OpenID deserves to die

May 27th, 2008

Here's my perspective on it. We all have ideas, some good and some bad. Now it's understandable that people who have invested themselves into a bad idea, especially if they thought it was good, are reluctant to walk away from it. It's painful to have to realize that. But the flip side is that we have to maintain the myth of Santa Claus because, well, so many kids believe in him that we can't let them down. Bad ideas deserve to die for the good of everyone.

The first thing a good idea must have is a real problem to solve. OpenID does very well here. The point of OpenID is to solve our common problem of the internet age: many websites, many accounts, many usernames and passwords. This is probably why OpenID still appears to some people as being a good idea.

Here's how they do it. Instead of keeping track of your accounts on all the sites you're a member of, just let one site keep all your account records (sound ominous yet? it did to me). Now, whenever you want to log in to one of your sites, instead of using your username/password for that site, you use your OpenID login, which looks like this: This URL is effectively your OpenID provider, i.e. the site you use to keep track of all your accounts. So now the site you're logging into sends you to your provider, where you log in with a username/password belonging to the account on the provider site, and that logs you into the site you were visiting. So in other words, your account on the provider is the gatekeeper to all your accounts. Sounds simple, right?
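The redirect round trip described above, sketched as an added example (not code from this post or from any OpenID library) using OpenID 2.0 field names. The URLs, the association handle and the shared HMAC key are constructed, and the key is assumed to have been agreed between the site and the provider beforehand; the site accepts whatever identity the provider signs, which is the gatekeeper role in practice.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

NS = "http://specs.openid.net/auth/2.0"
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def auth_request(op_endpoint, claimed_id, return_to, realm, handle):
    """Site -> browser: redirect URL that sends the user to their provider."""
    q = {"openid.ns": NS, "openid.mode": "checkid_setup",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": return_to, "openid.realm": realm,
         "openid.assoc_handle": handle}
    return op_endpoint + "?" + urlencode(q)

def _sig(fields, mac_key):
    # Key-value form: one "name:value\n" line per signed field, in 'signed' order.
    names = fields["openid.signed"].split(",")
    msg = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in names)
    return base64.b64encode(hmac.new(mac_key, msg.encode(), hashlib.sha256).digest()).decode()

def provider_assert(request_url, op_endpoint, nonce, mac_key):
    """Provider -> browser: after the user logs in there, redirect back with a signed assertion."""
    req = dict(parse_qsl(urlsplit(request_url).query))
    resp = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
            "openid.claimed_id": req["openid.claimed_id"],
            "openid.identity": req["openid.identity"],
            "openid.return_to": req["openid.return_to"], "openid.response_nonce": nonce,
            "openid.assoc_handle": req["openid.assoc_handle"], "openid.signed": ",".join(SIGNED)}
    resp["openid.sig"] = _sig(resp, mac_key)
    return req["openid.return_to"] + "?" + urlencode(resp)  # sample return_to has no query string

def rp_verify(response_url, expected_return_to, mac_key, seen_nonces):
    """Site: log the user in only if return_to, signed fields, signature and nonce all check out."""
    resp = dict(parse_qsl(urlsplit(response_url).query))
    if resp.get("openid.mode") != "id_res":
        return None
    if resp.get("openid.return_to") != expected_return_to:
        return None
    if not set(SIGNED) <= set(resp.get("openid.signed", "").split(",")):
        return None  # a required field was left out of the signature
    if not hmac.compare_digest(_sig(resp, mac_key).encode(), resp.get("openid.sig", "").encode()):
        return None  # fields were altered after the provider signed them
    if resp["openid.response_nonce"] in seen_nonces:
        return None  # replayed assertion
    seen_nonces.add(resp["openid.response_nonce"])
    return resp["openid.claimed_id"]
```
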

I remember when I first heard about this idea years ago. The first concern I had was that in order for this to work, I need a provider to keep track of all my accounts. So I asked myself the question: whom do I trust to do this for me? The answer came back: myself. I don't know about you, but the idea of some third party storing all my logins doesn't make me feel warm and cuddly. As it happens, the open in OpenID means you can choose any provider you want, including yourself. You just set up some PHP scripts and voila, you can use as your provider. So basically, instead of storing your accounts in some "account manager" program on your computer, you do the same thing on your server. This is where the concept of OpenID died for me. I don't want to have to depend on my own OpenID provider to work in order to use other sites. I don't want to add a dependency on my ability to log in to some other site contingent on the assumption that my own site is available and working properly at all times (which it isn't, I have a little downtime like everyone else).

If you don't want the hassle of being your own provider, you can pick a provider from a list. This is not an attractive fallback option, because now your account on the provider is your key to all your other accounts. If I have an account on some site and I forget my credentials, big deal, I only lose that one account. But if I lose my credentials on the provider, I lose everything.

In theory, OpenID tries to improve your overall security. The hassle of keeping track of accounts is known to us all, and we get around the problem by reusing the same (or similar) credentials on a lot of sites. This is obviously bad for security, because if someone gets your password to one site, they can access all your other accounts that use this password. So security people will always recommend that you use distinct credentials for every account. Suppose you do this, and you use OpenID to alleviate record keeping. Now, OpenID actually works against you. Your account on the OpenID provider is the key to everything. With a different password on every site, you're that much less likely to remember what it was, therefore your account on the provider is proportionally more valuable.

There is a strange irony at play here. Supposedly, the more accounts you manage with OpenID the more useful it is. But on the other hand, the more accounts you manage with it, the more you depend on it, and the more you make it the one gateway to all your online identities for a potential attacker or for abuse by a dishonest or incompetent provider.

Most importantly, however, OpenID's solution to the login problem isn't a very clever solution at all. Typing is not a big improvement over a username/password form. My browser already gives me the option to log in without typing anything.

Those are my reasons why OpenID is a bad idea and should have died years ago. If you want more, Stefan Brands has an exhaustive laundry list of problems with OpenID.

3 Responses to "OpenID deserves to die"

  1. I also have problems with OpenID. First I think it needs to be on a centralized server. Yeah, you can use your own but how many people besides us geeks do? Also I could never trust the security. Centralized login/passwords are what it's all about and it's a good idea but how secure are they?

    If you need OpenID 'cause you use multiple PCs - get a laptop!

  2. J says:

    I like the idea of OpenID. Just in practice it is not working so well.

  3. Samat Jain says:

    There are a lot of problems with OpenID, but I'm not following the ones you make.

    So, you said the concept died when you needed to put faith into a service provided by some third party provider, or a service you have to provide yourself. I don't see how this is different than anything else on the Internet... particularly e-mail. Most people use a 3rd party provider for e-mail, and those who do not want to trust those providers (including myself) host their entire e-mail stack themselves. If you're comfortable with the way e-mail works on the Internet, then you should be comfortable with the way OpenID works. (This touches a legitimate OpenID problem: it does authentication, not identification, so it does nothing to prevent abuse from spammers. That's another topic, however).

    I don't know about you, but I have a lot of logins. With OpenID, I only need to remember my authentication with my OpenID provider, something that I would use so frequently that it'd be difficult to forget. Because it's centralized and I only have one to remember, I can also change its credentials more often and do all those good security practices that few ever actually do.

    Now, onto the real benefit of OpenID: it's a framework. It puts a lot of power in the hands of the provider, but that's the point. That provider (which you can control) can perform any kind of whacked-out challenge to verify you imaginable. Some things that exist today (or could exist):

    Verify a user by some second factor, such as an RSA SecurID token, or a browser certificate (done by Verisign's PIP).

    Verify a user by a key file stored on their computer, such as their GPG key. Provider could leverage something like FireGPG and GpgAuth.

    Verify a user by their fingerprint or some other biometric. Provider could interact with some other software controlling another authentication device.

    So, the point is, OpenID is a lot better than anything else we're doing now, and it enables sophistication and better security.

    Yes, all of the above could be done with some kind of fat client (i.e. in-browser) password manager, but guess what, we've had decades to do it and no one has come up with a good solution (and it's still not secure---the weakest link is still the password!).