programming and human factors
by Jeff Atwood
As we continue to work on the code that will eventually become stackoverflow, we belatedly realized that we'd be contributing to the glut of username and passwords on the web. I have fifty online logins, and I can't remember any of them! Adding that fifty-first set of stackoverflow.com credentials is unlikely to help matters.
With some urging from my friend Jon Galloway, I decided to take a look at OpenID. OpenID aims to solve the login explosion problem:
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.
In the spirit of Show, Don't Tell, here's how it works:
Let's say you're visiting a new website for the first time. As you browse around, eventually you'll do something that requires more than anonymous guest access. So you'll get shunted to the "create a new account" page, in whatever form that takes. I'm sure everyone reading this knows the drill. But if the website is OpenID enabled, you don't have to go through all the typical rigamarole necessary to create a new account. Instead, you can enter your OpenID login:
I'm going to indulge in a bit of hand waving here and assume that you already have an OpenID login. It's not such a terrible stretch, honestly; every AOL and Yahoo user already has an OpenID login even if they don't know it yet.
OpenIDs are technically URLs. Here are a few examples:
That's one usability problem with OpenID: you have to remember a relatively complete personal URL that no two OpenID providers define the same way. Which compares unfavorably to, say, remembering your email address. There are shortcuts around this that I'll describe later, but for now, there's ID selector, which provides a reasonably friendly UI for building an OpenID login URL.
If you enter the right URL, you'll get redirected back to your OpenID provider, where you'll enter your single set of login credentials.
You'll be prompted to add this site to your provider's list of "trusted sites" for your account. Once you do this, you can bypass all of these steps the next time you're on the site.
And, finally, you're logged in for the first time!
If that seems like extra work -- and remember, I'm not counting the time it took to set up the initial account at ClaimID, either -- well, I won't lie to you. It is more work. But it's worth noting that:
It's not exactly frictionless, but it's a heck of an improvement over having to remember 50 different usernames and passwords for 50 different websites, wouldn't you say? I think it compares quite favorably with the current champion of frictionless communication: anonymous comment boxes. They typically have three fields to fill out: username, URL, and email. OpenID requires only one. Your provider can proxy your URL and email back to the blog automatically from your provider profile, if you choose a smart provider with attribute exchange support.
Which brings me to the other problem with OpenID. The quality of your OpenID experience is heavily influenced by the provider you choose. For example, Yahoo! is smart enough to work even if you enter nothing but "yahoo.com" as your OpenID URL. That is, assuming you've enabled OpenID support for your Yahoo! login. Providers can also offer unique functionality that sets them apart, too. For example, SignOn.com allows the use of Information Cards in Windows, so you can log into a website without ever typing in a password! It's a bit of work, as you have to associate the Information Card with your provider account first, but I tried it, and it works as advertised.
My experiments with OpenID were quite positive, but all is not wine and roses in the land of OpenID. Stefan Brands identifies some potentially large problems with OpenID, backed by exhaustive references:
As I mentioned above, I feel most of these criticisms can be mitigated by picking a quality, trustworthy OpenID Provider. Particularly one that uses SSL. Since it's an open ecosystem, I'd hope the more reputable and reliable OpenID providers would rise to the top. And consider the advantages: as an application developer, you no longer have to store passwords! That's a huge advantage, because storing passwords is the last business you want to be in. Trust me on this one.
I also found Jan Miksovsky's criticisms of the user experience of OpenID -- as of 6 months ago -- fairly damning:
And all this is for -- what, exactly? To save me from having to pick a user name and password? As annoying as that can be, it's just not that hard! Remembering an arbitrary user name does cause real trouble, but simply allowing email addresses to be used as IDs can solve almost all of that problem. As more and more sites allow email addresses as IDs, the need for OpenID becomes less compelling to a consumer.For the time being, I can't imagine a sane business operator forcing their precious visitors through this gauntlet of user experience issues just for the marginal benefits that accrue to a shared form of ID. I've read numerous claims that all it will take is for someone big like Google to support OpenID to crack this problem open. Unfortunately, there's no business of any size that can afford to direct their traffic down a dead end.
Most service operators will, at best, offer users a choice between using a proprietary ID or an OpenID, creating a terrible economic proposition for a consumer. Faced with the proposition of: 1) struggling once for thirty minutes to struggle through a process they can barely understand, or 2) spending two minutes on every new site breezing through a familiar process they've done countless times before, normal busy people will choose the familiar route time and time again. I'll bet anything that most people will keep going for proprietary IDs, further deferring the network effects possible from OpenID adoption.
Perhaps the most compelling point Jan makes is this one: it is a bit odd to ask users to associate themselves with an arbitrary URL instead of an email address. I definitely saw some rough edges in today's experimentation, but I'd say the user experience has improved since Jan looked at OpenID. That's encouraging.
