OpenID Gets Explained, Maligned, and Dropped

by Lisa Hoover - Jan. 07, 2009

Lots of people talk about the OpenID Web site login solution under development by the OpenID Foundation, but not everyone understands it. A handy new Web site aptly named OpenID Explained launched recently that aims to separate fact from fiction and educate the masses about what this project means in the larger picture of Web site user authentication.

Clearly, the project has fans, but not everyone is jumping on the OpenID bandwagon. In fact, some are jumping off.

Citing Wikipedia, OpenID Explained claims there are over 27,000 enabled sites, the number will keep growing, and Internet travelers ought to get in on the ground floor of what's sure to be widespread adoption.

"OpenID is different from how you log in today and will probably throw you off a little bit. We're here to help you learn what makes it useful and how to use it," says the Web site's home page. After a thorough explanation of the concept (complete with visual aids), visitors can learn details on how to get an OpenID and how to use it to log in to Web sites around the Internet. There's also a section for Web developers who want to learn how to add OpenID to their sites.

Many popular Web sites and companies, including SourceForge, Yahoo!, and LiveJournal, were quick to embrace OpenID when it first came on the scene. Now, the interest in the project seems to be waning. Free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.

"Out of over a million accounts, less than 200 registered users used OpenID...The costs to continue supporting OpenID are significant. It takes extra time for development and quality assurance testing each new release to make sure that OpenID works with the changes that we make. Given the low amount of usage, it makes more sense to focus these resources on building new features or improving existing features that are used by the majority of users," writes a Wetpaint site admin known as "Jeremy."

Network World's Dave Kearns also suggests that OpenID has lost its mojo. "OpenID spent the month of December embroiled in internal squabbles as the OpenID Foundation conducted elections for its board of directors. The results were due on New Year’s Eve... [but] the conversations about the election on the OpenID 'General' mailing lists (masochists can consult the archives here) shows why this group continues to be the most dysfunctional of all the open source software 'families'!"

Of course, not everyone is down on OpenID. The developers at Amarok are big fans and devoted an entire blog post to outlining reasons to love the service, including its convenience and its increased ability to protect your privacy.

So, where do you fall on the OpenID like / dislike spectrum? Do you use it and appreciate it, or does its implementation limit and confuse you? Let me know in the comments.






16 Comments
 

If it were available on the sites I use I would definitely use it. I am tired of changing passwords on 50 separate sites. It would be much easier to have one login and password that I change more often.


0 Votes

Also, it looks like Facebook Connect (or something like it) could become the standard. That makes a lot of sense too, and is a great idea. Google also has their offering, so in time, most sites will provide both standards.


0 Votes

The problem with OpenID is in its implementation, forwarding back and forth between sites. From a user interface perspective, it's too complicated to be useful or adoptable. I've worked with a couple OpenID libraries, and it's even worse on the back end. I can certainly understand the "high support costs" cited.


If folks want one unified ID/password, a system is going to need to be developed that is completely transparent. No shuffling between sites. Just enter in ID/password and everything is done under the hood/behind the scenes to authenticate, and the user is logged in as if they had an account on the site itself. Until that happens, wide-spread adoption by non-geeks is going to be near-impossible.


0 Votes

OpenID is fantastic! It's supported on many of the sites that I use (some which I didn't expect) and I've used it for sites that I create myself. It's nice.


One thing which might hold adoption is that it's hard to find a good way to associate an OpenID on a site where you already have an account. If users are unable to easily migrate to using OpenID in place of more traditional login credentials, it's going to hurt adoption and deployment.


0 Votes

The flagrant failure of OpenID appears to be one prediction i'll get right.


simply put, it's way too confusing. but then again, i've only built like, 8,000 web apps, so the creators of OpenID probably knew a lot better than me what would work for normal human beings.


0 Votes

First off, I believe OpenID is great, but there are some issues:


1. Maturity. The libraries supporting OpenID are not very mature. Not in the sense that they don't work (the ones I've tried do), but in the sense that they don't support all the use cases that are probably necessary for success. The ones I'm thinking about are: a) When logging in, an ability to choose which local account you wish to associate with the OpenID identifier you use. b) Actual transfer of additional data (age, nickname etc.) from the identity providers. The standard supports this and it is clearly useful, it just isn't supported in practice. c) The ability to let a user identity at a site (an identity consumer) be associated with multiple OpenID identities. This is useful because it allows you to be less dependent on a single OpenID provider for access to services. Again, there is nothing in the standards that prevents this, it's just not implemented yet.


