Back in summer 2008 when we were building Stack Overflow, I chose OpenID logins for reasons documented in Does The World Really Need Yet Another Username and Password:
This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
“Internet Driving License” is a horrible metaphor for the problem of internet identity and authentication.
Just to note that there is no Shanghai Peking Development Bank, it’s Shanghai Pudong Development Bank; which i would never have bothered pointing out if i had to register here just to comment (so i still illustrate your point).
Oh, I don’t know Robert - I quite like the idea of certain sites preventing people from interacting until they’ve passed a test of some sort
In Belgium ID cards are being progressively replaced by eID cards.
With it, we identify ourselves online and use a wide range of gov services, but also anyone who wants to supports it. There is an API for that: http://eid.belgium.be/nl/binaries/eID_Developers_Guide_tcm147-63130.pdf
One ID for everything (administrative gov stuff, banking, club membership, online logins, …) is our future!
Indeed Stuart. Except that’s exactly what Jeff isn’t talking about
Here’s where the driver license analogy breaks down: I have physical control over my license, it stays with me. No one can lose my license for me.
Also, I would dispute the assertion that third-party auth makes the internet better, rather it is a transfer of responsibility from users to the third party.
This post also doesn’t address what I thought was Rob Conery’s best argument, that it is entirely plausible to end up with multiple accounts at the same site be using multiple sign in providers. Not so much “single sign on” at that point.
Kevdog: If you’re so big on responsibility, why not run your own OpenID provider? It’s not hard, and if you run it on a box that lives in your house then you can even have physical control over it too.
Regarding the use of multiple sign-on providers: I went to the doctor once and said “Doctor, it hurts when I hold my arm up over my head and twist it around like this!” And the doctor said: “Well, don’t do that, then.”
Pierre: As a citizen of the United States I find myself dismayed at the thought of using the same credentials when I log onto a website in order to make a comment, and when I get pulled over for driving too fast. I dunno, maybe Belgian cops are all trustworthy, and you’d never have to worry about it potentially being trivial for them to identify your political opinions et cetera? But that’s a lot more information than I’m comfortable with the idea of J. Random State Trooper – you know, the one who’s twenty-two years old and white and shaves his head and listens to Glenn Beck on the radio – being able to find out about me while I’m sitting on the side of the road waiting for him to turn me loose.
@Kevdog: The problem with multiple sign in providers is partially solved when your application does a quick check on email-address. If you already have an account with that email-address you can join these.
I can log in with Facebook, Twitter, Google, Wordpress.com and OpenID. But i only have 1 email address for all of them so that whould be a good solution, at least for me.
We have internet driving licence in Sweden. It’s called BankID and you can use it to log into your bank, insurance, tax-declaration, student registry and some other governmental services.
It’s pretty good for the high trust services like these but i wouldn’t use it for a random internet forum/facebook etc. I want to be more or less anonymous there. I don’t even think it’s possible for any random developer to get access to it through API or something like that, it’s designed only for banks etc, as opposed to the belgium eID Pierre posted about.
A good idea pushed to the limit doesn’t result in a great one. It would degrade and become mediocre. The last thing I want is to give up the greatest gift of the internet, my anonymity, and expose my true identity on every website that asks me to login for no apparent reason. Expect IDL forgery to become commonplace and rightly so I must say.
The solution is not to enhance our identification mechanisms but to limit identification to when it’s truly needed. Take you website for instance, why are you forcing me to login to leave a comment when a Name text box suffices?
@ Aaron Em: Just because a website authenticates against some third-party agent (before accepting your comment) doesn’t necessarily mean the third-party can track your identity back to your comment.
Oh dear. The European Computer Driving License actually IS a scheme to show you passed an exam (to ‘drive’ your computer, presumably). http://www.ecdl.org/programmes/
@Ashkan Aliabadi: Just a name text box is essentially the same as anonymous comments. That can make moderating very hard.
What about Facebook or Twitter connect? Those sites are much more prominent amongst the mainstream, while oauth/openid have been struggling to “cross the chasm” from the beginning.
+1000 for the expert Photoshop mockup.
Posted using my OpenID
@Vicentvw: Twitter uses OAuth. Facebook as also pledge to support OpenID: http://developers.facebook.com/blog/post/246
I agree with this post; which doesn’t mean OpenID should be a strong authenticator, I should be able to create accounts without them being linked to my real identity.
The whole use of your (Belgian) eID for online shopping and whatever idea has always been enormously short-sighted and needs to die in a fire. I’m Belgian and while giving the cops my eID is one thing (for them, it really is the same as a driver’s license), handing private entities a singular tracking identifier of me is something I will never submit to. Not that using it for tracking would be legal, but when did that ever stop anyone?
It’s a similar problem with OpenID. Usually when I post something somewhere with OpenID, you can follow it back to that identity. It’s not just the owner of the blog that can see who I am (or at least one identity of me), it’s whoever cares to crawl back down the link to my identity page. Which makes it a really good way to create targeted marketing user profiles.
Now @Aaron, there really is very little chance Belgian cops could get at much more information than American cops could using your driver’s license. The data collected from your eID, i.e. an identifier used to log you into that forum, lives in a private database that they simply don’t have access to. Even their access to government owned databases is in theory heavily regulated. I’ve heard of at least one example of a guy getting a not-so-friendly visit by the FBI after some anonymous comments on a forum, so you might want to watch what you say either way. Especially now that anti-terror laws mean you can be put away for years for what are basically thought crimes.
In practice, cops do often violate the restrictions based on them (most common example, opening up the files on celebrities that commit suicide). At least we know about it (access is logged meticulously), but unfortunately we don’t really do anything about it, which is a cautionary tale for anyone supporting giving the government (any government) more access to your data.
So in the past 10 minutes I created a Google ID under the name of Big Foot, and logged in here to post a comment. Where exactly did my identity come into the picture?