I realize that OpenID is far from an ideal solution. But right now, the one-login-per-website problem is so bad that I am willing to accept these tradeoffs for a partial worse is better solution. There's absolutely no way I'd put my banking credentials behind an OpenID. But there are also dozens of sites that I don't need anything remotely approaching banking-grade security for, and I use these sites far more often than my bank. The collective pain of remembering all these logins -- and the way my email inbox becomes a de-facto collecting point and security gateway for all of them -- is substantial.
If you're a software developer building an application that requires user accounts, please consider using OpenID rather than polluting the world with yet another login and password. I also encourage you to experiment with OpenID as a user. Create one. Try logging in somewhere with one. If you don't like the experience, or if you agree with one (or more) of the criticisms I listed above, how can we collectively fix it? We desperately need a solution to the login explosion, and right now the only thing I've seen on the horizon that has any kind of critical mass whatsoever is OpenID.
If we can't make OpenID work, at least for run of the mill, low-value credentials that litter the web in increasing numbers -- what hope do we have of ever fixing the login explosion problem?
From the post:
As I mentioned above, I feel most of these criticisms can be mitigated by picking a quality, trustworthy OpenID Provider. Particularly one that uses SSL. Since it's an open ecosystem, I'd hope the more reputable and reliable OpenID providers would rise to the top.
That can only happen if it's nearly trivially easy to move an ID from one provider to another. For instance, if AOL.com had a button saying "move this ID to Yahoo.com." Admittedly I don't know much about OpenID, but I just don't see that happening.
If there's even the slightest friction to moving providers, nobody will do it.
Secondly, does OpenID contain a mechanism to merge accounts? One of the nice things about the Hotmail/Passport system is that if you have multiple IDs (old Hotmail address, new Xbox Live account, maybe a MSN Games account), you can merge them all together under the same Passport email address.
It's extremely likely that most people already have more than one of these, for example I have a AOL one (via AOL Instant Messenger), a Blogger one, and a Yahoo one. Can I log on to Yahoo using my Blogger OpenID, and then tell Yahoo to merge the information it has with the information Blogger has?
Until OpenID contains functions to move and merge accounts, I don't see it taking off. Right now, if I make an OpenID with SomeSeedySite.com, then later find out that they support Chinese suppression of free speech, or sell person info to spammers... I'm stuck! I can't move my logins to another provider.
James Schend on May 23, 2008 12:07 PMUgh, this blogging system erased the quote from the article. It was:
As I mentioned above, I feel most of these criticisms can be mitigated by picking a quality, trustworthy OpenID Provider. Particularly one that uses SSL. Since it's an open ecosystem, I'd hope the more reputable and reliable OpenID providers would rise to the top.
In the name of usability, if you're going to put a huge red "no HTML" indicator on the comments field, please let people type greater-than and less-than signs in the post.
James Schend on May 23, 2008 12:09 PMVery informative and well written article and lots of insightful comments. Its awesome to see this kind of dialog going on around the topic of OpenID. I work for a company called Vidoop and we have been working to address alot of these concerns with our OpenID provider myVidoop: http://myvidoop.com
Specifically we want people to feel comfortable using OpenID for more high value transactions and so we have implemented a two factor authentication system called RecognitionAUTH. Without requiring any additional hardware or software we have a image based login system that generates a random passcode for every login. We also offer a password manager for storing/organizing your traditional logins and passwords, support OpenID delegation (use your own domain as your OpenID), have custom activity reports, and more. You can create an OpenID and check it out for free.
We are not the only ones either, I would trust logging in to my bank with a Verisign or myOpenID account. Verisign offers a secure OpenID option using tokens and myOpenID has an out of band phone pin or some such.
If you want to make it easy to refer people to get an OpenID from myVidoop we have an affiliate program at http://affiliates.vidoop.com myOpenID has an affiliate program as well. Joining an affiliate program is a way for the site operator to keep the user from having to wade through all the providers on the OpenID wiki and possibly getting stuck with an unreliable provider.
It is also worthwhile to note that OpenID is only a component in the identity stack, there is an excellent description of everything that goes into someone's identity beyond OpenID here: http://blogs.oracle.com/talkingidentity/2008/05/05
At the end of the day there are certainly many valid critiques of OpenID. Though with so many great organizations involved with OpenID now I expect things will keep improving.
Stefan Brands is selling Credentica, a competitor to OpenID. Credentica indeed has some advantages over OpenID, but it isn't free and doesn't work in Web browsers so it's basically unusable.
Wes Felter on May 23, 2008 12:36 PMIts a basic mistake in architecture that I am quite dissapointed in you for giving it this much consideration.
Trust some company with my username / password? Why would you trust a company when companies certainly are not trustworthy with your data.
A solution that only works for for some sites? Why bother? Encrypt your firefox profile, get a plugin to automatically enter form data and be done with it.