These issues reflect the simple fact that the web is not yet used to using a separation between identity providers and identity consumers, and there are several details that need to be fixed before the experience becomes flawless ;) I still believe this can happen, it might even happen with OpenID as a carrier.


2. Lack of support for trust relationships. This is a more serious issue. If you run a site, how do you decide which ID providers to trust? Example: If I run a newspaper and I wish that everyone allowed to comment on articles must be above the age of 18. Even if an identity provider provides an age, as the OpenID standard opens for, why should I trust that datum? The solution to this problem is not covered by the OpenID standard, and probably can't be since it involves a trust relationship between the identity provider and the consumer. Unless a way is found to make it simple to enter into this type of relationship, nobody with a need for trustworthy identities will have a strong incentive to use OpenID; since the trust relationship will be bilateral anyway, there probably won't be many of them and then the benefit from using a standardized protocol won't be that big.


I believe that this issue needs to be addressed. There are many ways in which that could be done: Standard trust contracts could be produced to simplify the production of bilateral trust agreements. Alternatively a "trust network" could be established, letting some set of authorities authorize identity providers (for instance; a national tax authority could authorize the identity providers that are allowed to identify people when filing their income statements). It is completely unrealistic to believe that there will ever be a single source of all authority; a tree with multiple roots, or possibly a web of trust are more viable models. However, this -needs-to-be-in-place- for a separation of identity provision and consumption to be successful for sites that put any value on actual identities.


That's what I believe anyway ;)


0 Votes

I've posted a blog a couple of months ago .. titled


Why openID will fail ..


http://www.krisbuytaert.be/blog/node/740


0 Votes

OpenID has serious security problems. See

http://idcorner.org/2007/08/22/the-problems-with-openid/

In particular, it's too easy for evil sites to steal your password.


Google is running a trial of OpenID support in a way that tries to address that problem, see

http://google-code-updates.blogspot.com/2008/10/google-moves-towards-sin...


Disclaimer: I work at Google, but not on anything related to OpenID


0 Votes

Facebook Connect will succeed where OpenID has failed.


I live in a state where people can "choose" an electricity provider and service plan. Well, you can easily spend 20 hours trying to find out what some of these plans really cost, and then find you're only going to save 10 cents a month.


OpenID is like that. If I am going to use a federated ID system on my site, it's because I want to get a higher sign-up rate than I'd get if I ran my own ID system. If I tell people: oh, get an OpenID, go read this web site (and this one, and this other one too), you can pick one of any 20,000 providers, I'm sure I'd have a sign up rate indistinguishable from zero.


Facebook Connect, on the other hand, is simple. Log in with your facebook id. 120 Million people already have facebook accounts, if you don't, just register on Facebook. You tell people specifically what to do and they can do it -- there's nothing to "understand." Open ID might excite the people who read TechCrunch, but they're the only ones.


0 Votes

I have no desire to join Facebook, and shouldn't have to in order to establish a network identity. What I want is an open, brand-neutral, decentralized identity management system designated solely for that purpose.


As for managing site sign-up, there are various mechanisms that make it very easy for people to register for OpenIDs without having to make a research project of it.


0 Votes


Reason for its low adoption? Simple. My grandma, your grandpa, his uncle, her aunt...will never get what OpenID is. And the abstruse login id (that looks like random string URL) given by some providers (like yahoo) is not helping at all.


and what's so hip about OpenID anyway? Don't get me wrong. I love the idea, but I'm posing that question from the perspective of an average teenager who's not necessarily a nerd or a geek that's always in front of the monitor screen.


0 Votes

OpenID is a pain to implement and support. It has a confusing UI for users. That said, it is the best we have today! OpenID is about empowering users and making the web a better place to live and work. Distributed features like this one (authentication) are the future of web based applications.


0 Votes

another academic experiment....


0 Votes

i don't use it. something about one provider knowing all the sites i log onto bothers me. i really don't want all of my flaming, troll posts associated to one nickname.

or should i say i don't want one regretful post besmirching a good nickname.


0 Votes

Nice article. You might want to see my views on openid here.

http://santrajan.blogspot.com/2009/04/my-2-cents-to-openid-foundation.ht...


0 Votes