"Identity" has to do with the ability to connect, not to our "essential being" or the control we may think we have over our environment. There are good and bad connections though, and to discriminate between them is probably the most important thing to learn. In fact, there aren't many other things that important in life, and most of them are just a matter of chance.
Of course, if I can't control my identity, no one (no other… identity) should have that power in my stead.
An account on a website is more like a loyalty card than a driver's license. And I just checked… I have 34 pieces of "ID" like that in my wallet and on my keychain. No, 36, I forgot the access cards around my neck.
I don't want a single ID. I have multiple IDs. It's none of your business what MMOs I play, and I have no interest in sharing just how geeky I am with random high-level druids in some game, so googling for my RPG character won't pull up messages posted under my real name, and vice versa. And if I have to carry two "loyalty cards" to make sure of that, that's fine.
I personally DO NOT WANT THIS. I don't want all my internet accounts to be linked together. I don't want to FB Connect the world. I don't want any random Googler to be able to procure a profile of me and my interests in a 2-second search. The Internet is freedom only while it's anonymous.
Websites that use OpenID/FB Connect have been nothing but a pain in the ass. Want an account from me? Sure, here is an email and password (a la Mint.com), because that's all you need, not my ID ("Open" or otherwise). That's exactly two fields that are actually required to "identify" an account. You want to please your users? Make those the only required pieces of information to register. It's way faster and simpler than OpenID, and your users will appreciate it.
If your website uses OpenID or FB Connect as the primary means to "register", that's about a 90% chance right there that I won't be using it.
Honestly, Jeff, I don't know why you preach this tech so much. I consider this one of the few big design mistakes of SO. I have never used my OpenID anywhere else, and I have had to make two already because my Verisign OpenID provider was an exceptional pain in the ass to use. Then you, the developer, had to go and code up a way so that your users could change their OpenIDs, or assign multiple IDs, or switch between them. Why?!!! Where is the so-called convenience for you or me?? If you just required an email and password (and perhaps a username, since it's a publicly facing acct) for SO, neither you nor I would have these problems.
So stop it. OpenID is a terrible idea. It's used by companies that want to own and track your "online presence"; to the user it brings no convenience whatsoever.
If everyone is forced to adhere to some universal internet sign-on policy, it kind of defeats the freedom of the internet. Having to keep track of multiple usernames and passwords is a bit of a hassle, but I don't think this is the answer.
To quote Jeff from the article I mentioned: "The lesson I take from this is that no matter how wonderful your walled garden is, it can't compete with the public, open internet."
The concept of "Open ID" (and I use that term generally) is more or less a server-side version of a password vault, with arguably more security concerns around social engineering. You are putting a lot of trust in the sites that host your identity and, presumably, their admin/help desk folks, who may or may not be able to back-door your identity to "troubleshoot problems".
As this method becomes popular, it will also add another means to phish. Or malicious virtual lap dance sites may just collect your user/password anyway on the way to verifying whether your login actually works at the authenticator's site.
That said, is it any worse than using the same email/password on various sites that maintain their own identity management? (Which a LOT of people do, including techies who should know better.) I bet if Jeff implemented his own user/password sign-in where he actually stored the password both here and at Stack Overflow, he would have the Gmail, Yahoo and Hotmail logins of a LOT of users.
Web accounts in general have two parts: Authentication and Authorization.
OpenID passes the Authentication part off to a random third party.
It's the perfect case of favoring convenience over security.
As a web developer, I feel this falls too far on the convenience side, and I'm unwilling to potentially compromise my system's Authorization scheme by allowing untrusted third parties for the Authentication phase.
Convenience over security is also a major reason why Windows post-NT still has a checkered security history: Windows 2000/XP and its "create all users as Administrators" default on standalone or non-Active Directory networked computers.
Btw, great job on having Stack Overflow change the lives of developers. Win!
Facebook has definitely become my internet driver's license. I'm using it right now!!! Twitter is still a little obscure in my opinion. The problem is, I don't feel very secure giving that license to everyone. They can get a lot of info about me when I FB Connect. Scary...
The commenters proclaiming doom because somebody can find out everything about you have forgotten a simple fact: you can create multiple identities.
If you don't want your posts on a forum about spanking your wife in a furry bunny suit to be associated with your professional blog, use a different ID. That's the beauty of OpenID: you can create precisely as many identities as you need and, sites willing, use the right one for the right job.
@Gordon: What if I don't want ANY of my online identities to be associated with each other? Also, how would the scheme you describe be different from the "traditional" scheme of having a different account for different sites?