@James Schend, your OpenID can be separate from your OpenID provider, so that you can switch providers without changing your ID. Your OpenID URL can be any web page that you control; you just add some HTML to the headers to point to whichever OpenID provider you trust today.
rfunk on May 23, 2008 1:10 PM@Christian Nunciato, I'd much rather have my password managed by a single site that I trust, and all other sites checking with them, than store a password at each of those other sites. Jeff has blogged previously about how much web programmers get password-authentication wrong -- and even he got it a bit wrong at the time, as I recall. I don't trust my passwords in the code of very many web programmers, so I'm happy to have a system that allows me to give my trust to the few that I do.
rfunk on May 23, 2008 1:15 PMI like OpenID, I really like the Attribute Exchange. My openid provider (which is one I wrote) provides an avatar image as part of the attribute exchange.
So if this website supported openid and used avatars, I wouldn't have to do anything special to get my avatar next to this comment.
Sean on May 24, 2008 4:07 AMDrambuie:
here's how openid works:
I punch in my openid to codinghorror.com. Codinghorror.com fetches the URL I just provided and looks at the sourcecode for that page for the openid server.
codinghorror then connects directly to the openid server and does a public/private key exchange. It also redirects my browser to my openid server.
If I'm already logged into my openid server, it asks me to confirm that I want to login to codinghorror. Then it redirects me back to codinghorror.com, passing along a "authentication succeeded" or "authentication failed" message that it signs with the key from the keyexchange.
Codinghorror now knows that I "own" the identity I provided. Noone else can use my url as their identity because the openid server identified in the linkrel tag on my website won't authenticate them.
Sean on May 24, 2008 4:19 AMI dont think I'll ever leave my whole internet-identity to a 3rd-part to handle. A local program that handles all my logins (both web and desktop applications) is better. All passwords are stored locally and can be on an USB-drive. No way I'll use the same account on more than one site. It's not secure enough.
And those 5 minutes it takes to create an account on every new community I choose to join is nothing that bother me. And it's generally good that I have to confirm a new join by reading my email and click on an confirm-link.
I use to change my regmail after registration so that its impossible to use "forget password" if hackers hack my email account. I just store all my passwords on an crypted USB-drive and also use my fingerprint reader s that I dont have to know or remember my passwords. In a worst case scenario where I lose my usb-drive and backup, and my finger print reader software stop work its allmost allways possible to reset your password by contacting the community and proofe you are the "right" person by IP-check and lookups in loggfiles.. I have never lost an account yet.
As you said, it's not so much the password and username generation as it is remembering them.
Unless you use a public access terminal, you can always just let your browser remember the passwords and usernames on less security intensive sites.
secondarily, carry a book with your logins stored in it!
writing logins on the first page, passwords on the last, and on a third page marked with a casual list of the websites on the marked page.
Technically you can do this with any book, and use a scrap third paper with all the sites on it as a bookmark itself.
personally, I prefer doing it with my contact address book. random notes and email lists aren't likely to seem out of place (you can disguise any site as an email address... Think about it. :P).
People aren't likely to figure out, regardless of your method, and quite frankly, few people in your day to day life care about your passwords.
I just believe that there's plenty of ways around this, and do not like having, well, yet another login to remember my logins.
Postindustrialist on May 24, 2008 7:06 AM@Arron
For Firefox, the Master Password is offered to protect that. If you set it (the checkbox is on the left side right above the Show Passwords button), then try your trick, it'll ask for the master password before letting you see the passwords.
OpenID is a technology that is not needed. I didn't see even one case in the article or comments where OpenID is needed.
I saw very few comments on existing software solutions (firefox and roboform). Roboform also has many free (somewhat) equivalents, so price shouldn't be the objection.
I use Roboform Portable, for example. It has a lot more security than any form of OpenID can ever have. And, this approach could much more easily be a universal solution, with more advantages, especially with security.
Perhaps at it's inception, it seemed as viable a choice as the other two similar ones above, but technology has evolved enough already to make it a waste of time to persue.
One of the largest problems with our profession is the enamoration with technology for it's own sake. Not to mention the marketing profession creating new solutions and then looking for a problem set to match up.
Stephan on May 24, 2008 7:46 AMAre those of use without personal websites going to be left out in the cold? I don't think I understand this 'URL as a username' thing at all.
bp on May 24, 2008 1:48 PMThe problem with openID is that it's only us geeks that know about it.
Same problem that another decentralized chat-protocol, Jabber, has. http://www.jabber.org/
Carzy Ivan on May 24, 2008 1:51 PMOne of the largest problems with our profession is the enamoration with technology for it's own sake.
Stephan, in the context of the rest of your comment, I find this statement overwhelmingly ironic.
Yes, who needs a distributed web-based system, when people could simply install programs and use encrypted USB drives?
Jeff Atwood on May 25, 2008 3:05 AMDoes the world need another password? no more then the world needing yet another website with the same goal as 9 billion other ones ...
