1:35 pm
March 25th
2007

We’ve seen announcements from Microsoft, AOL and Digg, and many in the blogosphere are now predicting 2007 will be the year OpenID takes off. I’ve got my OpenID with the public https://www.myopenid.com/ server. And thanks to this tutorial, NeilCauldwell.com is now configured as my relay OpenID server, which means that I can log in to any OpenID friendly site just by typing in ‘NeilCauldwell.com’. But do I ever use it? Put it this way - I’ve tested my relay server via the aforementioned tutorial; it worked. I then went back to Outlook, Facebook, 8apps and Newsgator, all of which were already in authenticated sessions from many hours ago, and carried on with the same application ‘workflow’ (did I say Facebook?) as before.

I’m already signed up with all the services I use on a regular basis, and have a password manager that handles the usernames. In its current state, OpenID isn’t going to do much for me, unless I increase the number of web services I use on a regular basis, start trialling more new services, and log in & out of authenticated sessions more frequently. This will be the case for many prospective OpenID adopters. Why sign up to OpenID when your favourite sites are bookmarked by the browser, and authenticated by a password manager? Password managers may be insecure, but OpenID has yet to address its own security concerns.

OpenID is too complicated in its current form, and could only get worse if the likes of Microsoft and AOL decide not to authenticate OpenIDs from third party servers. This would become a complete nightmare for OpenID adoption - I can assure you that most of the people I know would never get their head around it:

  • They already have logins for their favourite web services, and don’t need to sign-in to any new services - why would they want to learn another sign-in process to a service they are happily using?
  • Even if they have an OpenID, they still need to create and fill-out a unique profile within each service they use. This means OpenID creates a double login procedure. As we already know, once is bad enough.
  • If they sign up to a service that only supports OpenIDs from certain servers, OpenID isn’t even open. At least with a proprietary sign-in process you would be under no illusions that the username you created with service ‘x’ would work with service ‘y’. But if the big players decide to mess about with server authentication, your OpenID may or may not work at another site. This is where it becomes a complete mess.

Unless OpenID can answer all of the above concerns, the outlook doesn’t look great. I still hold hopes for a single authentication system on the web, but I honestly believe a social network, such as Facebook (18 million users and counting, and a serious average stay per user), could be just as significant in this endeavour as OpenID.

8 Responses to “OpenID is too complicated”

  1. Dave
    25 Mar 2007
    3:57 pm

    Hi Neil. This is a good write up on a subject I am interested in. Several points to make in response to your post:
    1. Your second bullet regarding a double login procedure is directly addressed by the current specification. As designed, you enter information with your service provider and the sign in passes the information from the identity server to the web site.
    2. Using your site as an example, it would have been easier for me to enter this comment if you had an openid consumer set up on your site. That way I would have entered only my claimid information above.

    I’ll not argue your point regarding the use of openid on existing sites. If you continue to use the same sites on an ongoing basis then that’s ok for you. I believe if you tracked your participation in other sites on an ongoing basis I think you would find out you are subscribing to new sites on a periodic basis. If you’re required to enter passwords on any of these sites then you are either a) keeping track of multiple passwords; or b) using the same password on many sites. Both alternatives present risk.

  2. Neil Cauldwell
    25 Mar 2007
    4:28 pm

    Thanks Dave.

    The second point references the need to create a user name on each service you intend to use OpenID with - last time I checked (which happened to be with Magnolia), I still needed to create unique details, i.e. user-name, preferences, and several other specifics that needed to be completed, in order to use a new service. Now, this wasn’t really a problem for me, and I understand why it needs to be done, but I know several people for whom it would probably be more trouble than it’s worth. I apologise if I’ve misunderstood this - has the latest specification of OpenID addressed this, therefore putting OpenIDs in web app schemas as unique identifiers?

    I had intended to use the WordPress OpenID plugin, but it feels like overkill when a user has to go through a page refresh just to log in via OpenID; if they’re already on a comments enabled page (such as this one) they can just type a comment and hit submit - and that’s without the page refresh.

    Even if you only need to fill in an OpenID once, I imagine many people would feel they’re registering for a service for which there aren’t many instant benefits. However, if we were to build in more social features (more images, personal preferences, contacts etc) into OpenID, there would be a much speedier adoption. As it currently stands, we’ll probably need another YouTube/MySpace phenomenon, which insists on OpenID from the first registration, before OpenID hits the mainstream.

  3. Dmitry Shechtman
    26 Mar 2007
    12:53 pm

    This is mostly in reply to your last comment.

    Ma.gnolia’s OpenID implementation sucks. I blogged about it on several occasions. Try this seamless registration I’ve created.

    Although the WordPress plugin has many problems (I had to disable it on my blog), a page refresh isn’t one of them. You type in your comment, you enter your OpenID, you submit.

    Jyte might be the killer app you’re after.

    As for Facebook, what if it became an OpenID provider?

  4. Neil Cauldwell
    26 Mar 2007
    10:05 pm

    I’m glad to hear that Ma.gnolia’s OpenID implementation sucks; I was expecting so much more from my first OpenID sign-in!

    As for the killer OpenID app, I was actually thinking that Twitter could have been the one - it even made the Financial Times yesterday. Maybe it’s not too late to get OpenID onboard before the mainstream gets hold of it….

    I’d love to see Facebook become an OpenID provider, but at the rate it’s currently growing, I doubt the CEO Mark Zuckerberg is at all concerned. Facebook has a whole load of buzz surrounding it right now, including details of an upcoming interface redesign. Zuckerberg would be doing OpenID one massive favour by integrating it at this stage.

  5. Dmitry Shechtman
    28 Mar 2007
    4:52 pm

    It would be great to see Twitter become an OpenID provider.

    I think I could use Facebook’s API to do it and OpenID this one massive favor…

  6. Neil Cauldwell
    28 Mar 2007
    9:02 pm

    You’d be making quite a difference if you could get OpenID working with Facebook. And aren’t Twitter releasing an API soon too? Why not give them both a shot?!

    Web standards bear many resemblances to hardware formats, such as consoles and media players - if you can get a killer application to go with it, it’ll pretty much decide the fate of the format. Without the killer application on which to piggy-back, a format just won’t sell. Facebook and Twitter could quite easily be the applications to push OpenID to the mainstream.

  7. Koesmanto Bong
    30 Apr 2007
    7:06 pm

    Hi Neil,

    I stumbled upon your blog when I was searching for Facebook and OpenID. Very interesting article.

    I work for a company called Vidoop and our main technology is called Vidoop Secure which eliminates passwords as it is the weakest link in user authentication. We decided to implement that technology with OpenID and created myVidoop, which is Vidoop’s OpenID service.

    Currently, myVidoop is in its closed beta phase for scalability reasons, but it’d be great to have you as one of our beta testers and get your feedback on our OpenID service and the strong user authentication system.

    Please email me if you’re interested in getting some invitation codes. I think myVidoop would be able to solve your question about OpenID’s security.

    best regards,
    Koesmanto Bong
    www.vidoop.com

  8. The Identity Corner » The problem(s) with OpenID
    22 Aug 2007
    10:31 pm

    […] OpenID suffers from usability problems. Neil Cauldwell in a piece titled “OpenID is too complicated” says: “I can log-in to any OpenID friendly site just by typing in ‘NeilCauldwell.com’. […]
