31

I have seen this question on Quora where lots of people seem to agree that OpenID is bad, even going as far as stating that:

OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have

Then I've seen articles and tweets referencing that question saying that OpenID has lost, and Facebook won.

It's sad to read as I quite like OpenID (or at least the idea behind it). I literally hate getting yet another login/password for a page (I'll forget it anyway) - it's a pretty serious issue for me and I know lots of people with the same problem. Thus I thought that OpenID is a great solution but I'm not sure anymore.

So the question is: should I still bother to implement OpenID, or is it not worth it? What is the most robust and convenient (from the user perspective) way to identify and authenticate a user?

DoPPler
  • 441

5 Answers

13

This discussion always comes up due to one largely ignored fact: OpenID was never designed as a login protocol. That's a later misattribution.

OpenID was conceived as a homepage URL verification service. And for that it was workable. But due to a lack of alternatives it was quickly repurposed as a general login protocol. Some features were grafted on (simple reg, attribute exchange) to facilitate that better. But at its core OpenID is a URL authority verification scheme.

This is where the usability and implementation blunders come from. The multi login advantage is only of significance to technic-affine users, not a real simplification for ordinary users. (Don't get me started on robustness; just salvaged my Stack Overflow login.)
But still there is no widespread or technically superior alternative (there were some prior to OpenID, but they lacked buzzword and marketing uptake). As an avid open source supporter I would even consider Microsoft's Passport or Cardspace whatever thingy over it, but it's currently not an option.

Back to your question: Stick to OpenID. For ordinary users make oldschool username/password pairs possible, and OpenID optional. Maybe OpenID3 finds widespread adoption and fixes some of the issues. Or maybe something else comes along. The general idea behind the concept was cool.

mario
  • 2,333
11

Can't you implement BOTH?

Everyone picks the option based on his preference and paranoia state.

OpenID provides great convenience. It also provides an even more massive security risk.

[User risk] What if Facebook/Google/etc. decide your account has been compromised and you need to give your phone number or a passport copy to reenable it? Would you go for it?

[Company risk] What if Facebook/Google/etc. decide to shut down their service or start charging for it? Then as a site owner you're massively screwed.

[Data espionage] Why let them gather the detailed statistics from many consumer sites and help them build personal profiles of people? Who knows what they'll do with it? Sell it, use it to adjust their marketing tactics, submit it to the CIA?

Man, it's so basic and simple - avoid getting dependent on anybody and decide for yourself what, when and if will happen to you.

5

Actually, I think the main problem with OpenID is not that the implementation or the user-friendliness of it is bad. Nor do I think it's the security problems with OpenID, per se. I think the main problem is that it's a solution in search of a problem - a problem which, for most users, is really not a huge deal anyway.

A better solution to the problem of having to remember lots of passwords, etc. is to use a password manager application. A password manager will even simplify the registration process for you, as it'll automatically populate all of the common fields (name, etc.) and generate a random password automatically. About the only thing you'll have to do, typically, is verify your email address.

Dean Harding
  • 19,911
1

The problem with OpenID, or more generally, with having a selection of account providers on the website to log in with, is that users tend to forget which provider they chose before. One day they can use Google, next month they can use Facebook and three months later maybe Twitter. For the website, it will look like three different users. In such a case the users get frustrated, because they can log in to your system, but not to the same account as previously.

Marcin
  • 221
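
The "three different users" effect described in this answer comes from how a site maps external identities to local accounts. The sketch below is an added example, not code from any poster or from an OpenID library; `AccountStore`, `LinkError`, the provider names and the subject values are hypothetical and constructed for illustration. It shows one account holding several identities, with linking allowed only from an already signed-in session.

```python
import itertools

class LinkError(Exception):
    """The identity is already bound to a different local account."""

class AccountStore:
    def __init__(self):
        self._ids = itertools.count(1)
        self._owner = {}       # (provider, subject) -> local account id
        self._identities = {}  # local account id -> set of (provider, subject)

    def login(self, provider, subject):
        # Key on the provider plus the identifier that provider issued,
        # not on an e-mail address or display name the user can change.
        key = (provider, subject)
        if key not in self._owner:
            account = next(self._ids)          # unknown identity: new account
            self._owner[key] = account
            self._identities[account] = {key}
        return self._owner[key]

    def link(self, session_account, provider, subject):
        # Only called for a user who is already signed in as session_account
        # and has just completed a fresh login at the second provider.
        if session_account not in self._identities:
            raise KeyError("no such account")
        key = (provider, subject)
        owner = self._owner.get(key)
        if owner is not None and owner != session_account:
            raise LinkError("identity belongs to another account")
        self._owner[key] = session_account
        self._identities[session_account].add(key)
        return session_account

def demo():
    store = AccountStore()
    first = store.login("google", "g-1001")      # constructed sample values
    second = store.login("facebook", "fb-2002")  # same person, never linked
    store.link(first, "twitter", "tw-3003")      # linked while signed in
    third = store.login("twitter", "tw-3003")
    return first, second, third

if __name__ == "__main__":
    print(demo())
```

The unlinked Facebook login lands in a second account, while the linked Twitter login returns the original one; refusing to re-bind an identity that already has an owner keeps linking from becoming a way to take over someone else's account.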
0

The main problems with OpenID, as I see, are two:

  • A) It's not user-friendly for non-technical guys
  • B) It's not as widely used as the alternatives

On A, for a user, seeing a button "login with facebook" is easy and simple to get. Seeing a control with 10 icons (Google, Yahoo, AOL, etc.) is confusing. Even more so the fact that the "login" is a URL, something many people don't know exists, as all they do is type a search in Bing/Google and follow the links. I know many people who, when they go to Facebook, search for Facebook in Google and click the link; don't try to explain the concept of a domain to them!

On B, Facebook is the standard. It's a bit like PayPal and the alternatives: for an e-commerce site PayPal may not be the best option price-wise due to its charges on transactions, but if they don't use PayPal they are risking many potential clients. With login it is the same: Facebook opens your web to 500 million users who are active internet users and tech-savvy enough to probably 'get' your site. Honestly, why should you spend more time supporting other things? Spend that time developing the product!

Due to B, A becomes worse as the users kind of expect the Facebook login, and OpenID confuses them more.

And I won't start on the issues already discussed in Coding Horror about users logging in to the same site with different OpenID accounts and the issues this may raise...

All in all, I like the idea of OpenID, but (sadly?) Facebook has done it better.

Pere Villega
  • 109
  • 3