Jminadeo on May 25, 2008 5:12 AMWhile OpenID may not be acceptable for larger sites, I certainly think that it is a boon for smaller sites. Instead of having to enter credentials for every (insert blog name here) users can just use the OpenID URL, which is exactly the point. Furthermore, some popular content management systems (such as Drupal) now have built-in OpenID support, making it no more than a couple of clicks for a site administrator to enable OpenID support. The power of OpenID is similar to the power of open source software; it allows for many small parties to band together to become more influential as a whole. While it still has problems, some simple changes (such as changing logins to an e-mail address format) would give OpenID a lot of sway.
Kyle Cunningham on May 25, 2008 7:43 AMActually, needing authentication to contribute increasingly bars me from participation on several websites. At work I plan to implement a single sign-on strategy for all our infrastructure eventually (hey, first I need to drag them into the 21st century and get nightly automated build and regression testing implemented).
All solutions I've encountered are inelegant, and it takes extended interaction with a site to convince me of the benefits of registering. I suspect that, at some point, I'll just maintain my own blog and write all my comments to everything I spot on the web *there* instead.
Oluseyi on May 25, 2008 9:31 AMOpenID is a great concept but the solution to the glut is really not that complicated. Why not use the same email address as a username and a (same) strong password for all sites? (eight characters, some caps, some numbers, maybe some special characters).
Looking at Windows Live login, which took about a decade to work correctly, I have to wonder how much money and brain cycles are wasted on essentially mundane matters (strong password should be a mundane matter by now).
Great post, very refreshing after previous two posts :)
SamG on May 25, 2008 10:33 AMA lot of people here doesn't seem to have a clear idea about how openid works. That includes Jeff himself, when he quoted Dare about why openid will not be adopted by big players.
Look, there is no such thing as a "pseudo" account or whatever that Dare likes to call it. If your app supports openid, your users will still create their accounts at your site. Period.
Having openid just makes the process easier for the users, because
- they don't need to have another set of username and password
- their identities (name, address, sex, etc), if stored in the provider, can be automatically captured by the app
- they only need to sign in once to the provider and will then able to bypass login for all the trusted apps
As an user of Opera, I have been able to enjoy some of the above benefits by using Opera Wand. Hopefully the adoption of openid will make other browsers more bearable to use :D
j-kidd on May 25, 2008 1:28 PMI can't help but think that it may be more successful if the official OpenID website actually had some information about OpenID and how it works rather than just a sales pitch which encourages you to get an OpenID with no idea as to what it will involve or how it will work when you use it.
Visiting a few providers, I encounter the same problem: I am offered a sign-up process but absolutely no information of how it works from the user perspective or how my identity would be protected.
@[ICR]: What do you mean by move? You mean buying a new one? No problem, I migrated my Firefox profile already from my original computer to a new one in the past and recently again, no issues with that, all my passwords are there.
Or did you mean sitting at "someone's else" computer? You really dare to type your OpenID password or any password on someone else's computer? Wow, you are brave. If he has a keylogger running, you just gave him access to ... well, in my case to a small hand full of sides, in your case, thanks to OpenID, to pretty much everything. Very brave of you to always trust anyone to not do that.
Mecki on May 26, 2008 6:29 AMRoboform, bitches!
Actually it is lacking compared to openid, in one respect: you still have to create an account on every site. I like the idea of not having to do that.
spemless on May 26, 2008 8:39 AMSite-wide login is a great idea, but from what I'm reading OpenID is a pile of dog crap.
The biggest single thing I /don't/ want to do is to allow easy linking if identity between websites. If anything my email and my real OpenID should be protected and only known to the OpenID provider. Dozens of annoying account creation screens are lame, but they'll still exist. Sure I suppose a court order can be given to an OpenID provider to provide a list of accounts, but that would be pretty rare and as I see it allowable assuming due diligence of the courts.
Also, for the security minded, OpenID could allow you to have a sub-password per site, but let that be up to the user.
From what I can see, the only bonus from a single signon comes from storing some contact information that you give to some sites. i.e. Amazon and billing address, current CC info, etc. Not having to update it all of the time, and hopefully having it securely stored by the provider. The consumer sites using OpenID then don't need all of that information all of the time, and their policies would erase the data after a certain timeframe.
In the end though, what'll happen is it'll be like every stupid facebook application that needs to know everything about you before you can use it, so what's the point of having checkboxes to tick if they're always ticked and you completely give away all that information instead of at least being able to obscure your online identity, even if just a little.
The only place it doesn't matter is when it's all the same company. google* or MSDN, but I'd never, ever use their 'single sign-in' anywhere else. (until they're bought I guess)
noman on May 26, 2008 8:41 AMWhat Jon Cram said, it's to technical atm.
What is the major reason why everyone is using msn these days instead of icq ass even though icq had tons of users before even msn was thought of.
1. You can pick your own, easy-to-remember, loginname instead of having
to remember a random 14-digit number.
And you guys who promote roboform etc? How do you login when you don't have acess to your own computer? At our school we can't access the usb-ports and i doubt you can at most internet-cafes eighter.
Erikperik on May 26, 2008 9:15 AMAnd you guys who promote roboform etc? How do you login when you don't have acess to your own computer?
