OpenID’s Struggle for Acceptance
By Mark Evans | August 12, 2008
OpenID is one of those concepts that, in theory, sounds good but in practice has failed to gain much traction.
Sure, OpenID has gained some high-profile supporters such as Google, IBM and Yahoo, but there doesn’t seem to be much, if any, enthusiasm among consumers. In other words, there are few people clamoring for a single sign-on system to replace the username/password regime that currently exists. A couple of days ago, the New York Times had an opinion piece that dismissed OpenID as little better than username/passwords.
“OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site,” wrote Randall Stross, an author and professor at San Jose State University.
Nevertheless, OpenID is one of those ideas that refuses to go away. For example, I received an e-mail from MyOpenID breathlessly talking about how the number of OpenID-enabled Web sites has climbed to 18,000 from 500 over the past two years. Let’s be honest, 18,000 is a pretty small number in the scheme of things.
“Notable sites are realizing the benefits of accepting OpenID,” the e-mail pronounced. “Sourceforge, the world’s largest open source development site, recently started accepting OpenIDs. As stated in their announcement, ‘OpenID is getting tremendous traction and we are happy to be jumping into it. It’s bringing us back in touch with fresh web (2.0) technology’.”
This kind of marketing crap is part and parcel of OpenID’s futile campaign to gain acceptance. Everyone talks about the benefits and advantages yet few people seem to be using it.
Sounds a lot like Bluetooth or the Betamax.
August 12th, 2008 at 9:38 am
People want a single sign on. This is why people save passwords in their browsers. No one can remember all their usernames and passwords and they need help.
OpenID is just a simple chicken and egg problem. If you can only sign on to a couple of sites then OpenID is more of a pain than a help. Of course until a lot of sites use it there’s no point wanting OpenID. And if no one wants OpenID then no site will add it.
If the chicken and egg problem can’t be solved then OpenID is dead. Some clearly think it can’t. I and other OpenID advocates are hopeful it can. But I’m not dumb. I can see it’s not a blazing success. Though I think it could be.
But either way people want a single way to remember all usernames and passwords. In recent brainstorm sessions I have come up with what I think would be my perfect login system. I start up Firefox… enter a single password… and Firefox, through a standard API, logs me in to all the sites I use in the background. Perhaps it has a lot of security problems… but when it comes to convenience it sounds awesome to me.
But if OpenID truly fails then we need a different approach. We need a system that can retrofit on top of the Username and Password system that I can explain to my mom and she will understand and be able to tell others. It has to be dead simple.
August 12th, 2008 at 9:51 am
Stefan,
I agree there needs to be a better way to manage the multiple passwords that everyone has these days. Personally, I’ve used Roboform and 1Password, and been happy with how both of them work.
Mark
August 12th, 2008 at 2:22 pm
Nice post, since I work for Vidoop (we deal with OpenID) I am slightly more optimistic about the future. I am also in a position to say that there is work being done to address your concerns.
Couple points to make, first is that with OpenID you only have to enter your password on your OpenID provider’s site. Randall makes it seem like your OpenID provider is some random site, when in actuality you get to vet your provider ahead of time. I would rather have my account info stored with a company who is focused on security. A site that accepts OpenID logins (e.g. Ma.gnolia) never actually sees your password.
@Stefan - What you suggest, logging into your browser, exists (albeit in tech preview form today). Check out the work happening at http://labs.vidoop.com on Identity in the Browser (IDIB).
@Mark - We are pragmatic and have developed a pretty neat password manager plugin available at http://myvidoop.com. It is also an OpenID provider with strong authentication.
OpenID is not just about SSO, it’s about where the web can go with an identity layer. What new services and features can be built, etc… there is an excellent post about OpenID and how it fits in to the Identity services stack here: http://blogs.oracle.com/talkingidentity/2008/05/05/
Cheers,
Kevin
p.s. Betamax did have better picture quality
August 12th, 2008 at 2:29 pm
Kevin,
Thanks for the insight. I’ll check out myvidoop.com.
Mark
August 13th, 2008 at 2:08 am
My take on OpenID is somewhat at odds with mainstream proponents of OpenID. While they seem to stress SSO, I view OpenID as letting RPs outsource authentication to third parties. Which authentication mechanism will be used by an IP and which IPs will be acceptable for a given RP are outside the scope of the OpenID specification (contrary to the common perception that all RPs will accept all IPs). I have previously stated that this is like credit cards. But mainstream OpenID proponents emphasize SSO exclusively and the critics point out faults in that goal.
August 28th, 2008 at 7:16 pm
The main problem with OpenID is that most implementations are flawed. Although it’s supposed to be a standard, the actual implementation accepts many possibilities, especially when dealing with certificates et al., making it not_so_standard after all.
We need one OpenID provider to rule them all