Your Internet Driver's License

#22

Please, simplify.

Facebook and Twitter are quickly becoming the dominant identity providers.

This is plenty enough in most cases.

For special cases, a classic email based id should be OK.

ie: Twitter for professionals, Facebook for kids, email for geeks.

:slight_smile:

#23

“Identity” has to do with the ability to connect, not to our “essential being” or the control we may think we have about our environment. There are good and bad connections though, and to discriminate them is probably the most important thing to learn. In fact, there aren’t many other things that important in life, and most of them are just a matter of chance

Of course, if I can’t control my identity, no one (no other… identity) should have that power in my stead.

#24

An account on a website is more like a loyalty card than a driver’s license. And I just checked… I have 34 pieces of “ID” like that in my wallet and on my keychain. No, 36, I forgot the access cards around my neck.

I don’t want a single ID. I have multiple IDs. It’s none of your business what MMOs I play, and I have no interest in sharing just how geeky I am with random high level druids on some game, so googling for my RPG character won’t pull up messages posted with my real name, and vice versa. And if I have to carry two “loyalty cards” to make sure of that, that’s fine.

#25

I personally DO NOT WANT THIS. I don’t want all my internet accounts to be linked together. I don’t want to FB connect the world. I don’t want any random Googler to be able to procure a profile of me and my interests in a 2 second search. Internet is freedom only while its anonymous.

Websites that use OpenID/FB Connect have been nothing but a pain in the ass. Want an account from me? Sure, here is an email and password (a la Mint.com), because thats all you need, not my ID (“Open” or otherwise). That’s exactly two fields that are actually required to “identify” an account. You want to please your users? Make those the only required pieces of information to register. Its way faster and simpler than OpenID, your users will appreciate it.

If your website uses OpenID or FB connect as a primary means to “register” that’s about a 90% chance right there that I wont be using it.

Honestly, Jeff, I don’t know why you preach this tech so much. I consider this one of the few big design mistakes of SO. I never have used my OpenID anywhere else and I had to make two already because my Verisign OpenID provider was an exceptional pain in the ass to use. Then you, the developer, had to go and code up a way so that your users could change their openids or assign multiple ids or switch between them. Why?!!! Where is the so called convenience for you or me?? If you just required an email and password (and perhaps a username, since its a publicly facing acct) for SO neither you nor me would have these problems.

So stop it. OpenID is a terrible idea. Its used by companies that want to own and track your “online presence,” to the user it brings no convenience whatsoever.

#26

Whenever I think about OpenID I feel it comes dangerously close to a walled garden. Jeff even had a post about this a while back:

http://www.codinghorror.com/blog/2007/06/avoiding-walled-gardens-on-the-internet.html

If everyone is forced to adhere to some universal internet sign-on policy it kind of defeats the freedom of the internet. Having to keep track of multiple usernames and passwords is a bit of a hassle but I don’t think this is the answer.

To quote Jeff from the article I mentioned “The lesson I take from this is that no matter how wonderful your walled garden is, it can’t compete with the public, open internet.”.

#27

The concept of “Open ID” (and I use that term generally) is more or less a server side version of a password vault, with arguably more security concerns around social engineering. You are putting a lot of trust in the sites that host your identity and presumably, their admin/help desk folks that may or may not be able to back door to your identity to “troubleshoot problems”.

As this method becomes popular, it will also add another means to phish. Or malicious virtual lap dance sites may just collect your user/password anyway on the way to verifying if your login actually works at the authenticator’s site.

That said, is it any worse than using your same email/password on various sites that maintain their own identity management? (Which a LOT of people do, including techies that should know better). I bet if Jeff implemented his own user/password sign in where he actually stored the password at both here and stack overflow, he would have the gmail, yahoo, hotmail logins of a LOT of users.

#28

Web accounts in general have two parts: Authentication and Authorization.

OpenID passes the Authentication part off to a random third-party.

It’s the perfect case of favoring convenience over security.

As a web developer, I feel this falls too far on the convenience side, and I’m unwilling to potentially compromise my system’s Authorization scheme by allowing untrusted third-parties for the Authentication phase.

Convenience over security is also a major reason as to why Windows post-NT still has a checkered security history: Windows 2000/XP and its “create all users as Administrators” default on standalone or non-Active Directory networked computers.

#29

Btw, great job on having stack overflow change the lives of developers. Win!

Facebook has definitely become my internet driver’s license. I’m using it right now!!! Twitter is still a little obscure in my opinion. The problem is, I don’t feel very secure giving that license to everyone. They can get a lot of info about me when I FB connect. Scary . . .

http://tech.rawsignal.com

#30

The commenters proclaiming doom because somebody can find out everything about you have forgotten a simple fact: You can create multiple identities.

If you don’t want your posts on a forum about spanking your wife in a furry bunny suit to be associated with your professional blog, use a different ID. That’s the beauty of OpenID, you can create precisely as many identities as you need and, sites willing, use the right one for the right job.

#31

Sounds exactly like cardspace and info cards. Although it never took off… .for three reasons I think…

  1. It was window’s only… although there were mac and linux implementions.

  2. The info cards were not portable but installed on a specific PC.

  3. No major web sites really implemented it. Heck, even microsoft still stuck with passport nee live id.

BOb

#32

@Gordon. What if I don’t want ANY of my online identities to be associated to each other? Also, how would the scheme you describe be different from the “traditional” scheme of having a different account for different sites?