Agreed; and:
How many average people do you know... (auto mechanics, factory/warehouse employees, chefs, etc. etc. etc.) that want to carry around a usb device everywhere they go so that they can check their e-mail or post on their facebook or whatnot? It's absurd.
Steve-O on May 26, 2008 9:52 AMJon Cram writes: "normal users don't get web addresses." It is true that the OpenID community can do a lot to make this technology more accessible. One small step in the right direction is a universal OpenID login widget: ID Selector (www.idselector.com). If websites implement this tool, all users get a consistent experience where they don't need to remember the full OpenID URL syntax, just their account name. Further, on a return visit, users get "single click login" with no URL to remember or type in.
Brian Kissel on May 26, 2008 9:52 AMOpenID is another thing i won't use. First of all it's a real single source of risk. On some OpenID providers you can see all websites which are linked to your OpenID. That means if someone hacks that account, he can access every website with your personal information. That is worse than an email account. Normally with an email account he can't really know for which website the adress is used for (or do you store every website with login name in your emailaccount?).
I use different mail addresses for joining a site based on a few things:
1. Do I want to login multiple times or is it more a one time shot to try out the service
2. Do I really trust the site
3. Do I except spam (and spam could also be a newsletter)
...
For this, I would need multiple OpenID's. So why should I bother with OpenIDs, if I can simple remember a handful of logins passwords based on how I use the service? If it's a one timer, I can simple forget it. If I really use the page more often (~12 pages) I can remember the logins.
The second big issue is:
I don't want to be trackable. No user specific advertising. Not the same login name for every site I use. No pseudo-social networking over the web. This privacy issue is not only on provider site. You can simply write a bot which goes over different sites which are using OpenIDs and match usernames. You can use it for personal advertising and user statistics on your OpenID site. And to be true, I believe that most yahoo users will use their normal login name as OpenID. So you know where to spam to. I don't want wo see the aoutmated generated IDs. Do you want usernames like DSAFHREBV_34214_GSDFG ?
OpenID is not about having a single password. OpenID is about deferring the identification procedure to a user-chosen server
(who might use a single password, but that just an option).
OpenID is always to the advantage of the user, never to the site,
which do not have any trust link with the openID server.
There a basically three kind of web site with password:
1) site that force you to create an free account whose security whose security is useless to you (e.g to read the NY times)
2) site whose security is important to you more than to the site
(e.g. your gmail account, your blog)
3) site whose security is important to both party (e.g. your bank account especially if the bank have to indemnify you from Internet fraud)
Comments seems to suggest openID is useful for 1) and 2) and dangerous for 3). Actually it is useless for 1) good for 2) and 3) if you use your own server.
In case 1) you would prefer not to have to create an account in the first place. If the site would allow openID, then you could just use
a 'bugmenot' ID that always authenticate.
In case 2) openID allows you to implement an openID server that use whatever security procedure you prefer over the login/password gig.
This assume the site implement openID correctly and does not add
security issues.
In case 3) the bank should supplement the openID procedure with its
own security procedure to protect against insecure openID server.
In any case running you own openID server is almost a must to make
the concept useful and keep your privacy. Note that such server only need to run when you access openID using site and not 24/24.
If you do not want the trouble to run your own openID server, then a password manager is probably better suited to you.
Storing all you login/password in your Gmail account is about as safe
than using Yahoo openID server, and better protect your privacy
(Google having no way to know how you are using them, while the openID server will know).
On the other hand, if you run your own server you can implement whatever authentification scheme suit you, from a single password,
multiple password to use-smartcard-on-computer-in-the-basement-behind-thick-iron-gates.
No one seems to have mentioned that in addition to multifactor authentication, Verisign also has the firefox Seatbelt plugin, which makes using OpenID very easy.
Jake on May 27, 2008 6:30 AMI have two logins for different kinds of accounts. One for high security (bank accounts,etc) and one for low security (blogs, etc). That way if I come back to a blog I haven't used for a long time I know what my login info is.
BrianK on May 27, 2008 7:55 AMCommenters advocating using a USB stick with KeePass or equivalent now need to worry about what happens if you travel abroad. If you take the stick with you, many countries' Immigration Agents are allowed to take it away and copy it, and even require you to provide your master password. If you refuse you could be labelled a Terrorist and thrown in jail until they decide to let you go; that country's government now has full access to all your accounts.
Andrew J on May 27, 2008 10:08 AMOk so now how is this better or more secure or so - on compared to just using the same ID and PW on all the little low-level security type sites? I mean for the consumer? Seems to me a waste of OUR time. If I'm not really worried too much about security, I have a small set of IDs and PWs I commonly use in a mix- match way so I can if i forget "hack" my own account, lol!I would not trust this for something involving money or detailed personal info anyway. The Idea that someone could get control of my login info at thousands of sites is way off the chart scary! And what would changing that account entail?
Sorry I don't see it being a good alternative, just an alternative, and that is not enough to make me want to take the time to bother with it!
