differences are:
1. You can change your provider at any time but keep your same openID (a plus)
2. They can't send you anything (another plus).
YOU manage your authentication. They don't need to send you password resets etc. They don't have an email address to sell to a third party, or to spam you with their product "newsletters". OpenID is BETTER than email based account management.
The only true con is that you REQUIRE a website (1 page) to use one.
1) It is (as yet) too complicated for average website owner to implement.
Uh.. you paste a line of html into your index page.
2) The security implications of this type of cross-site authentication haven’t been fully explored.
It's as secure as email as a login mechanism. If your webserver is compromised you lose. If your email server is compromised you lose. How is this any different?
3) OpenID doesn't necessarily provide trust. There's nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.
Yes there is. You don't link to the fake Mark Cuban's provider in your page. It's as simple as that. What's to stop someone from making a fake email address claiming to be you?
4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”
This is called RTFM. Put "openid" into any search engine and there's your answer. If someone knows enough about OpenID to want one, they will be able to find out how to get one.
5) Hackish implementations. For example, the wordpress plugin actually creates a local wordpress users behind the scenes. In my opinion, this is an unacceptable hack.
This has nothing to do with OpenID as a standard. Just the quality of the particular plugin you're looking at.
6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity providers authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.
Your "security" on financial sites is only as secure as the email address you associate with it. Your online banking security is only as secure as your email account.
Just as with email, you can be your own provider. There is no requirement to EVER trust a third party.
The ONLY WAY to compromise an OpenID account is to either compromise the webserver hosting the link to the provider, or to compromise the provider. If your email server gets compromised it's the SAME RESULT.
- greyfade, on 10/12/2007, -5/+1: having had a web server compromised (which I do not administer), I really have a hard time seeing the appeal of OpenID. woo, single-sign-on using your blog URL. the ease with which a server (or account) might be compromised is so frighteningly simple, I cannot see myself ever using OpenID for anything - not even logon for blog comments.
IMO, for that reason alone, OpenID is yet another fad to avoid.
- pkulak, on 10/12/2007, -0/+4: I never thought about it before, but it really is just a nicer email authentication. CraigsList has been doing OpenID for years now. :D
- aRgusChung, on 10/12/2007, -0/+3: @greyfade
"having had a web server compromised (which i do not administer), i really have a hard time seeing the appeal of OpenID. woo, single-sign-on using your blog URL. the ease with which a server (or account) might be compromised is so frighteningly simple, i cannot see myself ever using OpenID for anything - not even logon for blog comments.
IMO, for that reason alone, OpenID is yet another fad to avoid."
If your webserver was compromised you should change hosting companies regardless of OpenID.
As far as administration, do you administer your email server? Why do you have more trust in your email server than your webserver? Do you perceive a difference between the two?
To answer your question about appeal, you maintain control of your online identity and you don't need to give the site an address to spam you with.
- quickgold192, on 10/12/2007, -5/+7: Having "open" in the name will probably be the single reason it succeeds
- phlux, on 10/12/2007, -0/+3: The concept behind OpenID is terrific. As @GopherGod points out - it represents a single security vector - but that is not a deal breaker.
The other issue is that of people being pissed off if their username is taken. I have not looked into open ID fully yet (reading up on it now) but what would seem to work is the ability to map a local site-user-display-name to a unique OpenID. e.g.
my openID is 12398034290
on Digg openID:12398034290==phlux
on Slashdot:12398034290==_ph1ux_
but on Slashdot:phlux==openID:9087340923
Additionally, if you have a variety of N-factor auth types - it's all the more appealing (SecurID tokens, biometrics, etc) - couple all these together. Since you can deploy your own OpenID server so that the auth path is within your network, it looks like the future to me....
What also would be interesting is a log-in log. So I could go to OpenID - enter my userID and see a log of all sites I visited and my credentials were passed to.
(ya ya personal privacy and all that - I should have the option to clear that log when I want and the option to not log at all)
I am working on a site and I would love to use Open ID so long as it has that mapping capability.
- GopherGod, on 10/12/2007, -4/+3: So let me get this right... Basically I don't log in, but I am just a "giant cookie" and websites recognize me when I use the site?
This only plays into the hands of e-marketers... they may not have an email address, but they can definitely target you with advertising. Maybe even build a database of these "Open-IDs"
Maybe I cannot envision this, but it doesn't seem that great. Too many websites depend on you logging into the site, and it will never truly be universal.
- phlux, on 10/12/2007, -1/+2: I am not clear if it's completely cookie based. That sounds like a red flag - cookies are spoofable..
it sounds like it is similar to SIP... I'll have to look.
also - you probably can't know someone's email address from the openid (unless openid is your email addy - which would be lame for many reasons)
- aRgusChung, on 10/12/2007, -0/+2: @Gopher
Short answer No.
Longer answer:
OpenID gives the user power over their online identity. The verification scheme does not give any company unsolicited access to you. Your provider (you can be your own provider as well) authenticates your identity. All OpenID proves is that YOU have access to modify a page on a webserver. The exact same way email does nothing other than prove YOU have access to read msgs sent to X address.
I'm not sure what your concern is about being targeted or having a "database of OpenIDs". What would such a database accomplish and how would they send you anything?
- aRgusChung, on 10/12/2007, -0/+1: @phlux
Your "username" on your provider is irrelevant. The "username" you use for sites is your own URL unless you choose to use the URL your provider sets aside for you.
For example, if my website was "arguschung.com" I would put "arguschung.com" as my openID name. The site would go to arguschung.com and look for a snippet of html in the header, which points them to my provider. I get redirected to the provider and the provider asks me if I want to allow this site to check against my authentication there. If I accept, the provider confirms my identity to the site and now I'm "logged in".
Now if I had used the URL from my provider directly I could have put "arguschung.myprovider.com" and the steps would have been the same. The site goes to arguschung.myprovider.com and looks for the snippet instead of my personal URL.
- GopherGod, on 10/12/2007, -2/+1: @argu
It is not my concern, I actually work in online marketing. I am on the research side.
If our site can give you a cookie, it can also read your open ID. Maybe create or pay for access to a database who somehow builds a profile on you... maybe your age, where you are from, sites you visit... etc..
I'll be honest, I don't fully understand the way this works, but I don't think it will prevent someone from emailing you, but it won't stop them from marketing to you. It might even make them better at it.
- aRgusChung, on 10/12/2007, -0/+1: @Gopher
This is how it works. There isn't any "cookie" based authentication that follows you from site to site. When you log into a site with your openID, you get redirected to the provider specified by you, in the URL you use as your ID. This happens at each site you log into. The site is then responsible for setting a session cookie for that site alone. No cookie is set by your OpenID provider that persists between sites.
It's the same as any conventional email based authentication. It just has the added step of verifying with a 3rd party, rather than the site's internal user management, and keeps your email address out of it.
- phlux, on 10/12/2007, -0/+1: @Argus...
So the biggest issue I see here is that my openID provider must also be up in order to let me get around ok...
wait for an openID DB to get huge - then DOS the individual site and now you have potentially millions of users unable to login to N sites.
So resiliency (and maybe even latency) need to really be thought out. Right now I am sure that latency is not an issue - but this has been a problem on many many MMORPG games that use central sign-on clusters. Logging into Galaxies was a no-go when it came out due to insufficient resources. Many others were laggy in the process...
- ddn3d, on 10/12/2007, -0/+4: @GopherGod
So let me get this right.. You don't have a clue how this system works. You don't have a grasp of the technologies involved because "its not your concern". You're not in a position to judge because you don't "get it".
And yet you make pronouncements about what it will and will not do? You sir, are a jackass. No wonder I ditched that ***** college.
- blukeg, on 10/12/2007, -1/+1: my impression is openid plays the role of a certificate authority: an openid server says the user is who they say they are. so the same problems that plague CA chains will be a problem here too.
also, i read recently, AOL and Microsoft are both supporting (or plan to support soon) openid; those are big players too.
- pkulak, on 10/12/2007, -0/+2: EDIT: I was a bit mean and deleted it.
OpenID is about authentication, not identification or trust, or anything else like that. All it says is that the person at your page owns myid.myprovider.com: nothing else.
- aRgusChung, on 10/12/2007, -0/+2: @pkulak
Sweet and sour christ, finally someone gets it.
- Takteek, on 10/12/2007, -0/+7: What a definitive / inconclusive title!
- safiire, on 10/12/2007, -0/+0: I just read up on how a site requires openID authentication, and it just requires a URL to your name at an openID provider.
- Urusai, on 10/12/2007, -3/+1: Why would I want to identify myself on the anonymous internets? *****!
- Poco, on 10/12/2007, -0/+4: I didn't even know what OpenID was before I read this and I created an ID on myopenid.com to try it out (so for those who say you need a web page, you don't).
What I will say is that the authentication is less than what you get with email authentication, or at least less work for the user. That is, unless the site ALSO does email authentication of an openID user then they can't trust the user any more than they could before without email authentication.
Obviously email authentication isn't perfect, but I just created an openID account on myopenid.com without a valid email and I used that openid to login to some of the supporting sites without a valid email address. So it was really no better than me clicking on a "register" icon on that site and giving a bogus email address. I guess it saves me a few steps for every other openid site I sign up with, but it doesn't help that site at all.
I'm not sure I understand the point.
- aRgusChung, on 10/12/2007, -0/+2: You don't "need" a URL if you use the one your provider gives you. That just kills a lot of the advantage of OpenID.
To effectively use OpenID you need a single web page. Let's say Poco.com.
First you get a provider set up. Let's say myopenid.net. You set up a username and a password. In this example you do Bob1234 as a user name.
After finishing at the provider you paste 3 lines of HTML in the header of the index page of your site, that contain the info needed to point to your provider. (This code is given to you by your provider).
So now you login to a site with your openID. You type in "Poco.com" and click login. The site goes to Poco.com and looks for your provider snippet. When it finds it, it goes to the provider and you authenticate. The provider tells the site that you're good to go and now you're "logged in".
By using your own URL to login instead of say "poco.myopenid.com", you can change providers at any time but keep your same OpenID of "Poco.com". That way you are never at the mercy of any provider and have full control over your online identity.
You don't need a domain either. You could have members.geocities.com/bob/dobs/1876/myid.html and put the snippet in there. It'd just be an ugly OpenID ;)
- Poco, on 10/12/2007, -0/+2: I get that.
I guess it is cool to have the same "name" everywhere. But that is the only thing it gives me which is also true if I login using an email address like poco@poco.com. I suppose it limits the spam as you don't have to give an email address, but is that it?
Also, I expect most sites will still allow for a "friendly name" like Poco so that if my openid was members.geocities.com/bob/dobs/1876/myid.html you wouldn't see that in the header of this comment. Then you have to ask, does the friendly name have to be unique on a site like Digg? Would you want someone submitting stories as "arguschung"? If they are unique then you have to go through some sort of Digg registration page anyway, so why bother with openid?
As for trusting an openid, I got to thinking that a web site might trust an openid if they trusted the provider. If I had a web site I could allow openid logins but only if they are provided by Google. Then I can trust them as much as I trust Google. That is, I can assume that there will not be anymore spam bots logging into my site as spam bots logging into Google. Only if a site truly trusts the provider can it trust any of the openids that are being provided.
Of course, if someone hacked into an openid provider then all the ids it provides could be used by the hacker. So as a user I would have to trust the provider too.
I guess we have to see how it all plays out.
- aRgusChung, on 10/12/2007, -0/+1: Kinda.
Traditionally your identity is attached to an email address. The biggest problem with email as authentication, is that it gives ANYONE with your address direct unsolicited access to you. The second problem, is your identity on any given page is managed on that site. You give a provider a password and trust them with it. Unless you have a different password for every site you visit (many people do not) you risk giving the provider access to the rest of your accounts.
As a provider I could easily write a line of php into my login page that logs your HTTP_REFERER string and over time, I'd probably have a fairly complete list of sites you visit regularly. I could pull up your account info from my site and go down the list.
With OpenID you give nothing but a URL to a site. That's it. No direct access to you. No passwords.
The OpenID provider doesn't own your identity either. You can change providers on a whim and keep the same name, provided you use your own URL. You can even be your own provider.
Another benefit vs email, is if a "hacker" compromised an OpenID provider, they would have to know what sites you used beforehand. There is no "list of sites" on the provider's end for them to go running after. The provider doesn't associate themselves with your external URL either, so there is little linking you directly to the account. Email on the other hand, often contains personal information and account info.
Another nice thing about OpenID, is that at the first sign of a compromise you could switch providers in a matter of seconds.
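The flow aRgusChung walks through above (the site fetches the URL you typed, reads the provider snippet in its header, then sends you to that provider) together with Poco's point that a site might accept OpenIDs only from providers it trusts, as an added example. This is not code from the thread, from shoemoney.com or from any OpenID library; it models the OpenID 1.x discovery step over an in-memory set of constructed pages (poco.com, untrusted.example, the provider endpoints and the allowlist are all invented), and the signed request/response exchange with the provider is deliberately left out.

```python
"""Toy OpenID relying party: discovery, delegation and a provider trust policy.

Added example, not code from this thread or from any OpenID implementation.
All domains, endpoints and page contents are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages, keyed by URL, standing in for HTTP fetches.
PAGES_BEFORE_SWITCH = {
    "http://poco.com/": (
        '<html><head>'
        '<link rel="openid.server" href="https://www.myopenid.com/server">'
        '<link rel="openid.delegate" href="https://poco.myopenid.com/">'
        '</head><body>Poco</body></html>'
    ),
    "http://untrusted.example/": (
        '<html><head>'
        '<link rel="openid.server" href="https://idp.untrusted.example/server">'
        '</head></html>'
    ),
    "http://nosnippet.example/": "<html><head></head><body>plain page</body></html>",
}
# The same user URL after moving to another provider: only the two <link> lines change.
PAGES_AFTER_SWITCH = dict(PAGES_BEFORE_SWITCH)
PAGES_AFTER_SWITCH["http://poco.com/"] = (
    '<html><head>'
    '<link rel="openid.server" href="https://id.otherprovider.example/openid">'
    '<link rel="openid.delegate" href="https://poco.otherprovider.example/">'
    '</head></html>'
)
# Provider hosts this particular site has decided to accept (constructed allowlist).
TRUSTED_PROVIDERS = {"www.myopenid.com", "id.otherprovider.example"}


def normalize_identifier(typed):
    """Turn what the user typed ("poco.com") into the URL the site will fetch."""
    typed = typed.strip()
    if "://" not in typed:
        typed = "http://" + typed
    parts = urlparse(typed)
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"


class _OpenIDLinks(HTMLParser):
    """Collects <link rel=... href=...> tags from the user's page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.lower().split():  # rel may carry several tokens
                self.links.setdefault(token, href)


def discover(identifier_url, pages):
    """Read the provider snippet on the user's page.

    Returns (provider_endpoint, delegate) or None if there is no openid.server
    link. `delegate` is the name the provider knows the user by; without an
    openid.delegate link it is simply the user's own URL.
    """
    html = pages.get(identifier_url)
    if html is None:
        return None
    parser = _OpenIDLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        return None
    return server, parser.links.get("openid.delegate", identifier_url)


def accept_login(typed_identifier, pages, trusted_providers):
    """Decide whether this site will start an OpenID login for the typed URL.

    The local account key is the user's own URL, so a different snippet on the
    same page (a provider switch) still maps to the same account here.
    """
    identifier = normalize_identifier(typed_identifier)
    found = discover(identifier, pages)
    if found is None:
        return {"ok": False, "reason": "no openid.server link on page", "account": None}
    server, delegate = found
    endpoint = urlparse(server)
    # Policy of this example, not a protocol requirement: the provider endpoint
    # must be HTTPS and its host must be on the site's allowlist.
    if endpoint.scheme != "https":
        return {"ok": False, "reason": "provider endpoint is not https", "account": None}
    if endpoint.hostname not in trusted_providers:
        return {"ok": False, "reason": f"provider {endpoint.hostname} not trusted", "account": None}
    return {"ok": True, "reason": "redirect user to provider",
            "account": identifier, "provider": server, "delegate": delegate}


if __name__ == "__main__":
    for pages in (PAGES_BEFORE_SWITCH, PAGES_AFTER_SWITCH):
        print(accept_login("poco.com", pages, TRUSTED_PROVIDERS))
    print(accept_login("untrusted.example", PAGES_BEFORE_SWITCH, TRUSTED_PROVIDERS))
```

Running it shows the two sides of the thread's argument in one place: `poco.com` keeps the same local account before and after the provider switch because the site keys on the user's URL, not on the delegate name, while a page that points at a provider the site has not chosen to trust (or that carries no snippet at all) never gets as far as a redirect.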
- Visk, on 10/12/2007, -0/+1: From the article:
URL to get an open ID: http://www.myopenid.com/
- marksmayo, on 10/12/2007, -0/+1: Information on how digg is going to be supporting OpenID: http://digg.com/tech_news/Digg_Will_Support_OpenID
- rubah, on 10/12/2007, -0/+0: I still think an openid authentication system would be really swell for such as guestbooks or tagboards like on personal sites.
I said that last time too and people moaned about how not everyone had an OpenID, but didn't AOL just recently give one to all of their users? There's a few more million right there, on top of the ones LiveJournal already gave, and the other sites that have.
for some reason, my host refuses to install the openid module, so I can't do anything on it right now (and I wouldn't know where to start, frankly; coding stuff is over my head still yet xD) but c'mon, someone!
- reverb, on 10/12/2007, -0/+3: From http://openid.net/about.bml : "This is *not* a trust system."
I'm not sure the author understands this.
- mprasad, on 10/12/2007, -0/+0: Hey all, posted this in the Digg adopts OPEN ID story, but it also applies here:
There's a Open Discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It'll be an open forum so anyone can ask questions. If you're interested in showing up, check out http://www.idcast.org (site is being put up today).
To clarify a few things I've been hearing on here, the concept of OPEN ID is that it's decentralized and there will be many providers. Currently the source for most providers is open so anyone can see what's going on. It gives you a choice on controlling your identity, and more control on who sees what. Also, there IS work being done on security, and a lot of us are hoping to see increased security features become available. Bottom line is that there needs to be, and if adoption of OPEN ID is good, then there will be. Any OPEN ID provider can build on the technology, and someone WILL do it, provided there's enough reason to do so.
Either way, with so many recent providers adopting OPEN ID, it's definitely something to be paid attention to. Come to the Skypecast tomorrow, ask questions. idCast.org is trying to create an open forum so you guys can help shape what happens.
Hopefully I'll see some of you there!
- thuhn, on 10/12/2007, -0/+0: We all know that the number of OpenID enabled sites is still pretty limited. To support the growth of the community, we've been putting a lot of effort into gathering all available links in http://openiddirectory.com . Please check the available sites and submit any more you can find!
- besonen, on 10/10/2007, -0/+0: i prefer unique username/password combos for all of my accounts.
a compromised openid account means that the attacker then has access to all of the accounts on all of the sites with which the compromised openid has been registered. this is something i want to avoid so i don't use openid.
and to the folks who say that email addresses can be compromised with regular credentials: the fact is it would be more effort to access multiple accounts even if they referenced the same email address than it would be to access these same accounts all registered with the same openid.
- crossers, on 07/23/2008, -0/+0: oh, thanks for the article, because I'd heard about openID but until now didn't know what it means.
http://www.shpe-sac.org
http://www.ocflex.com/
http://www.trgovinca.org
http://www.chasr.org/