You shouldn’t have to do extra work to remain anonymous; “anonymously” should be the default and the most convenient way to register. Creating a new OpenID for every website is not more convenient than supplying acctname/email/password for every service that you want to use. Hence, in my book, OpenID should be an alternative option to an existing registration system, at best, for those cases where you care more about convenience than remaining anonymous. (ex. Hacker News)

#33

@Gordon Tyler - But we already have functionality where we can create as many ids as we want. We create individual IDs for as many sites as we want already. Even multiple IDs for the same site if we desire!

That’s hardly the beauty of OpenID, it’s the beauty of what’s been implemented for years now. OpenID is supposed to try and reduce the amount of accounts you need to have. Once you start talking about creating multiple OpenIDs for different purposes you’re actually moving away from what OpenID is trying to accomplish.

#34

I have some issues with OpenID.

If a provider goes down, is hacked or changes their format, you’re sunk, not just one one site, but on every site you used.

Users are unfamiliar with the concept, they might forget which provider they used to login in with at one time and login with a different provider the next time. The site has no way of connecting the identities.

Using your drivers license metaphor: I don’t want every blog I comment on to know my weight, address, or even my full name, I want a way to control who gets what information.

I agree that this single credential idea is good and has a lot of potential, but I am wary of evangelizing it to the world before it is ready. If people use it and dislike it, it could crush this idea forever. It’s like nuclear power, the accidents that occurred in its infancy set adoption of the technology back by decades. Wait until you get something that’s idiot proof, then I’ll evangelize it.

#35

Ok, so I wanted to sign in…

  1. I click on the link, and go to TypePad WTF? what is TypePad...
  2. Oh, there's a link that I can select other ID providers... Hmmm, Have I used Facebook, Yahoo, or Google with this site before? I think I use my Yahoo ID for Stack Overflow, so I'll try that.
  3. Enter email.
  4. Now - which standard password did I use? (got it on the second try ;)
  5. Ok, signing in - Uh Oh - "Error: Bad Gateway" - blank page.
  6. Now what? I click the back button. Look around... "I am signed in as Steve" Yay! I did it!
  7. Whew! Even with an array of OpenID providers, this is pretty broken.
I didn't use my open ID provider because, to the best of my knowledge I have to enter some hideous string to use it. If I could enter an OpenID username/password, then I would use it... As it is, it is unworkable for me, cause I have to look up the string in a file somewhere.

However, it seems to me that because all of my email providers (I have Yahoo and GMail), and my Facebook and Twitter accounts are OpenID providers, I don’t really need to think about all this so much, as I have an array of usable ID’s available. The problem is being solved behind my back. So, the evangelizing mostly applies to website developers, who now need to implement the OpenID signing for maybe ten providers, and most everybody is happy.

p.s: @Robert Baker: if you are going to complain about the driver’s license metaphor, maybe you should suggest a better one. IMO “drivers license as a default identity credential” is a pretty decent metaphor. Just ignore the fact that it is also a license to operate a motor vehicle.
p.p.s: OMG the furry bunny suit!

#36

No, Steve, “drivers license as a default identity credential” is a pretty stupid metaphor, outside the United States. In many countries, there’s a government-issued ID that everyone must have since very early in their life . Also, in the US, everyone pretty much relies on cars, which is not a universal fact either.

I don’t think anyone in Argentina will accept your drivers license as a generic identity credential.

#37

at first i didn’t like the openId requirement. “How hard is it to track user names and passwords?” I thought. And said. Repeatedly. Until Jeff told me to STFU and go somewhere else. Not really. But almost.

But now that there’s, what, 500 stack sites, having a single sign-on for all of them is convenient. Kudos!

#38

The problem with current Internet Driver’s License systems like OpenID and OAuth is that they still rely on the user storing a username/password on a site somewhere–and then using that site as an authentication authority.

What we need is a widespread adoption of GPG/OpenPGP. If everyone had a public/private keypair, we could authenticate using cryptographically secure signatures, which would remove the need for us to hand over the private keys to our identities to 3rd parties. Granted, power users can already setup their own OAuth/OpenID servers but that system still lacks the key signing circle of trust that GPG has built in.

Besides, I’d love to sign my tax documents with a GPG signature instead of send along a plaintext SSN, which is absurdly passed around and stored in countless databases already.

So let’s get some developers to relaunch http://www.gpgauth.com/ – that’s my vote.

#39

@Nicolás Alvarez: The States issue State IDs that look almost identical to Drivers Licenses. Driving is not mandatory to having a license.

@Nov8r: Having a network-wide login doesn’t require it to be implemented using OpenID. It just means you need access to the same database.

#40

@Nick & @Sean, the problem with the current system is that you have no choice. You have to have a separate identity on every site even if you want to share an identity across some subset of sites.

I also don’t see where the claim of lack of anonymity comes from. The only truly anonymous way to participate on a site is if it allows participation without login. Otherwise, you’re identified in some way or another. Heck, your IP address identifies you unless you’re paranoid enough to use TOR.

I think this OpenID thing is still new. I think that, at some point in the future, OpenID providers may start providing easy ways to generate new “anonymous” identities that you can use to login to sites that you don’t want to connect to one of your main identity. Think of it like one-time use credit card numbers.

#41

Is that a real wallet? Wow, somebody spends a lot of time/money on “entertainment.”

Ontopic:
OpenID = good. There is better. One step at a time…