Next idea?
So you'll use OpenID for stackoverflow? Thanks!
LKM on May 27, 2008 1:46 PMWell, Jeff, you state: "There's absolutely no way I'd put my banking credentials behind an OpenID. But there are also dozens of sites that I don't need anything remotely approaching banking-grade security for..."
In other words, there's no incentive for using anything other than minimal security for the sites where OpenID works best and therefore why not use the SAME username/password for all of them? I don't care if my MapMyRun account is compromised. Who's going to hack into it, anyway? What are they going to do, make my Sunday runs another mile longer? Tee-hee-hee! Jokes on me!
Mark Culley on May 28, 2008 3:40 AMI like the idea of OpenID, but I'm curious if you have any response to the security issues Stefan Brands discusses over on The Identity Corner (http://idcorner.org/2007/08/22/the-problems-with-openid/)?
Psidefect on May 28, 2008 7:06 AMI'm not sure OpenID saves the consuming site that much trouble.
1. You still have to offer non-openid profiles (usernames and passwords), because not every user will (know they) have an OpenID or be prepared to use it.
2. Worse, I suspect you'll find it necessary to support a profile record with *multiple* OpenID records attached. Because people won't be consistent in which one they use. So they'll, over time, want you to remember multiple OpenIDs for them.
@Stephan: "One of the largest problems with our profession is the enamoration with technology for it's own sake."
Amen.
If we think of the number of sites that require registration in terms of gas prices, the Internet is well over $4/gallon.
But why are the only people talking about logins techies? My parents never complain about multiple logins. It's just part of using the Internet and something they've become accustomed to.
"Hey Mom, choose an OpenID provider."
Heh yeah, right.
a href="http://freakonomics.blogs.nytimes.com/2007/09/11/is-openid-the-solution-to-online-identity-theft/"http://freakonomics.blogs.nytimes.com/2007/09/11/is-openid-the-solution-to-online-identity-theft//a
"...almost three-quarters of identity theft victims incur no damages from the crime"
My guess is that it's not really a problem we think it is.
Rob S. on May 30, 2008 2:01 AMIf you're implementing OpenID, still get the user's email address and still let them have the "reset by email" option.
Why? Because users are stupid and will open accounts with OpenID servers at urls that don't own.
OpenID works well if it's your domain name and you can transparently switch providers in the background, but not at all if you're using a 3rd party URL you have no control over.
engtech on May 31, 2008 10:40 AMThis may be a naive solution to the identity problem, but can someone tell me what is wrong with the following simple solution?
A user simply has to enter his or her email address on the logon form. The site then sends a one time password to the email address. The user then enters that one time password and, voila, they are signed on to the site.
flipdoubt on June 1, 2008 4:10 AMIt's not just a matter of trusting the provider. You also have to trust in the honesty of all the key IT people working for the provider, none of whom you've ever met. You also have to trust in their competency. And if their site is ever hacked, your entire online identity is free for the taking.
I prefer to keep a file on my USB flash drive. Since all my passwords generally are variations on the same theme, I keep in this file not the passwords themselves, but what varies on each one. Then I also encrypt the file, and have an app on the flash drive that accepts a super-strong master password as part of the encryption key for the file.
Maybe it has a few potential flaws, but they all depend on a number of improbably "ifs", almost all of them under my control.
Cory J on June 4, 2008 10:24 AMSo far I have been enjoying the stackoverflow podcasts and after the discussion on OpenId I thought I'd find out if Community Server supported it (as that is what my blog is written using) as I never worked out how to allow anonymous moderated comments.
In the process I found this interesting post, its targeted at Community Server but I think that its theory is useful for all the readers on this topic.
So if you follow his advice which I have done you can reuse your blog address as your OpenId url.
http://dotnet.org.za/armand/archive/2007/02/08/OpenIDCS.aspx
Anthony Main on June 4, 2008 12:43 PMOh, come on. How hard is to have a logins.txt file on your desktop in site:user:pass format lines?
Clever guy on June 6, 2008 1:36 PMOh, come on. How hard is to have a logins.txt file on your desktop in site:user:pass format lines?
Oh, come on. How hard is to have a build a trojan that steals the files on your desktop?
OpenID has been proven too insecure for even trivial applications. Given the setup complexity involved in this type of system one shouldn't even bother.
Cardspace/Infocard seems a bit more serious effort that I'd like to see implemented - infact I looked at what it would take to implement but it was all so confusing that unless they make a perfectly presented step by step implementation video I fear others will also find it quite involved.
ubergeek on August 27, 2008 10:35 AMOpenID is a nonsolution to a nonsolution to a nonproblem. For the vast majority of Web sites that require credentials, there is no benefit whatsoever to the user in having a unique username protected with a secret password. There is, however, a benefit to the Web sites: They get an opportunity to build a database of confirmed-active e-mail addresses that they can sell to spammers. The popularity of Bugmenot is an obvious consequence of this situation.
