Back in summer 2008 when we were building Stack Overflow, I chose OpenID logins for reasons documented in Does The World Really Need Yet Another Username and Password:
âInternet Driving Licenseâ is a horrible metaphor for the problem of internet identity and authentication.
Just to note that there is no Shanghai Peking Development Bank, itâs Shanghai Pudong Development Bank; which i would never have bothered pointing out if i had to register here just to comment (so i still illustrate your point).
Oh, I donât know Robert - I quite like the idea of certain sites preventing people from interacting until theyâve passed a test of some sort 
In Belgium ID cards are being progressively replaced by eID cards.
With it, we identify ourselves online and use a wide range of gov services, but also anyone who wants to supports it. There is an API for that: http://eid.belgium.be/nl/binaries/eID_Developers_Guide_tcm147-63130.pdf
One ID for everything (administrative gov stuff, banking, club membership, online logins, âŚ) is our future!
Indeed Stuart. Except thatâs exactly what Jeff isnât talking about 
Hereâs where the driver license analogy breaks down: I have physical control over my license, it stays with me. No one can lose my license for me.
Also, I would dispute the assertion that third-party auth makes the internet better, rather it is a transfer of responsibility from users to the third party.
This post also doesnât address what I thought was Rob Coneryâs best argument, that it is entirely plausible to end up with multiple accounts at the same site be using multiple sign in providers. Not so much âsingle sign onâ at that point.
Kevdog: If youâre so big on responsibility, why not run your own OpenID provider? Itâs not hard, and if you run it on a box that lives in your house then you can even have physical control over it too.
Regarding the use of multiple sign-on providers: I went to the doctor once and said âDoctor, it hurts when I hold my arm up over my head and twist it around like this!â And the doctor said: âWell, donât do that, then.â
Pierre: As a citizen of the United States I find myself dismayed at the thought of using the same credentials when I log onto a website in order to make a comment, and when I get pulled over for driving too fast. I dunno, maybe Belgian cops are all trustworthy, and youâd never have to worry about it potentially being trivial for them to identify your political opinions et cetera? But thatâs a lot more information than Iâm comfortable with the idea of J. Random State Trooper â you know, the one whoâs twenty-two years old and white and shaves his head and listens to Glenn Beck on the radio â being able to find out about me while Iâm sitting on the side of the road waiting for him to turn me loose.
@Kevdog: The problem with multiple sign in providers is partially solved when your application does a quick check on email-address. If you already have an account with that email-address you can join these.
I can log in with Facebook, Twitter, Google, Wordpress.com and OpenID. But i only have 1 email address for all of them so that whould be a good solution, at least for me.
We have internet driving licence in Sweden. Itâs called BankID and you can use it to log into your bank, insurance, tax-declaration, student registry and some other governmental services.
Itâs pretty good for the high trust services like these but i wouldnât use it for a random internet forum/facebook etc. I want to be more or less anonymous there. I donât even think itâs possible for any random developer to get access to it through API or something like that, itâs designed only for banks etc, as opposed to the belgium eID Pierre posted about.
A good idea pushed to the limit doesnât result in a great one. It would degrade and become mediocre. The last thing I want is to give up the greatest gift of the internet, my anonymity, and expose my true identity on every website that asks me to login for no apparent reason. Expect IDL forgery to become commonplace and rightly so I must say.
The solution is not to enhance our identification mechanisms but to limit identification to when itâs truly needed. Take you website for instance, why are you forcing me to login to leave a comment when a Name text box suffices?
@ Aaron Em: Just because a website authenticates against some third-party agent (before accepting your comment) doesnât necessarily mean the third-party can track your identity back to your comment.
Oh dear. The European Computer Driving License actually IS a scheme to show you passed an exam (to âdriveâ your computer, presumably). http://www.ecdl.org/programmes/
@Ashkan Aliabadi: Just a name text box is essentially the same as anonymous comments. That can make moderating very hard.
http://www.codinghorror.com/blog/2010/02/welcome-back-comments.html
What about Facebook or Twitter connect? Those sites are much more prominent amongst the mainstream, while oauth/openid have been struggling to âcross the chasmâ from the beginning.
+1000 for the expert Photoshop mockup.
Posted using my OpenID
@Vicentvw: Twitter uses OAuth. Facebook as also pledge to support OpenID: http://developers.facebook.com/blog/post/246
I agree with this post; which doesnât mean OpenID should be a strong authenticator, I should be able to create accounts without them being linked to my real identity.
The whole use of your (Belgian) eID for online shopping and whatever idea has always been enormously short-sighted and needs to die in a fire. Iâm Belgian and while giving the cops my eID is one thing (for them, it really is the same as a driverâs license), handing private entities a singular tracking identifier of me is something I will never submit to. Not that using it for tracking would be legal, but when did that ever stop anyone?
Itâs a similar problem with OpenID. Usually when I post something somewhere with OpenID, you can follow it back to that identity. Itâs not just the owner of the blog that can see who I am (or at least one identity of me), itâs whoever cares to crawl back down the link to my identity page. Which makes it a really good way to create targeted marketing user profiles.
Now @Aaron, there really is very little chance Belgian cops could get at much more information than American cops could using your driverâs license. The data collected from your eID, i.e. an identifier used to log you into that forum, lives in a private database that they simply donât have access to. Even their access to government owned databases is in theory heavily regulated. Iâve heard of at least one example of a guy getting a not-so-friendly visit by the FBI after some anonymous comments on a forum, so you might want to watch what you say either way. Especially now that anti-terror laws mean you can be put away for years for what are basically thought crimes.
In practice, cops do often violate the restrictions based on them (most common example, opening up the files on celebrities that commit suicide). At least we know about it (access is logged meticulously), but unfortunately we donât really do anything about it, which is a cautionary tale for anyone supporting giving the government (any government) more access to your data.
So in the past 10 minutes I created a Google ID under the name of Big Foot, and logged in here to post a comment. Where exactly did my identity come into the picture?