You don’t want to type in two different userids/passwords for the same item, and no browser is ready to do such a thing, anyway. A solution would have both sites accepting a common id, and the mashup server could verify the id against both original data servers, thus the hope that OpenID (or something like it) could solve this problem in a way your alternative solutions don’t. Not that I know that OpenID can solve the problem, the point is that some kind of authentication service is necessary in order that the Internet can take this next step.

For example, as Scott Kveton points out above, your OpenID is an “index to you” on the public web. That’s a double-edged sword, but it does present an important “I need it” and “I can use it” advantage; with an OpenID consolidating your relationships with sites and providers, you now have a way to aggregate and manage your online reputation. This means that OpenID can serve as the basis for lightweight, efficient reputation and trust decisions that will gain you entry (and by the same token, possibly deny it to you, so you’re accountable — another important feature of the system) to resources quickly and easily based on the information you can supply with your ID.

As far as the trust issue goes, we have in place what we expect to see in an emerging marketplace for a technology like this. Big service providers like Yahoo! and AOL are equipping their users with OpenIDs and providing solid warrants for trusting the integrity of the logins (*as* logins) they verify. Pure play OpenID providers like JanRain (where I work) and Vidoop provide full-featured profile management for OpenID, along with security and communications “extras”. Other providers exist in more informal arrangments; you can spin up your own OpenID provider on your own laptop if you want with minimal effort.

The diversity in this space is a strength, not a weakness. If OpenID defined a military-grade biometric authentication system, or an Experian credit bureau scrub, the costs and logistical demands of the system would keep it from ever getting of the ground. Like PGP, rather than SSL, OpenID is decentralized, and looks to the marketplace for organic “circles of trust” to form naturally, rather than by ordaining “trust roots” that control the hierarchy. That makes things a bit more chaotic in the marketplace, but much healthier in the long run for trust to be managed and delivered at best cost and quality.

I log on to gmail when I open my browser. If I did that with my openid then openid sites would seem much easier to use. With openid in so few places it does seem like a pain every time I use it. And if it was built in to the browser it could just auto log me in.

In general Openid has been on full court press for a while now and is not *needed* in any one place yet. But hopefully the point where openid is easier then 20 different username/password combos is not too far off.

At the very least I feel the best result have come from openid when hard criticism come out about real problems. And while I think It’s real and valid it does mean that the problems can’t be fixed.

With MyOpenId I always sign in with a certificate and not a regular password.

That being said, I’ll comment on the three points:

1) I do need “it” with “it” being defined as simple single signon. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent) retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is to non-critical applications. OpenID is a SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

I don’t think that’s a fair characterization of the concerns over this. I am really wary of any solution that could be a single point of failure with wide reaching consequences.

OpenID is like using the same logon and password everywhere, which is a very bad security practice. If your OpenID is compromised (by whatever method you want to imagine) you are pretty well screwed.

I can see OpenID being used for low-value accounts like blog comments and the like, but I don’t think it will ever become mainstream in high-value and/or financial transactions.

It took me 5 minutes to set it up, and I’m glad there are more and more sites that accept it. Specially when there’s something to try out and the only thing you have to do is provide your OpenID.

There is a realization that is occurring among users and developers of OpenID and that’s that OpenID is a very important building block but not for the reasons we all originally thought.

I think the real strength in OpenID lies in the fact that a user can now point at a single URL as their own. Not only do I have a place on the Internet that I’ve proved I “control”, its also a single point of contact, a place to store my friends, messaging, etc. These applications are coming and I think those are what will drive OpenID.

One interesting side effect of the OpenID as a URL is that reputation is going to be baked into the Internet. You’ll be able to reference everything you’ve done on the public Internet because it will be indexed by your personal URL. Like it or not, that’s going to happen (I personally love it).

Bear in mind, most users won’t know or care what an OpenID is. Users want solutions, not a bunch of technology. Once somebody can make OpenID more usable and tied to other real solutions that’s when its going to take off.

Finally, the reality of the situation is my mom never got SMTP, she got email. The same will be true with OpenID.

I’ve been told that WWD can’t do OpenID right now because you’ve chosen a hosting platform (WordPress.com) that restricts your features, but I would assume that if WordPress.com starts accepting OpenID there wouldn’t be any reason you would actively refuse it, would you?

In response to “I don’t need it”… you’re right, there are already password managers. But if more sites supported OpenID, you wouldn’t need a password manager in the first place. Wouldn’t it be nice to manage one OpenID instead of using a password manager to manage a bunch of standalone passwords?

“I can’t use it” You can’t use it everywhere yet. But there are quite a few places you can use it. And there are (a few) sites that require it. Ma.gnolia is probably the biggest, but also Pibb, Treasurelicious, Twitterwhere, and Twitterfeed (that I know of).

“I don’t trust it” Looks like a bunch of FUD to me. I fail to see how it’s any less secure than a bunch of standard usernames/passwords (and the reality is that many people use the same password everywhere). The “average user” won’t use it any more or less securely than they currently manage their passwords. But some OpenID providers (such as Vidoop) create a more secure environment than a standard password.

I don’t think that OpenID is a magic solution to all identity and password issues… but given that it’s fairly easy to support, it seems that web/technology services ought to at least offer it as an option for those users who want to take advantage of OpenID.

Thanks for your post… the more discussion, the better!