The real solution is to design your site as if there was no such thing as login credentials, except for the administrator, unless your site handles REALLY FUCKING SENSITIVE information.
i still need help as i only understand oof the information iv read so what do i do to resolve my problem with my internet username and internet password im only a beginer please help me
mr shaun hague on January 25, 2009 4:08 AMlets move on and learn more about internet problems or should i say a brain drainer
mr shaun hague on January 25, 2009 4:16 AMJust tried to sign up for StackOverflow - just as a data point, looked way too hard (for after 1 in the morning). No chance I could ever talk my parents through it (I know they're not your target market, but I use that as my benchmark for understandability).
Usernames and passwords I'm prepared for; editing one of my websites to add link tags for delegation or signing up at yet another provider to get yet another token isn't something I was interested in doing.
Friction claims another victim. Maybe when I'm more awake.
Is that a deliberate technique to weed out lesser mortal programmers? :)
TristanK on February 11, 2009 6:45 AMOr you could just use the Firefox password storage system - it's basically the same thing as OpenID, but stored on your local machine. This completely eliminates the problem of a 30 minute barrier to entry - Firefox's password storage system is very intuitive and requires absolutely no explaining.
anon on February 6, 2010 10:24 PMMind telling us why OpenID is better than Microsoft Passport/LiveID/whatever, which has been around a lot longer and is actually associated with an e-mail address rather than an arbitrary URL?
Aaron G on February 6, 2010 10:24 PMI think ultimately this is going to be an example of "worse is worse".
For the run-of-the-mill user they don't remember 50 login id's and 50 passwords. They've got 1. an email address (for those sites that accept it), 2. a "handle" ("clintp" for those sites where the handle isn't already taken), 3. an "alternate handle" ("clintp32768" for those sites that have lots of ID's), 4. a "secret" id ("chickenlover69" for sites where they want to remain somewhat anonymous).
And for passwords? Realistically, 3 or 4 at most. The passwords will get recycled among those few login ID's.
And this represents a user of some sophistication. Lots of others will remember the login ID's to their favorite sites, but for the less-used they'll rely on sticky-notes and archived e-mail "welcome" messages.
OpenID is fighting 15 years of habits developed by users on the Internet for something that is:
1. Clearly more complicated to set up.
2. Another "tech fad" lacking critical mass.
3. Harder to explain to those that need an explanation.
4. Yet Another Centralized Password System -- and we all know how well those ultimately work out. (*cough* MS Passport *cough*).
It's a solution for a problem that doesn't really exist for users.
Stuart: I don't want choice. I just want it to work. I trust MS to have a secure logon system and more importantly, to not go offline, because otherwise all of their monolithic services like Hotmail would also be offline.
It's not that I'm carrying the water for Microsoft specifically, it's just that the more a company has riding on their own authentication system, the less likely it is that the system will have problems. Yahoo has proven themselves to be unreliable in the past, and all of these other mickey mouse OpenID providers have yet to prove to the world that they're scalable and reliable (or that they even care to be). Google would probably be OK too, but this is one of the rare cases where Google actually arrived late to the party.
The fact that OpenID is completely, uh, open, and that there's no barrier to entry whatsoever, is precisely the reason I *don't* like it. This isn't the bazaar, this is the front door to my life or my application and I'd like to make sure that the lock is half-decent. Of course it's just my opinion, but I think Passport *is* the "worse is better" choice in this case.
Decentralized data and distributed applications are wonderful. Decentralized *security* scares the hell out of me. But who knows, time may prove those fears to be unfounded.
Aaron G on February 6, 2010 10:24 PMIf you're implementing OpenID on .NET, be sure to check out the dotnetopenid project [ a href="http://code.google.com/p/dotnetopenid/"http://code.google.com/p/dotnetopenid//a ] and read Scott Hanselman's excellent walkthrough of several common scenarios [ a href="http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx"http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx/a ].
Jon Galloway on February 6, 2010 10:24 PMI have to agree with Stephen. Your basically doing a lot work for people who don't organize thier account(s). 50 accounts, try using the same ID and password for each one!!
Maintain 3 different accounts:
Personal Account(s) - Yahoo, etc.
Work Account(s) - Developer sites, etc.
Secure Account(s) - Online banking, etc.
Each account grouping all use the same ID and password. Separate out the personal and work stuff from the secure items, so it Yahoo or StackOverflow.com gets compromised, then they can't empty out the bank account. Easy to manage, right?
But of course, the password Nazis like to have thier fun so this doesn't always work out.
I've never liked the following about passwords:
Enforced password complexity - I feel that if you enforce password complexity, you actually make the system less secure. Why? If you force users into a set of rules, you know what? They will not be able to remember 1!@jkT6Eq as thier password. What do they do? They will write the password down and put a sticky note next to thier computer with the password on it so they can log in. Let them type in something meaningful to them. Now the cleaning crew can log into your internal network.
