OpenID: Is it Time to Care Yet?
January 18th, 2008 (11:00am) Mike Gunderloy
We last took a serious look at OpenID about a year ago. At the time, we pointed out that “you’d have a hard time finding any of your favorite web apps” on the list of sites that support OpenID logon. Our commenters were in favor of client-side solutions such as 1Passwd or Roboform.
Lately, though, there’s been a spate of OpenID news, highlighted by the announcements that both Yahoo! and Blogger are joining the list of OpenID providers. This means that you can use your Yahoo! or Blogger credentials to log on to sites that take OpenID (though neither one accepts OpenID logins in return; Blogger lets you use an OpenID login to leave comments and Yahoo! says they’re working on it). But is this enough to drive OpenID adoption?
So far, at least, it seems that OpenID remains a marginal technology. While the latest announcements make it easier than ever to get an OpenID identity, it was pretty easy before: AOL, WordPress, LiveJournal, VeriSign, and others were already on board as providers. Yahoo! says they’ve tripled the number of users out there with OpenID credentials, but that figure really doesn’t mean anything when the vast majority of those users don’t even know they have an OpenID. How many AOL users, to take one predecessor in this space, have ever used their AOL identity to log on to an OpenID consumer site?
The biggest problem remains the lack of OpenID consumers - sites that let you log in using your OpenID. While Web 2.0 aficionados will find some of their usual haunts on the list (including Ma.gnolia, Plaxo, and Basecamp) the fact remains that it’s still much easier to get an OpenID than it is to use it. The OpenID Directory lists a mere 446 sites as of this writing.
There are also some questions as to the security and privacy of OpenID. OpenID advocates say that these concerns are overblown or solved in the latest version of the spec, but certainly they have been debated; Stefan Brands rounded up a long list of problems with OpenID, and David Recordon responded at length (the comments to both posts are worth reading as well). It seems clear, at least, that not all OpenID implementations are created equal, and that those who are worried about these issues need to seek out a provider such as VeriSign or myOpenID that is committed to staying on the cutting edge. But it’s unlikely that the average user will realize this, and I fear we will see some highly-publicized OpenID phishing incidents when and if adoption truly takes off.
As it stands, OpenID is a convenience for users who are in the habit of logging on from many different computers (and so not in the target market for client-side solutions) and lucky enough to use some of the leading-edge OpenID consumer sites. For the rest of us, it’s so far an interesting technology, but not yet a compelling one.

8 Comments
Aaron B. Hockley says: January 18th, 2008 11:30am
There are some good WordPress OpenID plugins. It would be nice if WWD had one to allow OpenID comment authentication.
Aaron B. Hockley says: January 18th, 2008 11:31am
Another comment-related request: comment feeds please :)
Chris says: January 18th, 2008 12:46pm
Good news on the comment feeds. Since this site is using pretty permalinks, just tack “/feed” on the end of any article for a comment feed link.
http://webworkerdaily.com/2008/01/18/openid-is-it-time-to-care-yet/feed
is the feed for this article. :-)
Chris says: January 18th, 2008 12:47pm
… I forgot to mention: That’s a WordPress convention, it won’t work for every blog out there!
Aswath says: January 18th, 2008 1:01pm
I think the problem is the marketing of OpenID. Contrary to the widespread perception that the benefit of OpenID is SSO, OpenID will be used by those application providers who benefit from outsourcing the authentication procedure. An immediate example will be age verification, as many SNs will be forced to do after the recent MySpace agreement with the attorneys general.
Aaron B. Hockley says: January 18th, 2008 1:33pm
Chris, thanks for the response on comment feeds. It’d be nice to have a link on the page somewhere so it’s easier to subscribe, but good catch that it can be done manually as you describe. I should’ve known that myself.
Peter says: January 18th, 2008 6:12pm
My concern over OpenID is that it is effectively the same as using the same logon and password at every site. If my OpenID is ever compromised (by whatever method you want to imagine) EVERY account linked to it is compromised.
Sure, having multiple logons and passwords is more complex, but if one is compromised, none of the other accounts are affected.
Two factor systems can help, but I still see this as an inherent security flaw in OpenID.
alex says: February 12th, 2008 4:24pm
@Peter many (if not most) users are already using the same user name and password combination on all their sites. Which means they are only as secure as the weakest link. And there may be some black sheep among those site owners, too.
Secondly, you can use a proxy URL (like your own domain) and map it onto any OpenID provider. So in case your provider is compromised or unavailable you can switch easily and quickly to another one - and that will also switch all the services you are using.
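
The proxy-URL setup described in the last comment is OpenID delegation: `<link>` tags in the head of a page you control name the provider that answers for that URL. As an added example (not part of the comment thread or of any OpenID library), this Python script audits a delegating page's HTML-based discovery tags for problems that can follow a provider switch; the domains and the sample page are constructed, and XRDS/Yadis discovery is not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID 1.1 and 2.0 HTML-based discovery
PAIRS = (("openid.server", "openid.delegate"),
         ("openid2.provider", "openid2.local_id"))
RELS = {rel for pair in PAIRS for rel in pair}

class HeadLinks(HTMLParser):
    """Collect OpenID <link> elements found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.found = False, {}   # found: rel -> href
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may carry several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_delegation(html):
    """Return (links, findings) for a delegating page's HTML."""
    parser = HeadLinks()
    parser.feed(html)
    links, findings = parser.found, []
    for endpoint, local in PAIRS:
        if local in links and endpoint not in links:
            findings.append(f"{local} present without {endpoint}")
    for rel, href in sorted(links.items()):
        if urlparse(href).scheme != "https":
            findings.append(f"{rel} is not HTTPS: {href}")
    hosts = {urlparse(links[e]).hostname for e, _ in PAIRS if e in links}
    if len(hosts) > 1:
        findings.append("1.1 and 2.0 tags point at different providers")
    return links, findings

# Constructed sample: 2.0 tags moved to a new provider, 1.1 tags left behind
SAMPLE_PAGE = """<html><head><title>alice.example</title>
<link rel="openid.server" href="http://op-old.example/server">
<link rel="openid.delegate" href="http://alice.op-old.example/">
<link rel="openid2.provider" href="https://op-new.example/server">
<link rel="openid2.local_id" href="https://alice.op-new.example/">
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_PAGE)[1]:
        print(finding)
```

On the sample page the stale 1.1 tags still hand authentication to the old provider for any consumer site that speaks only OpenID 1.1, which is the case to check for after switching away from a compromised provider.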