One of the biggest challenges facing OpenID is it’s a solution (universal identity management) looking for a problem to solve.
Sure, it’s a pain having to remember different usernames and passwords (unless you lazily use the same ones for everything) but most people don’t see it as a huge issue, which means OpenID has failed to gain much traction. And to be frank, that won’t change much even with major players such as Google, Yahoo and AOL starting to climb on the OpenID bandwagon recently.
All, however, is not lost because there is a “killer app” that could propel OpenID from a curiosity into a mainstream tool.
The genesis for this optimistic outlook is PageOnce, which I discovered yesterday on TechCrunch. PageOnce is a personal application portal where you can access all your online accounts (e.g. GMail, Facebook, LinkedIn, Visa, MySpace, Citibank, Netflix, etc.). This is a concept that, in theory, sounds great because it would eliminate the need to visit multiple sites at a time when we’re using an increasing number of online services.
The biggest hurdle is you have to provide PageOnce (or any other personal app portal) with all your username and password information. This makes me uncomfortable because it means you have to have complete faith in PageOnce’s security – something I think that many people would be loathe to do, especially with financial information.
This is where OpenID comes into play. Rather than giving PageOnce all your username/password information, you could use OpenID as a way to submit your information efficiently and securely. Of course, this is based on the assumption OpenID can evolve to address security issues such as attacks from phishers, as well as concerns about privacy.
Sure, there are a lot of “ifs” surrounding the emergence of personal portals and OpenID but if both ideas are going to gain any kind of traction with consumers, it would be a good idea if the players in both camps started working together to present a united solution.
More: Here’s a good video about digital identification from Sxip’s Dick Hardt, while MediaShift’s Mark Glaser has a lengthy post on how to protect your online privacy.
11 Comments
Mark, I agree. I have a beta account with PageOnce – and leaving aside it’s North American slant – and I have not really tried it out fully due to not having faith in security of the site. This isn’t a fault of theirs, but one of my not wanting to risk anything just for the sake of trying out the site fully.
would you use pageonce ??
I mean you got your gmail account frozen (reset). The Ebay account setting changes recently correct ??
So is openid, in your personal opinion mature enough to level all your personal info into one service provider ?
Pete,
I wouldn’t use PageOnce if it meant handing over my username and password information. In theory, OpenID could (and I stress could) be a good tool to address this issue but admittedly it has a long way to go before I’ll really jump on the bandwagon.
It seems to me that OpenID suffers from even greater security risks than PageOnce does. Once somebody cracks your OpenID password, they have access to every website that supports it, even ones that you might have never visited.
You make an assumption in the first paragraph–”most people don’t see it as a huge issue”–that needs more attention. First, have you got any proof?
More importantly, even if people don’t perceive it as a ‘huge issue’, that doesn’t meant that it’s not a problem worth solving.
Darren:
Guilty as charged! Good points on both fronts.
Mark
Integrating the OpenID to PageOnce is a great idea.
And adding a way to view your information for websites which support OpenID authentication instead of username and password is on our roadmap
Guy:
Glad you like the idea.
To be honest, OpenID continues to struggle partly because it’s not even offered as an option many places, although that may be changing as companies such as Yahoo get on board. If people get exposed to it, try it and use it, then there will be a bigger community that can, hopefully, improve OpenID.
For the application you are thinking of, what we should consider is OAuth (oauth.net) and not OpenID. Even though OpenID allows one to have a single “username” and “password” across multiple sites, you end up sharing the credential information potentially compromising security. On the other hand OAuth allows a user to get a more restrictive permission token from the contributing site and pass it on to the consuming site. The restriction could be on the scope of access and/or duration of validity etc. Additionally, use of OAuth does not require use of OpenID and so can be used immediately. You can read an explanation of OAuth from users’ perspective at http://www.hueniverse.com/hueniverse/2007/10/oauth-end-user-.html
Aswath,
I’ll check out OAuth. Thanks, Mark
Ken makes a good point that if a central OpenID username/password is compromised to an attacker, the attacker gain access to all of that user’s accounts.
The team I work with has been working to solve this problem. Our implementation of OpenID binds a users openID to a security device, like a smart card or USB token, TrustBearer OpenID. So this removes the need for username/password altogether and improves account security.
2 Trackbacks
[...] The Killer App for Open Id Added on 02/16/2008 at 12:48PM The Killer App for Open Id [...]
[...] social networking by stevepepple on February 17th, 2008 There’s an interesting discussion on Mark Evan’s blog about the potential of a killer application for OpenID: One of the biggest challenges facing [...]