Password Changes Every X amount of days - This is especially annoying. Why do I have to change my password to the system, is the system that insecure?? Usually, after a few changes, I run out of meaningful word combinations and I just make something up and write it down so I can remember it.
Other ones are system generated passwords, length, and character requirements.
Moronic, these policies are.
A password does nothing to authenticate the true identity of the user. All it does is it puts up a barrier for entry. Just by typing in my ID and password does not verify that the user who typed it is the one who actually created the account. It just verifies the piece of stored information.
I'm not sure what the solution in the future is (hand prints, eye scans, etc), but I hope it will not be IDs and passwords.
[] Remember Login
JAtkinson on February 6, 2010 10:24 PMI posted something on craigslist the other day and I didn't have to create an account. All I did was provide an email account. Craigslist sent me an email with a link to a site that would allow me to edit my posting. This is such an easy solution, especially for sites where you only use it once or twice a year. Then if I get tired of just using email to manage my postings, I can create an account.
I think the solution is to design your website so that a user doesn't need to create an account until he/she is using your website frequently enough that he/she can remember the username and password.
Jon on February 6, 2010 10:24 PMOpenID needs to be more easy to use before being widely accepted, no matter how much I'd like to see a single online identity become a standard.
Everyone reading this article is highly capable of 'getting' computers and any associated complex concepts and in spite of this OpenID manages to cause us problems. Us, and we're the ones that should 'get it'. Some commenters have clearly stated that they don't quite understand it. Did anyone really 'get' OpenID first time round? Really get it?
Under wide-acceptance conditions /everyone/ should 'get' OpenID first time without question. At worst, /we/ should all 'get' OpenID first time round with no exceptions. We don't. This should be a big warning.
We're not our users. We'd all like to see OpenID working. But it won't, because we're too focused on the techy bits, the security concerns, the features and the 'wow - it works' to notice the obvious flaw staring us in the face: normal users don't get web addresses.
Tell a user a web address is 'subdomain.example.com' they'll repeat back 'subdomain@example.com'. Without 'www' included, most users don't really get web addresses. They'll not get how a web address relates to them. They'll not get OpenID. They'll confuse email addresses with OpenID web addresses. They'll not get OpenID. This is a shame, but is what will happen. Normal users won't get it.
No matter how good the OpenID specs and infrastructure are, it will fail for the above reasons. We might even get people implementing alternative single identity concepts to address deficiencies in OpenID. We'll replace the multiple-sets-of-usernames-and-passwords problem with a multiple-sets-of-single-online-identity-solutions problem.
Let's not let our desire to get a standard single online identity cloud our judgement here. Users don't get web addresses and as such OpenID will fail.
Let's get some decent user testing and research done now before we go too far in backing a flawed horse. Let's identify the flaws quickly and do what we do best by designing intelligent solutions that can be used, not merely ones that function. And repeat until it works.
OpenID is a good starting point, but not the end point a lot may want it to be.
This is a shame, but it happens. Now's the time to fix it not implement it.
Jon Cram on February 6, 2010 10:24 PMI didn't read much of the comments, but just wanted to say that there _are_ some potential security risks (mostly phishing stuff) with OpenID:
Beginner's guide to OpenID phishing:
http://marcoslot.net/apps/openid/
OpenID: Phishing Heaven: http://www.links.org/?p=187
Integrating OpenID and Infocard: http://www.identityblog.com/?p=659
OpenID Phishing Demo: http://idtheft.fun.de/
Most of that stuff can be prevented if the user is aware of how it works, but as you know and Marco Slot explictly says: educating users is not an option!
I don't think that systems like OpenID are generally insecure, but I think its more complicated than everyone says it is.
Simon on February 6, 2010 10:24 PMGood article on a problem with OpenID. As it becomes more successful, it further reduces the security of our online accounts.
Part 1
http://my.opera.com/usability/blog/2009/03/16/openid-forging-the-ring
Part 2
http://my.opera.com/usability/blog/2009/03/17/openid-the-ring-to-rule-them-all
Facebook wants to "own" your identity to collect your browsing behavior and then sell it to advertisers or to sellers who wants to make suggestions to you based on your friends behaviors. It's like cable providers who are also content providers: an inherently corruptive combination. Delegating identity to third parties is a great idea, but FB is not a *third* party.
Vladimir Kelman on December 30, 2010 9:55 AMEither way, I store it in my safe, to which only I have the wow power leveling(http://www.playerassist.com/wow-us/wow-power-leveling.php).
Sexy girl! on May 30, 2011 8:51 PMI have noticed that recently a lot of sites allow you to log in through Facebook. More people have a Facebook than an OpenID so I can see the advantage there, but it makes me a bit nervous since Facebook is not a site that's been designed to allow you to log in to other sites: it is primarily a social networking site. I'd rather use an OpenID that is specifically designed to work as an OpenID, as I'd think its protocols would be more secure. As it is, I'm not sure I can trust that logging in through Facebook is secure.
Mtgandp on June 13, 2011 4:00 AMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |