Your Internet Driver's License

I believe there’s a parallel issue that a lot of these accounts exist purely to harvest email addresses from users. If I’m correct in this assumption, we could do away with a lot of user/pass combos if the harvesters just gave up on the idea of collecting them.

@Nick: Do you create a new email address for every site that you visit? How is that any different than OpenID? Knowing that I’m “the url http://burntpopcorn.net” when I log in doesn’t mean that when I log in from one place or another that they won’t magically be able to link that together any more than when I logged in with my email address.

@antic: what do you mean you just need to use a username/password to log in? How do you know that I don’t require two-factor authentication to log in to my OpenID provider? One like: http://code.google.com/p/google-authenticator/. That’s one of the benefits of OpenID in my opinion, because you can make your account as secure as you need it to be. Don’t you hate logging in to sites where they have ridiculous login requirements that don’t seem secure at all?

I do currently support OpenID. I actually ended up changing my comments bit on my own blog to Intense Debate for 2 reasons.

  1. It supported multiple login methods (most of the key ones).
  2. It was controlled by a 3rd party.
  3. It reduced load on my providers server by keeping that stuff on another system.

Of course, that is still up in the air at the moment due to a number of factors; since it is on another provider’s server, it could potentially affect the apparent performance of my site to visitors.

Supported auth methods:

  • Intense Debate
  • Wordpress.com (it’s a WordPress-powered blog, so it makes sense ;) )
  • Facebook
  • Twitter
  • OpenID

There’s a few things going on here:
a) convenience across sites
b) security
c) privacy

All these parameters have different pros and cons.

@ some earlier posters on the privacy angle and anonymous logins for different sites, check out a startup called Abine.

I’ve been using OpenID for years now, via VeriSign’s PIP thing (Symantec now owns it). I use my personal website address as my OpenID identifier. I know not everyone owns a domain name and can host it, add appropriate markup to the page to get it to work, etc. but I will say that I have never had problems with it and absolutely love it. I use VeriSign’s “SeatBelt” plugin for Firefox and it all “just works” for me.

That said, I care more about the idea and benefits than any given implementation. As someone else mentioned, this is a step in the right direction.

If people don’t like it, feel it is horrible, etc., that is fine - but rather than just complaining, work to make something better. Don’t tear something down that is currently working unless you are building something else up to replace it.

This is one of the biggest problems for everyone on the internet. Programmers must unite with standards!

Identity theft is rampant, and I wouldn’t trust anyone with knowing too much about me.

Banks and government agencies aside …

  • no one knows my full name
  • no one knows my real birthdate (except the friends who show up to buy me drinks).
  • no one knows my mother’s maiden name
  • no one knows my social security #
  • no one knows my real postcode (unless they actually deliver goods)
  • no one knows where I was born
This also goes for random people and surveys, and any store cards / loyalty cards I may get.

Why? I’m not paranoid, it’s just that they have no need, nor right to that information. I don’t have a big ego where I want to be able to google myself. Who I am is my business.

All that aside, I don’t see what’s wrong with OpenID. It’s fine because I can set up a number of different profiles for an email address I use for random activities (like SO or posting here).

From my perspective, OpenID solves

  • the insecure storage of credentials
  • easily mapping credentials to other held data (although likely not the case in practice)
  • 100 different implementations of password reset, forgotten password, insecure passwords in plaintext emails, etc

A commenter said:

Here’s where the driver license analogy breaks down: I have physical control over my license, it stays with me. No one can lose my license for me.

But - hey, maybe it should be exactly like a drivers license. Physical.

I use my own name everywhere on the Internet. I have lots of accounts. Logins tire me out. Now I use LastPass, which is convenient but doesn’t always work well. I use mainly 1 weak and 1 strong password.

My idea would be to use:

  1. login
  2. password
  3. random challenges for more security info
  4. Paypal has a great device which gives me a 6 digit number to type in appended to my strong password.
  5. a biometric: thumbprint for now and voice print later

Basically you need an ID name, a mental secure phrase, a random number generator (like Paypal) and a biometric. And the random number must be reinput about once every hour. This would produce pretty good security, but would still be a bit of a hassle.

OpenID is not the answer.

How can we trust OpenID when it is backed by Google, Facebook, Microsoft etc who have no interest in peoples’ privacy?

You cannot trust your OpenID provider not to cancel your ID without notice, locking you out of your online life, and ignore your emails completely. OpenID.net did it to us when we dared to criticise them.

David Recordon (Facebook & OpenID) has ignored a superior technology that was offered free, but cannot be controlled by the OpenID masters, why?

Simple fact is that OpenID is open in code only. It is funded by all the companies that cannot be trusted with private data and loaded with their staff. There is an open and user-centric solution which is being ignored by blogs promoting OpenID.

@Steve: Regarding your PS to me: ‘Bring me solutions, not problems’ is such an obvious fallacy. I’m ashamed to admit I don’t know the proper name for it.

OpenID is not a login protocol. It’s a homepage / URL verification scheme. Bending it for something else might make technical sense, but it’s hardly user-friendly. URLs are not designed as user identifiers, and the built-in address bar magic doesn’t help it.

It’s working on Stackoverflow because people have a lot more technical competence. For anybody else, only user@something accounts are viable. But it’s way too late for OpenID3 to fix that; never mind the anti-privacy features built into the protocol.

It’s more than clear from this and most threads about identity on the internet that identity authentication/verification/authorization is a very emotional hot button for a number of people. And just as clearly, quite misunderstood by many of those most concerned by it.

It’s good that you’re trying to find metaphors which help people understand it, Jeff.

Our new German password will allow you to prove your identity to a website. Unfortunately the internet is quite global and a one country solution won’t help much.
In the end it however should be a role of a government to be a trusted third party for identity.

Although I use openID for SO, it’s the only site I use it for and I can’t see it ever achieving mass adoption (normal internet users don’t understand it, advanced internet users barely understand it and don’t agree on its benefits).

OAuth2 is a bit better (at least normal users understand it) but personally I’d rather not have Facebook or whoever know what other sites I use.

My personal solution is to use 1Password for all sites - I register with an email address and a randomly generated password. 1Password remembers all the logins and provides them automatically (and syncs using Dropbox).

Third-party login modules seem very vulnerable to identity theft:

  1. evil website offers to sign you in with ‘gmail’
  2. shows facsimile of the gmail login page, collects your password
  3. evil site now owns your identity

Of course, if you use the same password everywhere, the same thing might happen, but if you don’t it won’t.

You have interesting timing. I very recently started building a blog network that uses Facebook for all authentication (sign-in/post, comments, etc), wall posts, etc. That part works; alas, it’s far from complete.

http://blogs.code-slinger.com/

So in other words you’re advocating for Microsoft Passport.

I was going to remark that the fact that you own a Louis Vuitton wallet (whether faux or real) renders all your arguments worthless. :) - but then I realized it wasn’t yours.

Well, that was bizarre. I click the sign on link, and get taken to TypePad (who are they?). I find OpenID, and enter my ID URL (<http://phpmyid.com/ ). Wait, before I click enter, I guess I should have a look at the ToS and Privacy Police: "By using TypePad, you agree to the TypePad Terms of Service and Privacy Policy."
The ToS say:
"Six Apart reserves the right to update and change this TOS from time to time without notice or acceptance by you"
The privacy police says:
"Six Apart reserves the right to update and change this Privacy Policy from time to time without notice or acceptance by you, "
So, does that mean if I use the site once, to sign in to comment on this blog, noticing that the privacy policy looks OK, that later Six Apart can change the policy to say “we will give all the information we have on you to anyone who asks, and for free”? (it might say that already, I don’t know). Even if I never use TypePad again?

I don’t want to have to agree to that bullshit just to comment on some blog. OK, but just this once I will. (Note to everyone concerned, a commenter shouldn’t have to agree to anything to merely comment, except at most the ToS posted by the website to which they are commenting.)

I am then asked if I want to trust “https://www.typepad.com/” (by my ID provider). Wait a minute! I don’t trust them, I wanted to post to Coding Horror, what’s up with that? OK, I hit no, and, huh? I’m sent to the main page for TypePad. Where’s the blog post I was reading? A bit more hassle and I click yes. Yay, I’m signed on.

OK, now for my post…

OK, I wanted to say that an ID card of some sort, such as OpenID can be great. But when I am carded ‘cause I look under 25, the booze store doesn’t record details of who I am, it just confirms I’m over 18. When I get stopped driving my car, the police don’t record my details unless I’ve actually committed (or am accused of committing) an offence. When a shop asks me for details “for warranty purposes” I refuse. I give fake information, or don’t answer in as many other places as required.
I also wish to say that the comments above about anonymous OpenID are good.
Oh, and if you don’t trust a big company, run your own OpenID (or multiple ones). You could, for example, use phpMyID <http://siege.org/phpmyid.php>.
–End post–
OK, click preview, umm, dudes, my URLs! < and > aren’t valid in URLs, so why is your URL catcher including them? It’s a standard way to surround URLs (especially those that contain spaces or other weird chars). I’ve removed the final > now.
Here is how the first URL was meant to look like:
my ID URL (<http://phpmyid.com/>). Wait,

Oh, and apparently I now have a TypePad profile. http://profile.typepad.com/6p0112791e8d9628a4
And can jump through hoops to deactivate it.
https://www.typepad.com/secure/account/request-deactivate-account
This is bullshit. Sorry Mr Horror, but I doubt I’ll be posting any more on your blog. Your comments in a previous blog about anonymous comments are off the mark. I have, in the past, thought about commenting (with insightful comments, and/or interesting links) but have refrained from doing so because of the absurd stuff I’ve documented in this post. I’ll be deactivating that account as soon as I post this…