Who needs OpenID?

by Julie Gomoll on July 30, 2007

Openid
When I first heard about OpenID, I thought “great – one central place with only one ID to remember. Then numerous OpenID sites opened, and I realized my assumptions were wrong. Still, I thought, it’s good that we’re working on more secure ways to access multiple sites. Then I went and signed up for an OpenID, found nothing particularly secure about it, and realized the rest of my assumptions were wrong, too.

OpenID is not centralized, and it is not about security. In fact, it’s arguably less secure than getting a separate login for each site you visit.

Here’s how it works:

  • You go to an OpenID provider. There are lots of them springing up. Here’s a list of OpenID providers.  You can even run your own OpenID server on your own domain.
  • You sign up, and get your own URL & password.
  • When you go to a site that supports OpenID, you’re automatically redirected to that URL, where you say “yes, it’s me”. Different providers handle things differently, but the ones I’ve encountered ask you for a password.
  • Once you affirm that you are you, and that you want to log into this other site, you’re sent back to that site with your identity confirmed.

So basically, the site you’re registering for is saying “we’re not going to worry about your name and password – we’ll trust that your OpenID site has handled all that and let you in.” You still need to register for the new site if you want any information about you saved.

Why is this less secure? If everyone switches over to OpenID, I’ll have one login name (URL) and password, so if someone guesses or steals it, I’m really screwed. If someone has that, they can “authenticate” every login without my presence. You could get multiple OpenIDs and passwords, but that would kind of defeat the purpose.

So… why are you using OpenID?

Tagged as:

  • http://mediarich.net Susan

    Hmm, this info doesn’t convince me. I’m not using OpenID yet, but here’s why I am (still) interested in looking into it more:

    * Centralized identity validation and logon are obvious usability problems.I grow very tired of having dozens of logons and passwords for the dozens of sites I find useful. Users are forced to resort to shortcuts such as using the SAME username/password schemes whenever possible anyway, and/or recording the info somewhere that could be breached.
    * I like the idea of sites leveraging a “best in class” security/registration model anyway.

    As you know, I struggle with the “need for anonymity” argument. I usually feel the (online) world would be a better place if it were more like a small town – in the sense that everything you do and say are attributable to you. We should take responsibility and ownership for our actions — both online and offline. If our government, or corporations, or other power structures have too much power over us, that’s a different problem to solve some other way, isn’t it?

    “One ID / Many Venues” is, I think, what I was hoping for, and still hope for, from OpenID, or something to come that’s even better. The argument that “it’s still breachable” isn’t a complete showstopper for me.

    I have different security requirements for different activities:

    * Commenting, posting, participating in forums and chats (low). Although I don’t want to leave myself WIDE open to impersonation by others, this strikes me as a recoverable problem. Protecting myself from this isn’t worth a ton of effort.
    * Business-sensitive info (medium). I do lots of business through email – a relatively insecure channel.
    * Financial transactions and information (high).

    So I probably wouldn’t enable OpenID for my banking and investing accounts, but if it relieved my user burden and opened me up for participation in more online venues, that’d be a net positive for my business. I’d do more networking, find more business partners and talent, and learn more.

    The Wikipedia entry on OpenID provides some great references. http://en.wikipedia.org/wiki/OpenID

  • http://tolaris.com Tyler Wagner

    1. Protect your password.

    2. Make sure your openid implementation is itself secure. Your LJ login is secure because it uses HTTPS. phpMyID on j-random-server is secure because it uses HTTP Digest authentication. This makes step 1 a lot easier.

    3. If your password is stolen, it is easy to go to your OpenID server or service, and change it. If your OpenID implementation is good, it won’t be easy to change it (such as just by entering the old password, which of course would be bad if you failed step 1 above).

    Yes, this system is bad if your password gets stolen. So it any other situation where that happens. But you aren’t using OpenID to authenticate to your bank, just random blogs and sites that aren’t critically important, right?

    I sure wish I could login with OpenID to post this comment. :)

  • http://tolaris.com Tyler Wagner

    I also wish the line breaks hadn’t been stripped out of my comment above. Sorry. :)