You shouldn't have to do extra work to remain anonymous; "anonymously" should be the default and the most convenient way to register. Creating a new OpenID for every website is not more convenient than supplying acctname/email/password for every service that you want to use. Hence, in my book, OpenID should be an alternative option to an existing registration system, at best, for those cases where you care more about convenience than about remaining anonymous (e.g. Hacker News).
@Gordon Tyler - But we already have functionality where we can create as many IDs as we want. We create individual IDs for as many sites as we want already. Even multiple IDs for the same site if we desire!
That's hardly the beauty of OpenID; it's the beauty of what's been implemented for years now. OpenID is supposed to try to reduce the number of accounts you need to have. Once you start talking about creating multiple OpenIDs for different purposes, you're actually moving away from what OpenID is trying to accomplish.
If a provider goes down, is hacked or changes their format, you're sunk, not just on one site, but on every site you used.
Users are unfamiliar with the concept; they might forget which provider they used to log in with at one time and log in with a different provider the next time. The site has no way of connecting the identities.
Using your driver's license metaphor: I don't want every blog I comment on to know my weight, address, or even my full name. I want a way to control who gets what information.
I agree that this single-credential idea is good and has a lot of potential, but I am wary of evangelizing it to the world before it is ready. If people use it and dislike it, it could crush this idea forever. It's like nuclear power: the accidents that occurred in its infancy set adoption of the technology back by decades. Wait until you get something that's idiot-proof, then I'll evangelize it.
I click on the link, and go to TypePad. WTF? What is TypePad...
Oh, there's a link where I can select other ID providers...
Hmmm, have I used Facebook, Yahoo, or Google with this site before?
I think I use my Yahoo ID for Stack Overflow, so I'll try that.
Enter email.
Now, which standard password did I use? (Got it on the second try ;)
Ok, signing in - Uh oh - "Error: Bad Gateway" - blank page.
Now what? I click the back button. Look around... "I am signed in as Steve" Yay! I did it!
Whew! Even with an array of OpenID providers, this is pretty broken.
I didn't use my OpenID provider because, to the best of my knowledge, I have to enter some hideous string to use it. If I could enter an OpenID username/password, then I would use it... As it is, it is unworkable for me, because I have to look up the string in a file somewhere.
However, it seems to me that because all of my email providers (I have Yahoo and Gmail), and my Facebook and Twitter accounts, are OpenID providers, I don't really need to think about all this so much, as I have an array of usable IDs available. The problem is being solved behind my back. So the evangelizing mostly applies to website developers, who now need to implement OpenID sign-in for maybe ten providers, and most everybody is happy.
P.S. @Robert Baker: if you are going to complain about the driver's license metaphor, maybe you should suggest a better one. IMO "driver's license as a default identity credential" is a pretty decent metaphor. Just ignore the fact that it is also a license to operate a motor vehicle.
P.P.S. OMG, the furry bunny suit!
No, Steve, "driver's license as a default identity credential" is a pretty stupid metaphor outside the United States. In many countries, there's a government-issued ID that everyone must have from very early in their life. Also, in the US, pretty much everyone relies on cars, which is not a universal fact either.
I don't think anyone in Argentina will accept your driver's license as a generic identity credential.
At first I didn't like the OpenID requirement. "How hard is it to track user names and passwords?" I thought. And said. Repeatedly. Until Jeff told me to STFU and go somewhere else. Not really. But almost.
But now that there are, what, 500 Stack sites, having a single sign-on for all of them is convenient. Kudos!
The problem with current Internet Driver's License systems like OpenID and OAuth is that they still rely on the user storing a username/password on a site somewhere, and then using that site as an authentication authority.
What we need is widespread adoption of GPG/OpenPGP. If everyone had a public/private keypair, we could authenticate using cryptographically secure signatures, which would remove the need for us to hand over the private keys to our identities to third parties. Granted, power users can already set up their own OAuth/OpenID servers, but that system still lacks the key-signing circle of trust that GPG has built in.
Besides, I'd love to sign my tax documents with a GPG signature instead of sending along a plaintext SSN, which is absurdly passed around and stored in countless databases already.
@Nick & @Sean, the problem with the current system is that you have no choice. You have to have a separate identity on every site even if you want to share an identity across some subset of sites.
I also don't see where the claim of lack of anonymity comes from. The only truly anonymous way to participate on a site is if it allows participation without login. Otherwise, you're identified in some way or another. Heck, your IP address identifies you unless you're paranoid enough to use Tor.
I think this OpenID thing is still new. I think that, at some point in the future, OpenID providers may start providing easy ways to generate new "anonymous" identities that you can use to log in to sites that you don't want to connect to one of your main identities. Think of it like one-time-use credit card numbers.