I still don’t understand the desire to translate emails into OpenID URLs. Surely to the user it’s “What I use to login”; it just happens that currently it’s predominantly email or username, but there’s no reason that can’t change. As has been said before, a lot of people understand the concept of the URL to their personal site, be that myspace, facebook, livejournal or whatever, and these will hopefully eventually all be usable as an OpenID.
OpenID sounds interesting. You can have your “designer URL” point to OpenID provider (with presumably “ugly” naming) as long as you can host static HTML on the former. This delegation or indirection allows you to switch providers, at the cost of having to consult two servers instead of just the latter one.
From reading the comments, I see you can even be your own OpenID provider (thanks mantrid). I assume then that means if you are paranoid enough to do that, then you must run it on your own hardware, not a shared web hosting service. Is this correct?
The Google App Engine offers this type of functionality. You can use their user base as your own.
So with OpenID you can create your own server, have to type longer URLs and it stores all your IDs in one place …
… How is this ‘secure’? It’s simpler maybe (and that’s debatable?)
Putting the password for a Forum I go to occasionally anywhere near the details of my on-line banking is madness …
Plus:
What happens if the OpenID server is offline?
What happens if you no longer own your OpenID domain?
What happens if you need to change your OpenID?
If you are worried about security:
Put a bootable Linux on a memory stick with kiosk mode browser and you have a secure portable simple system …
After reading this post and doing some research, I’ve decided to set up my own OpenID server on my website (asmor.com). Beats the hell out of the other options!
Sigh… Now I’m stuck at the long wait for the DNS info on my new subdomain to propagate…
I think SlashID offers a compromise between the two worlds: you still have to go to a third party (SlashID.com) to get an ID, but it’s a simple username and password, unlike OpenID’s URLs as identifiers. At the moment, SlashID is a centralized system unlike OpenID, so there are chances of an SPOF, but the SlashID guys say they’re working towards a de-centralized system. Sounds good to me.
OpenID as an idea is pretty cool, but the execution leaves something to be desired. It’s just another additional thing to carry/remember. I’d suggest using something everyone has and which also takes into consideration mobile users: the mobile phone and mobile phone number - almost everyone has one, and it’s constantly carried with you.
I use RoboForm. Granted, I only use 2-3 computers at most and I keep an encrypted copy of my RoboForm data on a thumb drive in case I need it someplace else (hasn’t happened yet).
Not a perfect solution, but it remembers for me.
Also, if I am on a site that requires a login and I don’t want to register for yet another site, I just go to bugmenot.com and find a UID/PWD that will work. Great for logging in to newspaper and magazine sites that want a (free) account to read stuff.
WA
OpenID is one of those ideas that us geeks really latch onto, but we forget that users aren’t geeks. It imposes a change from the status quo, more steps to remember and a potential for capturing their real login info from their OpenID provider if they aren’t careful about SSL.
I don’t see this as a problem that needs solving. Firefox remembers my logins just fine, I can use my email to recover them if lost and my firefox profile is easily backed up and transferred to other machines.
Why even have passwords? Everyone forgets them all the time anyway and uses the “i forgot my password”-function so just send us the login-link without forcing us through all these steps to recover our password.
Disposable login links sent to your email ftw.
- Instead of username/password you just fill in your email and click send.
- Wait 5 secs for a mail with a one-time-use login link, valid for ~10 mins, to drop into your inbox.
- Click this link and you are now logged in!
This assumes that most users have their email-client running all the time.
Then all you have to remember is your mail-account and mail-password.
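The one-time login-link flow described in the comment above, as an added example that is not part of the original thread or of any product mentioned in it. It assumes a hypothetical site at `https://example.invalid` (placeholder host) and an in-memory store; a real deployment would persist the pending tokens and send the URL by e-mail. The points worth seeing in code are the ones the comment relies on: a link is valid for ~10 minutes, it works exactly once, and the server keeps only a hash of the token so a leaked store does not yield usable links.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 10 * 60  # "valid for ~10 mins", as in the comment

# Placeholder host; a real site would use its own login endpoint.
LOGIN_URL_PREFIX = "https://example.invalid/login?token="


class MagicLinkStore:
    """Issues and redeems one-time login links for e-mail addresses.

    Only the SHA-256 hash of each token is stored. Tokens are single-use
    (redeem() removes them) and expire after TOKEN_TTL_SECONDS.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can advance time
        self._pending = {}         # token_hash -> (email, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email):
        """Create a fresh token and return the URL that would be e-mailed."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email.strip().lower(), expires_at)
        return LOGIN_URL_PREFIX + token

    def redeem(self, token):
        """Return the e-mail for a valid token and consume it; None otherwise."""
        # pop() removes the entry whether or not it turns out to be valid,
        # so a token can never succeed twice and expired ones are dropped.
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    def purge_expired(self):
        """Housekeeping: drop expired tokens; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


def token_from_url(url):
    """Extract the token query parameter from a login URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")   # constructed sample address
    print("mail this link:", link)
    print("first click  ->", store.redeem(token_from_url(link)))
    print("second click ->", store.redeem(token_from_url(link)))
```

The e-mail inbox is the only secret here, which is exactly the trade the commenter proposes: the link is as safe as the mailbox it lands in, so the token must be unguessable, short-lived and single-use, and the store must not hold it in the clear.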
How about a fingerprint sensor on my mouse? Then I don’t even have to remember my name. Maybe in 10 years…
Why do you need any credentials at all?
The thing I keep missing about OpenID is that it seems to have mechanisms in place to help users trust the provider(s) they choose, but I don’t see where web sites can trust the providers that their users are using.
I don’t want a hacker to set up an OpenID provider on a zombie server somewhere, and then use logins from that provider to log on to my site and dump spam all over the place, let alone conduct financial transactions. How do I, as someone who’d like to allow OpenID logins on my site, verify that the providers are legitimate?
In my experience, most sites/blogs that support OpenID are using it as an alternative to logins such as the one on this comment page. Seems pointless, since it’s just as much work as typing in your name/email.
Are there any major blogs that allow commenting with OpenID in lieu of account creation?
Interesting because stackoverflow.com is a site for advanced computer users. For 90% of the population the “Remember Password” check box in IE or FF takes care of the login issue, but stackoverflow is really for those 10% who consider security when browsing the web.
Still seems like a lot of work for a marginal benefit but I’m curious to see how it works out.
I think a lot of people are missing the point of OpenID, or aren’t understanding what it’s about.
As a consuming website (a site accepting an OpenID login), you don’t have access to the user’s credentials aside from (a) their OpenID URI, and (b) whatever is sent via SREG (simple registration) or Attribute Exchange (both of which allow the user to specify, via their OpenID account, what - if any - addition information above and beyond their OpenID URI is sent to the consuming website).
@Fake51: A decent OpenID provider will allow you to pick a STRONG password - randomly generated, 16+ characters long, upper/lower-case characters, numbers, symbols, spaces. Such a password makes it very difficult to “guess” with a dictionary attack.
@anon Wrong - signing up to a new site without OpenID will still require you to key in all the supposed required information in setting up a new account, which will not be stored in Firefox (the inbuilt password manager only stores the username, password, and associated site). Unless you are referring to data stored within Firefox’s form cache (which any good person will regularly clear out), you’ve missed the mark here.
@Aaron G: Microsoft Passport/Live is a centralised proprietary authentication system owned and run by Microsoft. OpenID is a decentralised system based upon open standards and is not “owned” by any single person or company. Yes, your login details are “centralised” at your OpenID provider, but they are “decentralised” from the consuming websites.
@alphager: You say you don’t want to type those “damn long OpenID-URLs with my cell phone”. Say your email address is with Yahoo!. How is typing in mynickname@yahoo.com much different or longer than me.yahoo.com/mynickname (a whole 3 characters longer)?
@Clinton Pierce: Whilst you make a point, this is the exact type of behaviour people should be changing. Having 1-4 usernames and 1-4 passwords with one email address is inherently insecure. Generally, email is inherently insecure (unless signed with a PGP/GPG key… and how often does that happen in the wild?). At least OpenID provides the option of security features that would usually mean an intruder would need to either (a) know the person (eg., to get mobile phone or fob), or (b) have access to their PC (for ID Cards (eg., CardSpace) or client certificates), or (c) both!
@Kris: URL vs email? As I said above, they’re not that different (replace ‘@’ with ‘/’).
@Jaster: no banking websites accept OpenID (yet?), probably never will. There is nothing to say that if this changed down the track, you couldn’t run two OpenIDs - one for day to day use, and one for secure mission-critical applications such as banking. Yes, that means two identities - but it’s still better than the current 50+ many people have. Even now, many people (certainly OpenID-proficient/keen) have OpenIDs with many providers. These can be tied together (to an extent - if one wishes it to be so).
@Olavi: Nice idea, but almost every site that provides interaction with mobile phones is US/Canada/UK limited - leaving most of the world in the dark. It would require too many contracts with network providers and too much stuffing round to get off the ground. Even established websites can’t offer decent worldwide mobile phone interaction with their websites to a user’s mobile phone.
@Wayne: bugmenot = FTW!
@bcl: New versions of web browsers are looking at SSL and user “awareness” more carefully. eg., changing the colour of the address bar based upon a good/bad SSL connection/certificate. Regardless, OpenID will always ask a user to accept/reject a login request for a new website. If this is asked on an already accepted/rejected site, then the user should be aware that something is amiss. Likewise, if the user is NOT asked on a new site, they should also be aware. People can’t afford to be complacent online - and many people (especially gen y’ers or technically-illiterate-yet-still-remain-online) already are.
The main thing to remember here is - you have choice. You have the ability to choose whichever OpenID provider you want. Check out their features, check out their security measures. Do you trust them? Do they support delegation? If not, move on. I use myOpenID and trust it. Why? It’s run by a company of good folk who have a key involvement and investment in the OpenID community, and are responsible for many of the open source libraries available.
It is not clear from this article what the difference is between having an OpenID which is ‘trusted’ (and only requires a URL to login) and having a website that only requires an e-mail address with no password.
What stops someone guessing your OpenID URL when it is ‘trusted’ and you no longer have to provide credentials to access a site?
Surely, anyone can guess your OpenID easily enough, at which point non-security-critical websites could bypass the whole process by making passwords optional, thereby making OpenID redundant.
@D. Lambert: You can request additional information when a new user logs into your site the first time using OpenID (or every time really I suppose). Ask them to perform a challenge request (eg., CAPTCHA) at your site after OpenID verification/login.
@Josh Stodola: Then you need to read the “Fingerprint Charade” by Kim Cameron at the Identity Blog - http://www.identityblog.com/?p=981
/shutting up now!
You talk about the complexity of setting up your OpenID provider… but that’s a one time cost. The additional overhead once you already have an OpenID provider is practically zero.
If you have your own domain, you can also delegate your OpenID so that I can keep the same OpenID URL (my domain name), but delegate the responsibility to a different provider next week if the one I have this week turns out to suck.
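Delegation, as described in this comment and in the earlier one about pointing a “designer URL” at a provider via static HTML, works by placing `<link>` tags in the head of the page at your own URL: OpenID 1.1 uses `rel="openid.server"` and `rel="openid.delegate"`, and OpenID 2.0 uses `rel="openid2.provider"` and `rel="openid2.local_id"`. The following is an added example, not code from the thread or from any OpenID library; it builds that identity page and shows the discovery step a consuming site performs when reading it. The hostnames are constructed, and `endpoint_is_acceptable` is a hypothetical policy helper illustrating the SSL point raised elsewhere in the thread: a consuming site should refuse to redirect the user to a provider endpoint that is not HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values defined by OpenID 1.1 and OpenID 2.0 for HTML-based discovery
DELEGATION_RELS = {
    "openid.server", "openid.delegate",        # OpenID 1.1
    "openid2.provider", "openid2.local_id",    # OpenID 2.0
}


def delegation_html(provider_endpoint, local_id):
    """Static HTML to host at your own URL so it delegates to a provider.

    Both the 1.1 and 2.0 tag pairs are emitted so either kind of consuming
    site can discover the provider. Swapping providers later means editing
    these four hrefs; the identity URL (where this page lives) stays the same.
    """
    return (
        "<!DOCTYPE html>\n<html><head>\n"
        f'<link rel="openid.server" href="{provider_endpoint}">\n'
        f'<link rel="openid.delegate" href="{local_id}">\n'
        f'<link rel="openid2.provider" href="{provider_endpoint}">\n'
        f'<link rel="openid2.local_id" href="{local_id}">\n'
        "<title>identity page</title>\n</head><body></body></html>\n"
    )


class _HeadLinkParser(HTMLParser):
    """Collects OpenID <link rel=...> tags from the <head> of a page."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False          # discovery only reads <head>
        if tag != "link" or not self._in_head:
            return
        attr = dict(attrs)
        href = attr.get("href")
        for rel in (attr.get("rel") or "").lower().split():
            # first occurrence wins, matching how discovery is specified
            if rel in DELEGATION_RELS and href and rel not in self.links:
                self.links[rel] = href


def discover_delegation(html):
    """Parse an identity page; return (provider_endpoint, local_id) or None.

    Prefers the OpenID 2.0 tags and falls back to 1.1. local_id is None when
    the page names a provider but no delegate (a real consuming site then
    uses the page's own URL as the identifier).
    """
    parser = _HeadLinkParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id")
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate")
    return None


def endpoint_is_acceptable(endpoint):
    """Hypothetical consuming-site policy: only redirect to HTTPS providers."""
    parts = urlparse(endpoint)
    return parts.scheme == "https" and bool(parts.netloc)


if __name__ == "__main__":
    # constructed sample: identity page at https://me.example delegating
    page = delegation_html("https://provider.example/openid",
                           "https://provider.example/alice")
    print(page)
    print(discover_delegation(page))
```

Because the page at your own URL is what the consuming site reads, whoever can edit that page controls where logins go; the indirection the earlier comment praises is also why that static file must be as protected as a password.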
Although I support OpenID as an application developer, my experience as a user has been quite bad so far!
That’s why for the moment, I’m all in favour of password managers:
http://evolvingworker.com/2008/4/4/in-favor-of-password-managers
I use 1password on Mac, RoboForms on Windows. I believe they’re both largely worth their price. There is also KeePass which is free.