November 24, 2010
Back in summer 2008 when we were building Stack Overflow, I chose OpenID logins for reasons documented in Does The World Really Need Yet Another Username and Password:
I realize that OpenID is far from an ideal solution. But right now, the one-login-per-website problem is so bad that I am willing to accept these tradeoffs for a partial worse is better solution. There's absolutely no way I'd put my banking credentials behind an OpenID. But there are also dozens of sites that I don't need anything remotely approaching banking-grade security for, and I use these sites far more often than my bank. The collective pain of remembering all these logins -- and the way my email inbox becomes a de-facto collecting point and security gateway for all of them -- is substantial.
It always pained me greatly that every rinky-dink website on the entire internet demanded that I create a special username and password just for them. Yes, if you're an alpha geek, then you probably use a combination of special software and USB key from your utility belt to generate secure usernames and passwords for the dozens of websites you frequent. But for the vast, silent majority of normals, who know nothing of security but desire convenience above all, this means one thing: using the same username and password over and over. And it's probably a simple password, too.
This is the status quo of identity on the internet. It is deeply and fundamentally broken.
But it doesn't have to be this way. If you open your wallet (or purse, or man-purse, or whatever), I bet you'll find a variety of credentials you use to prove your identity wherever you go.
The average wallet contains a few different forms of identity with varying strengths:
- Strong: California driver's license, student ID
- Moderate: credit cards, health insurance card, video rental membership, gym card
- Weak: Albertson's Preferred Card, Best Buy Rewards Zone Card, Coffee loyalty card
(and sometimes even, uh, cards for free lapdances, apparently)
In the real world, we don't regularly hold two dozen forms of identity like we expect people to on the web. Not only would you be carrying around the freaking Costanza wallet at that point, it would be insane. In the real world, we somehow manage to get by with about two or three strong forms of identity, complemented by a few other weaker forms to taste.
I'm proposing that our web wallets begin to mimic our physical wallets. Whenever a website needs to know who I am, they should ask to see my Internet Driver's License.
Now, I don't literally mean a driver's license. I'm using this term figuratively to mean online credentials that I can re-use in more than one place on the internet. If all I want to do is leave a comment on a blog -- like, say, this one -- then one of the weaker forms of identity will surely do. If I'm starting a new bank account, or setting up a profile on a dating website, then maybe a stronger credential from my virtual wallet is necessary.
The core concept that users need to get used to is logging in to a website by showing a third party credential to validate their identity. This idea isn't nearly as crazy as it seemed in 2008. How many websites can you log into by showing your Facebook, Google, or Twitter credentials now? Lots!
The whole online identity situation may seem as impossible as peace in the Middle East at this point. But when faced with a problem that appears intractable, is your solution to throw your hands up, mindlessly embrace the status quo, and wearily sigh "whaddaya gonna do?"
Some people do that. It's their right. Personally, I prefer to be the change I want to see. So for us, on Stack Overflow and the Stack Exchange network, that means aggressively promoting the concept of the Internet Driver's License, including educating users as necessary.
For example, consider this ATM machine. To use it, do I need to sign up for an account at Shanghai Peking Development Bank? No. I can use any form of trusted third-party credentials the machine supports.
Similarly, to log into any Stack Exchange site, including Stack Overflow, present any OpenID- or OAuth 2.0-compliant identity provider as your Internet Driver's License.
When we founded Stack Overflow, we set out with the explicit mission to make the internet better. Adding yet another meaningless username and password to the fabric of the web does not make it better. What does make the internet better is the continued pursuit of better, simpler, re-usable forms of third-party online identity. That's why I urge you to join me in supporting OpenID, OAuth 2.0, and any other promising implementations of the Internet Driver's License.
Posted by Jeff Atwood
"Internet Driving License" is a horrible metaphor for the problem of internet identity and authentication.
Just to note that there is no Shanghai Peking Development Bank, it's Shanghai Pudong Development Bank; which I would never have bothered pointing out if I had to register here just to comment (so I still illustrate your point).
Oh, I don't know Robert - I quite like the idea of certain sites preventing people from interacting until they've passed a test of some sort :)
In Belgium ID cards are being progressively replaced by eID cards.
With it, we identify ourselves online and use a wide range of gov services, but also anyone who wants to supports it. There is an API for that: http://eid.belgium.be/nl/binaries/eID_Developers_Guide_tcm147-63130.pdf
One ID for everything (administrative gov stuff, banking, club membership, online logins, ...) is our future!
Indeed Stuart. Except that's exactly what Jeff isn't talking about ;-)
Here's where the driver license analogy breaks down: I have physical control over my license, it stays with me. No one can lose my license for me.
Also, I would dispute the assertion that third-party auth makes the internet better, rather it is a transfer of responsibility from users to the third party.
This post also doesn't address what I thought was Rob Conery's best argument, that it is entirely plausible to end up with multiple accounts at the same site by using multiple sign-in providers. Not so much "single sign on" at that point.
Kevdog: If you're so big on responsibility, why not run your own OpenID provider? It's not hard, and if you run it on a box that lives in your house then you can even have physical control over it too.
Regarding the use of multiple sign-on providers: I went to the doctor once and said "Doctor, it hurts when I hold my arm up over my head and twist it around like this!" And the doctor said: "Well, don't do that, then."
Pierre: As a citizen of the United States I find myself dismayed at the thought of using the same credentials when I log onto a website in order to make a comment, and when I get pulled over for driving too fast. I dunno, maybe Belgian cops are all trustworthy, and you'd never have to worry about it potentially being trivial for them to identify your political opinions et cetera? But that's a lot more information than I'm comfortable with the idea of J. Random State Trooper -- you know, the one who's twenty-two years old and white and shaves his head and listens to Glenn Beck on the radio -- being able to find out about me while I'm sitting on the side of the road waiting for him to turn me loose.
@Kevdog: The problem with multiple sign-in providers is partially solved when your application does a quick check on the email address. If you already have an account with that email address you can join these.
I can log in with Facebook, Twitter, Google, Wordpress.com and OpenID. But I only have 1 email address for all of them, so that would be a good solution, at least for me.
We have internet driving licence in Sweden. It's called BankID and you can use it to log into your bank, insurance, tax-declaration, student registry and some other governmental services.
It's pretty good for the high trust services like these but I wouldn't use it for a random internet forum/facebook etc. I want to be more or less anonymous there. I don't even think it's possible for any random developer to get access to it through an API or something like that; it's designed only for banks etc., as opposed to the Belgian eID Pierre posted about.
@Aaron Just because you can use the same credentials to access different services doesn't mean those different services can all of a sudden access all your information across each other. That's a popular fallacy.
A good idea pushed to the limit doesn't result in a great one. It would degrade and become mediocre. The last thing I want is to give up the greatest gift of the internet, my anonymity, and expose my true identity on every website that asks me to login for no apparent reason. Expect IDL forgery to become commonplace and rightly so I must say.
The solution is not to enhance our identification mechanisms but to limit identification to when it's truly needed. Take your website for instance: why are you forcing me to log in to leave a comment when a Name text box suffices?
@ Aaron Em: Just because a website authenticates against some third-party agent (before accepting your comment) doesn't necessarily mean the third-party can track your identity back to your comment.
Oh dear. The European Computer Driving License actually IS a scheme to show you passed an exam (to 'drive' your computer, presumably). http://www.ecdl.org/programmes/
What about Facebook or Twitter connect? Those sites are much more prominent amongst the mainstream, while oauth/openid have been struggling to "cross the chasm" from the beginning.
+1000 for the expert Photoshop mockup.
Posted using my OpenID :)
@Vicentvw: Twitter uses OAuth. Facebook has also pledged to support OpenID: http://developers.facebook.com/blog/post/246
I agree with this post; which doesn't mean OpenID should be a strong authenticator, I should be able to create accounts without them being linked to my real identity.
The whole use of your (Belgian) eID for online shopping and whatever idea has always been enormously short-sighted and needs to die in a fire. I'm Belgian and while giving the cops my eID is one thing (for them, it really is the same as a driver's license), handing private entities a singular tracking identifier of me is something I will never submit to. Not that using it for tracking would be legal, but when did that ever stop anyone?
It's a similar problem with OpenID. Usually when I post something somewhere with OpenID, you can follow it back to that identity. It's not just the owner of the blog that can see who I am (or at least one identity of me), it's whoever cares to crawl back down the link to my identity page. Which makes it a really good way to create targeted marketing user profiles.
Now @Aaron, there really is very little chance Belgian cops could get at much more information than American cops could using your driver's license. The data collected from your eID, i.e. an identifier used to log you into that forum, lives in a private database that they simply don't have access to. Even their access to government owned databases is in theory heavily regulated. I've heard of at least one example of a guy getting a not-so-friendly visit by the FBI after some anonymous comments on a forum, so you might want to watch what you say either way. Especially now that anti-terror laws mean you can be put away for years for what are basically thought crimes.
In practice, cops do often violate the restrictions based on them (most common example, opening up the files on celebrities that commit suicide). At least we know about it (access is logged meticulously), but unfortunately we don't really do anything about it, which is a cautionary tale for anyone supporting giving the government (any government) more access to your data.
So in the past 10 minutes I created a Google ID under the name of Big Foot, and logged in here to post a comment. Where exactly did my identity come into the picture?
Facebook and Twitter are quickly becoming the dominant identity providers.
This is plenty enough in most cases.
For special cases, a classic email based id should be OK.
ie: Twitter for professionals, Facebook for kids, email for geeks.
"Identity" has to do with the ability to connect, not to our "essential being" or the control we may think we have about our environment. There are good and bad connections though, and to discriminate them is probably the most important thing to learn. In fact, there aren't many other things that important in life, and most of them are just a matter of chance.
Of course, if I can't control my identity, no one (no other... identity) should have that power in my stead.
An account on a website is more like a loyalty card than a driver's license. And I just checked... I have 34 pieces of "ID" like that in my wallet and on my keychain. No, 36, I forgot the access cards around my neck.
I don't want a single ID. I have multiple IDs. It's none of your business what MMOs I play, and I have no interest in sharing just how geeky I am with random high level druids on some game, so googling for my RPG character won't pull up messages posted with my real name, and vice versa. And if I have to carry two "loyalty cards" to make sure of that, that's fine.
I personally DO NOT WANT THIS. I don't want all my internet accounts to be linked together. I don't want to FB connect the world. I don't want any random Googler to be able to procure a profile of me and my interests in a 2 second search. The internet is freedom only while it's anonymous.
Websites that use OpenID/FB Connect have been nothing but a pain in the ass. Want an account from me? Sure, here is an email and password (a la Mint.com), because that's all you need, not my ID ("Open" or otherwise). That's exactly two fields that are actually *required* to "identify" an account. You want to please your users? Make those the only required pieces of information to register. It's way faster and simpler than OpenID; your users will appreciate it.
If your website uses OpenID or FB connect as a primary means to "register", that's about a 90% chance right there that I won't be using it.
Honestly, Jeff, I don't know why you preach this tech so much. I consider this one of the few big design mistakes of SO. I have never used my OpenID anywhere else and I had to make two already because my Verisign OpenID provider was an exceptional pain in the ass to use. Then you, the developer, had to go and code up a way so that your users could change their OpenIDs or assign multiple IDs or switch between them. Why?!!! Where is the so-called convenience for you or me?? If you just required an email and password (and perhaps a username, since it's a publicly facing acct) for SO, neither you nor I would have these problems.
So stop it. OpenID is a terrible idea. It's used by companies that want to own and track your "online presence"; to the user it brings no convenience whatsoever.
Whenever I think about OpenID I feel it comes dangerously close to a walled garden. Jeff even had a post about this a while back:
If everyone is forced to adhere to some universal internet sign-on policy it kind of defeats the freedom of the internet. Having to keep track of multiple usernames and passwords is a bit of a hassle but I don't think this is the answer.
To quote Jeff from the article I mentioned "The lesson I take from this is that no matter how wonderful your walled garden is, it can't compete with the public, open internet.".
The concept of "Open ID" (and I use that term generally) is more or less a server side version of a password vault, with arguably more security concerns around social engineering. You are putting a lot of trust in the sites that host your identity and presumably, their admin/help desk folks that may or may not be able to back door to your identity to "troubleshoot problems".
As this method becomes popular, it will also add another means to phish. Or malicious virtual lap dance sites may just collect your user/password anyway on the way to verifying if your login actually works at the authenticator's site.
That said, is it any worse than using your same email/password on various sites that maintain their own identity management? (Which a LOT of people do, including techies that should know better). I bet if Jeff implemented his own user/password sign in where he actually stored the password at both here and stack overflow, he would have the gmail, yahoo, hotmail logins of a LOT of users.
Web accounts in general have two parts: Authentication and Authorization.
OpenID passes the Authentication part off to a random third-party.
It's the perfect case of favoring convenience over security.
As a web developer, I feel this falls too far on the convenience side, and I'm unwilling to potentially compromise my system's Authorization scheme by allowing untrusted third-parties for the Authentication phase.
Convenience over security is also a major reason as to why Windows post-NT still has a checkered security history: Windows 2000/XP and its "create all users as Administrators" default on standalone or non-Active Directory networked computers.
Btw, great job on having stack overflow change the lives of developers. Win!
Facebook has definitely become my internet driver's license. I'm using it right now!!! Twitter is still a little obscure in my opinion. The problem is, I don't feel very secure giving that license to everyone. They can get a lot of info about me when I FB connect. Scary . . .
The commenters proclaiming doom because somebody can find out everything about you have forgotten a simple fact: You can create multiple identities.
If you don't want your posts on a forum about spanking your wife in a furry bunny suit to be associated with your professional blog, use a different ID. That's the beauty of OpenID, you can create precisely as many identities as you need and, sites willing, use the right one for the right job.
Sounds exactly like cardspace and info cards. Although it never took off.. .for three reasons I think...
1. It was Windows only... although there were Mac and Linux implementations.
2. The info cards were not portable but installed on a specific PC.
3. No major web sites really implemented it. Heck, even Microsoft still stuck with Passport, née Live ID.
@Gordon. What if I don't want ANY of my online identities to be associated to each other? Also, how would the scheme you describe be different from the "traditional" scheme of having a different account for different sites?
You shouldn't have to do extra work to remain anonymous; "anonymously" should be the default and the most convenient way to register. Creating a new OpenID for every website is not more convenient than supplying acctname/email/password for every service that you want to use. Hence, in my book, OpenID should be an alternative option to an existing registration system, at best, for those cases where you care more about convenience than remaining anonymous. (ex. Hacker News)
@Gordon Tyler - But we already have functionality where we can create as many ids as we want. We create individual IDs for as many sites as we want already. Even multiple IDs for the same site if we desire!
That's hardly the beauty of OpenID, it's the beauty of what's been implemented for years now. OpenID is supposed to try and reduce the amount of accounts you need to have. Once you start talking about creating multiple OpenIDs for different purposes you're actually moving away from what OpenID is trying to accomplish.
I have some issues with OpenID.
If a provider goes down, is hacked or changes their format, you're sunk, not just on one site, but on every site you used.
Users are unfamiliar with the concept; they might forget which provider they used to log in with at one time and log in with a different provider the next time. The site has no way of connecting the identities.
Using your drivers license metaphor: I don't want every blog I comment on to know my weight, address, or even my full name, I want a way to control who gets what information.
I agree that this single credential idea is good and has a lot of potential, but I am wary of evangelizing it to the world before it is ready. If people use it and dislike it, it could crush this idea forever. It's like nuclear power, the accidents that occurred in its infancy set adoption of the technology back by decades. Wait until you get something that's idiot proof, then I'll evangelize it.
Ok, so I wanted to sign in...
- I click on the link, and go to TypePad. WTF? What is TypePad...
- Oh, there's a link that I can select other ID providers...
Hmmm, Have I used Facebook, Yahoo, or Google with this site before?
I think I use my Yahoo ID for Stack Overflow, so I'll try that.
- Enter email.
- Now - which standard password did I use? (got it on the second try ;)
- Ok, signing in - Uh Oh - "Error: Bad Gateway" - blank page.
- Now what? I click the back button. Look around... "I am signed in as Steve" Yay! I did it!
- Whew! Even with an array of OpenID providers, this is pretty broken.
I didn't use my open ID provider because, to the best of my knowledge I have to enter some hideous string to use it. If I could enter an OpenID username/password, then I would use it... As it is, it is unworkable for me, cause I have to look up the string in a file somewhere.
However, it seems to me that because all of my email providers (I have Yahoo and GMail), and my Facebook and Twitter accounts are OpenID providers, I don't really need to think about all this so much, as I have an array of usable ID's available. The problem is being solved behind my back. So, the evangelizing mostly applies to website developers, who now need to implement the OpenID signing for maybe ten providers, and most everybody is happy.
p.s: @Robert Baker: if you are going to complain about the driver's license metaphor, maybe you should suggest a better one. IMO "drivers license as a default identity credential" is a pretty decent metaphor. Just ignore the fact that it is also a license to operate a motor vehicle.
p.p.s: OMG the furry bunny suit!
No, Steve, "drivers license as a default identity credential" is a pretty stupid metaphor outside the United States. In many countries, there's a government-issued ID that everyone must have from very early in their life. Also, in the US, everyone pretty much relies on cars, which is not a universal fact either.
I don't think anyone in Argentina will accept your drivers license as a generic identity credential.
At first I didn't like the OpenID requirement. "How hard is it to track user names and passwords?" I thought. And said. Repeatedly. Until Jeff told me to STFU and go somewhere else. Not really. But almost.
But now that there's, what, 500 stack sites, having a single sign-on for all of them is convenient. Kudos!
The problem with current Internet Driver's License systems like OpenID and OAuth is that they still rely on the user storing a username/password on a site somewhere--and then using that site as an authentication authority.
What we need is a widespread adoption of GPG/OpenPGP. If everyone had a public/private keypair, we could authenticate using cryptographically secure signatures, which would remove the need for us to hand over the private keys to our identities to 3rd parties. Granted, power users can already setup their own OAuth/OpenID servers but that system still lacks the key signing circle of trust that GPG has built in.
Besides, I'd love to sign my tax documents with a GPG signature instead of send along a plaintext SSN, which is absurdly passed around and stored in countless databases already.
So let's get some developers to relaunch http://www.gpgauth.com/ -- that's my vote.
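The signature-based login this comment proposes, as an added example that is not code from the post, its commenters, or gpgauth.com: a relying party issues a single-use nonce, the user signs it with a private key that never leaves their device, and the site verifies against the public key it registered. It uses Go's standard-library Ed25519 in place of OpenPGP, and the site name "example.test" and user "alice" are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challenge is an outstanding login nonce; it is consumed on first use.
type challenge struct {
	nonce   []byte
	expires time.Time
}

// RelyingParty is the website: it stores only public keys, never a secret.
type RelyingParty struct {
	site       string
	users      map[string]ed25519.PublicKey
	challenges map[string]challenge
}

func NewRelyingParty(site string) *RelyingParty {
	return &RelyingParty{
		site:       site,
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string]challenge{},
	}
}

// Register binds a username to the user's public key.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string, now time.Time) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[user] = challenge{nonce: nonce, expires: now.Add(2 * time.Minute)}
	return nonce, nil
}

// loginMessage binds the signature to this site, this user and this nonce,
// so a signature obtained by one relying party cannot be replayed at another.
func loginMessage(site, user string, nonce []byte) []byte {
	return []byte("login:" + site + ":" + user + ":" + hex.EncodeToString(nonce))
}

// Verify checks the signature over the outstanding challenge. The challenge
// is deleted whether or not the check succeeds, so each nonce is used once.
func (rp *RelyingParty) Verify(user string, sig []byte, now time.Time) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	c, ok := rp.challenges[user]
	if !ok {
		return false
	}
	delete(rp.challenges, user)
	if now.After(c.expires) {
		return false
	}
	return ed25519.Verify(pub, loginMessage(rp.site, user, c.nonce), sig)
}

// SignChallenge is the user's side: the private key is used locally and never sent.
func SignChallenge(priv ed25519.PrivateKey, site, user string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMessage(site, user, nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	rp := NewRelyingParty("example.test")
	rp.Register("alice", pub)
	nonce, _ := rp.Challenge("alice", time.Now())
	sig := SignChallenge(priv, "example.test", "alice", nonce)
	fmt.Println("first login accepted:", rp.Verify("alice", sig, time.Now()))
	fmt.Println("replayed signature accepted:", rp.Verify("alice", sig, time.Now()))
}
```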
@Nicolás Alvarez: The States issue State IDs that look almost identical to Drivers Licenses. Driving is not mandatory to having a license.
@Nov8r: Having a network-wide login doesn't require it to be implemented using OpenID. It just means you need access to the same database.
@Nick & @Sean, the problem with the current system is that you have no choice. You *have* to have a separate identity on every site even if you *want* to share an identity across some subset of sites.
I also don't see where the claim of lack of anonymity comes from. The only truly anonymous way to participate on a site is if it allows participation without login. Otherwise, you're identified in some way or another. Heck, your IP address identifies you unless you're paranoid enough to use TOR.
I think this OpenID thing is still new. I think that, at some point in the future, OpenID providers may start providing easy ways to generate new "anonymous" identities that you can use to login to sites that you don't want to connect to one of your main identity. Think of it like one-time use credit card numbers.
Is that a real wallet? Wow, somebody spends a lot of time/money on "entertainment."
OpenID = good. There is better. One step at a time...
I believe there's a parallel issue that a lot of these accounts exist purely to harvest email addresses from users. If I'm correct in this assumption, we could do away with a lot of user/pass combos if the harvesters just gave up on the idea of collecting them.
@Nick: Do you create a new email address for every site that you visit? How is that any different than openid? Knowing that I'm "the url http://burntpopcorn.net" when I log in doesn't mean that when I log in from one place or another that they won't magically be able to link that together any more than when I logged in with my email address.
@antic: what do you mean you just need to use a username/password to log in? How do you know that I don't require two-factor authentication to log in to my openid provider? One like: http://code.google.com/p/google-authenticator/ . That's one of the *benefits* of openid in my opinion, because you can make your account as secure as you need it to be. Don't you hate logging in to sites where they have ridiculous login requirements that don't seem secure at all?
I do currently support openid. I actually ended up changing my comments bit on my own blog to intense debate for 2 reasons.
1. It supported multiple login methods (most of the key ones).
2. It was controlled by a 3rd party.
3. It reduced load on my providers server by keeping that stuff on another system.
Of course that is still up in the air at the moment due to a number of factors since it is on another provider's server it could potentially affect the appeared performance of my site to visitors.
Support auth methods
Wordpress.com (it's a wordpress powered blog so it makes sense ;)
There's a few things going on here:
a) convenience across sites
All these parameters have different pros and cons.
@ some earlier posters on the privacy angle and anonymous logins for different sites, check out a startup called Abine.
I've been using OpenID for years now, via VeriSign's PIP thing (Symantec now owns it). I use my personal website address as my OpenID identifier. I know not everyone owns a domain name and can host it, add appropriate markup to the page to get it to work, etc. but I will say that I have never had problems with it and absolutely love it. I use VeriSign's "SeatBelt" plugin for Firefox and it all "just works" for me.
That said, I care more about the idea and benefits than any given implementation. As someone else mentioned, this is a step in the right direction.
If people don't like it, feel it is horrible, etc., that is fine - but rather than just complaining, work to make something better. Don't tear something down that is currently working unless you are building something else up to replace it.
This is one of the biggest problems for everyone on the internet. Programmers must unite with standards!
Identity theft is rampant, and I wouldn't trust anyone with knowing too much about me.
Banks and government agencies aside ...
- no one knows my full name
- no one knows my real birthdate (except the friends who show up to buy me drinks).
- no one knows my mothers maiden name
- no one knows my social security #
- no one knows my real postcode (unless they actually deliver goods)
- no one knows where I was born
This also goes for random people and surveys, and any store cards / loyalty cards I may get.
Why? I'm not paranoid, it's just that they have no need, nor right to that information. I don't have a big ego where I want to be able to google myself. Who I am is my business.
All that aside, I don't see what's wrong with OpenID. It's fine because I can set up a number of different profiles for an email address I use for random activities (like SO or posting here).
From my perspective, OpenID solves
- the insecure storage of credentials
- easily mapping credentials to other held data (although likely not the case in practice)
- 100 different implementations of password reset, forgotten password, insecure passwords in plaintext emails, etc
A commenter said:
Here's where the driver license analogy breaks down: I have physical control over my license, it stays with me. No one can lose my license for me.
But - hey, maybe it should be exactly like a drivers license. Physical.
I use my own name everywhere on the Internet. I have lots of accounts. Logins tire me out. Now I use LastPass which is convenient, but doesn't always work well. I use mainly 1 week and 1 strong password.
My idea would be to use 1) login 2) password 3) random challenges for more security info 4) Paypal has a great device which gives me a 6 digit number to type in appended to my strong password. 5) a biometric --thumbprint for now and voice print later
Basically you need an ID name, a mental secure phrase, a random number generator (like Paypal) and a biometric. And the random number must be reinput about once every hour. This would produce pretty good security, but would still be a bit of a hassle.
OpenID is not the answer.
How can we trust OpenID when it is backed by Google, Facebook, Microsoft etc who have no interest in peoples' privacy?
You cannot trust your open ID provider not to cancel your ID without notice, locking you out of your online life, and ignore your emails completely. OpenID.net did it to us when we dared to criticise them.
David Recordon (Facebook & OpenID) has ignored a superior technology that was offered free, but cannot be controlled by the OpenID masters, why?
Simple fact is that OpenID is open in code only. It is funded by all the companies that cannot be trusted with private data and loaded with their staff. There is an open and user-centric solution which is being ignored by blogs promoting OpenID.
@Steve: Regarding your PS to me: 'Bring me solutions, not problems' is such an obvious fallacy. I'm ashamed to admit I don't know the proper name for it.
OpenID is not a login protocol. It's a homepage / URL verification scheme. Bending it for something else might make technical sense, but it's hardly userfriendly. URLs are not designed as user identifiers, and the builtin address bar magic doesn't help it.
It's working on Stack Overflow because people have a lot more technical competence. For anybody else, only user@something accounts are viable. But it's way too late for OpenID3 to fix that; never mind the anti-privacy features built into the protocol.
It's more than clear from this and most threads about identity on the internet that identity authentication/verification/authorization is a very emotional hot button for a number of people. And just as clearly, quite misunderstood by many of those most concerned by it.
It's good that you're trying to find metaphors which help people understand it, Jeff.
Our new German password will allow you to prove your identity to a website. Unfortunately the internet is quite global and a one country solution won't help much.
In the end it however should be a role of a government to be a trusted third party for identity.
Although I use openID for SO, it's the only site I use it for and I can't see it ever achieving mass adoption (normal internet users don't understand it, advanced internet users barely understand it and don't agree on its benefits).
OAuth2 is a bit better (at least normal users understand it) but personally I'd rather not have Facebook or whoever know what other sites I use.
My personal solution is to use 1Password for all sites - I register with an email address and a randomly generated password. 1Password remembers all the logins and provides them automatically (and syncs using Dropbox).
Third-party login modules seem very vulnerable to identity theft:
1. evil website offers to sign you in with 'gmail'
2. shows facsimile of the gmail login page, collects your password
3. evil site now owns your identity
Of course, if you use the same password everywhere, the same thing might happen, but if you don't it won't.
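The look-alike login page above works because a human compares the page by eye; a password manager (as in the 1Password comment a few posts up) defeats it by binding each credential to an exact origin and refusing to fill anywhere else. The following is an added illustration of that origin check, not code from the original post or from any product; the vault contents and the page URLs are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed.

    Using urlsplit's .hostname means tricks such as
    'https://accounts.google.com@evil.example/' resolve to the real host
    (evil.example) rather than the text a user would read first.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric port in the URL
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def should_autofill(stored_origin, page_url):
    """Fill the stored credential only when the page's origin exactly equals the
    origin the credential was saved for. A look-alike host such as
    accounts.google.com.evil.example, a subdomain, or an http:// downgrade of
    the real host all fail this test, so a facsimile login page gets nothing."""
    stored = normalize_origin(stored_origin)
    current = normalize_origin(page_url)
    return stored is not None and current is not None and stored == current


# Constructed sample vault: one credential bound to the provider's real origin.
VAULT = {"https://accounts.google.com": "correct-horse-battery-staple"}


def credential_for(page_url):
    """Return the password to fill for page_url, or None when no entry's origin matches."""
    for origin, secret in VAULT.items():
        if should_autofill(origin, page_url):
            return secret
    return None


if __name__ == "__main__":
    for url in ("https://accounts.google.com/signin/v2",
                "https://accounts.google.com.evil.example/login",
                "https://accounts.google.com@evil.example/",
                "http://accounts.google.com/"):
        print(url, "->", "fill" if credential_for(url) else "refuse")
```

Exact-origin matching is deliberately stricter than "same registrable domain": it is the strictness that makes the phishing page in the comment above fail, and a user who is never offered the password on the wrong site has nothing to hand over.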
You have interesting timing. I very recently started building a blog network that uses Facebook for all authentication (sign-in/post, comments, etc), wall posts, etc. That part works; alas, it's far from complete.
Well, this is the first time I am trying out OpenID. I'm a "newbie". I think it's funny that some have commented that governments should be the 3rd party keepers, as they are so trustworthy. This kind of goes against my grain, but if you want to trust them with even more than they already have...
btw, it seems my name isn't showing up well!
So in other words you're advocating for Microsoft Passport.
I was going to remark that the fact that you own a Louis Vuitton wallet (whether faux or real) renders all your arguments worthless. :) - but then I realized it wasn't yours.
The ToS say:
"Six Apart reserves the right to update and change this TOS from time to time without notice or acceptance by you"
The privacy policy says:
I don’t want to have to agree to that bullshit just to comment on some blog. OK, but just this once I will. (Note to everyone concerned, a commenter shouldn’t have to agree to anything to merely comment, except at most the ToS posted by the website to which they are commenting.)
I am then asked if I want to trust "https://www.typepad.com/" (by my ID provider). Wait a minute! I don’t trust them, I wanted to post to Coding Horror, what’s up with that? OK, I hit no, and, huh? I’m sent to the main page for TypePad. Where's the blog post I was reading? A bit more hassle and I click yes. Yay, I’m signed on.
OK, now for my post...
OK, I wanted to say that an ID card of some sort, such as OpenID can be great. But when I am carded ‘cause I look under 25, the booze store doesn’t record details of who I am, it just confirms I’m over 18. When I get stopped driving my car, the police don’t record my details unless I’ve actually committed (or am accused of committing) an offence. When a shop asks me for details “for warranty purposes” I refuse. I give fake information, or don’t answer in as many other places as required.
I also wish to say that the comments above about anonymous OpenID are good.
Oh, and if you don’t trust a big company, run your own OpenID (or multiple ones). You could, for example, use phpMyID <http://siege.org/phpmyid.php>.
OK, click preview, umm, dudes, my URLs! < and > aren’t valid in URLs, so why is your URL catcher including them? It’s a standard way to surround URLs (especially those that contain spaces or other weird chars). I’ve removed the final > now.
Here is how the first URL was meant to look:
my ID URL (<http://phpmyid.com/>). Wait,
Oh, and apparently I now have a TypePad profile. http://profile.typepad.com/6p0112791e8d9628a4
And can jump through hoops to deactivate it.
This is bullshit. Sorry Mr Horror, but I doubt I’ll be posting any more on your blog. Your comments in a previous blog about anonymous comments are off the mark. I have, in the past, thought about commenting (with insightful comments, and/or interesting links) but have refrained from doing so because of the absurd stuff I’ve documented in this post. I’ll be deactivating that account as soon as I post this...
Others bring up an important failing of OpenID.
Since you like the driver's license analogy: one thing California doesn't do is go out of business and render it impossible for you to use that piece of authentication, nor do they suddenly change their terms of service and start charging you a monthly fee for having that authentication mechanism that you use for absolutely everything.
So all websites that use OpenID should have a redundant OpenID provider, or some sort of password. But that's just about as lame as using a password program to manage all your website passwords, which then makes you say Why Bother!
I personally DO NOT WANT THIS. I don't want all my internet accounts to be linked together. I don't want to FB connect the world. I don't want any random Googler to be able to procure a profile of me and my interests in a 2 second search. Internet is freedom only while it's abercrombie anonymous.
Aaron Em: The card is only your username. You still have to enter the password. If you want to stay anonymous like Waoo suggests, don't use it. I would like to use it for everything, I'm a big fan of SSO (and OpenID, since it's exactly the same concept).
You should go check out https://www.nemid.nu/om_nemid/about_nemid/ - there you have your Internet Driver's License for Danish citizens. It's the Danish government who have issued every Dane using online banking with a keycard which they are obliged to use whenever they need to get in contact with online services. For instance: my wife and I moved recently and I used my NemID account to log in with the same user to various services and change our address, daycare options etc. That is one possible implementation of your vision I think - what is your opinion about NemID?
I'd prefer the authenticator method (like some games/banks are using). If you haven’t seen these, it's a small device about the size of a USB stick which is paired with your online account.
You simply press a button to receive a random number which is effectively your password. This means that it's almost impossible to guess or steal your password from a dodgy site as it changes every minute or so.
Armed with this and your email address, you get a security level that I would be happy to use to log into many sites without the worry of my password being stolen.
I'm sure this could somehow be used to hide who you are as well. A service where it automatically creates a random account for you to use on login for a specific site so you can separate your activities and stop anyone data farming all your details from one logon ID.
I'd happily pay a small fee for one of these devices for my online licence.
That is already the present in Denmark. At least for banking and contacting the authorities (including tax paper work and similar). The solution is far from good in my view but it is a secure solution with one set of credentials for multiple sites. Other websites (than financial institutions and governmental offices) could opt to use it but it's not widespread (if spread at all).
My online identities are all only as secure as the email address I choose to associate them with, thanks to the ubiquity of the "forgot password" link.
Is it not then easy enough to create a form of secure login wherein a site will just ask for the email address you register with them then send a "login" button to that account, thereby combining the "single login" convenience of OpenID while offloading the security concerns to the user and his email account? Of course, not everybody has access to their email everywhere they would use such sites, but as an option to fit the OpenID's goal of a single identity, would it not suffice?
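The scheme proposed above (send a one-time "login" link to the registered address instead of keeping a password) is usually called a magic link, and the details that make it safe are exactly the ones the comment leaves open: the token must be unguessable, expire quickly, and work only once, and the site should store only a hash of it so a leaked table cannot be replayed. The following is an added example of that server-side bookkeeping, not code from the original discussion; mail delivery is out of scope and the login URL base is a placeholder.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # a link that sits unread in an inbox should die quickly


class MagicLinkStore:
    """Issues single-use, time-limited login tokens for an email address.

    Only a SHA-256 digest of each token is kept. The raw token exists solely in
    the emailed link, so someone who reads this table cannot log in with it,
    and guessing is hopeless against 256 bits of randomness.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a fresh token for `email` and return it (to be put in the link)."""
        token = secrets.token_urlsafe(32)   # 32 random bytes, URL-safe encoded
        self._pending[self._digest(token)] = (email.strip().lower(),
                                              self._clock() + TOKEN_TTL_SECONDS)
        return token

    def login_url(self, email, base="https://example.test/login"):
        """The URL that would be mailed to the user (base is a placeholder)."""
        return f"{base}?token={self.issue(email)}"

    def redeem(self, token):
        """Return the email address on success, None otherwise.

        The entry is removed on the first redemption attempt, valid or expired,
        so a link can never be used twice. Lookup is by digest, so an unknown
        token reveals nothing about which tokens exist.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() <= expires_at else None

    def purge_expired(self):
        """Housekeeping: drop entries past their expiry; returns how many were dropped."""
        now = self._clock()
        stale = [d for d, (_, exp) in self._pending.items() if exp < now]
        for d in stale:
            del self._pending[d]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.login_url("alice@example.test")
    print("mail this:", link)
    token = link.split("token=", 1)[1]
    print("first click:", store.redeem(token))   # alice@example.test
    print("second click:", store.redeem(token))  # None
```

This does not remove the caveat the commenter makes: whoever controls the mailbox controls the account, which is the same trust the "forgot password" link already places in it. What it does remove is a site-side password that could be reused elsewhere.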
> Although I use openID for SO, it's the only site I use it for and I can't see it ever achieving mass adoption
That's ironic, considering the very comment you just left could have been through your OpenID.
> So all websites that use OpenID should have a redundant OpenID provider, or some sort of password.
This also happens with email/pass -- that's why you have to set up "what was your first pet?" and "what's your favorite movie" question on a lot of sites.
"Otherwise, you're identified in some way or another. Heck, your IP address identifies you unless you're paranoid enough to use TOR."
But there's a difference between leaving an IP address, and leaving a link to your facebook profile as I am doing now. (Which is okay for this site, less cool for hornyasians.com)
Please don't continue to promote the idea that a driver's license is suitable as an ID. In fact, the problems with the physical driver's license show that the concept of an "Internet Driver's License" is fundamentally flawed. More important, the flaws are in the concept itself, there is no fix. That means, not just tossing out the metaphor "Driver's License" but that the very idea of a global ID needs to be scuttled.
We Americans are (ab)using it as ID, but it was created for one purpose, and one purpose only: to allow you to drive. Why do I need to get a driver's license to board an airplane, or have to admit that I'm not qualified to drive a car by showing a non-driver ID? Driver's licenses have the same fundamental problem as Social Security Numbers (originally only account numbers with the promise that they would never be used for any other purpose).
Abusing Driver's Licenses as IDs and now even as immigration documents leads to all kinds of problems:
- Lots of uninsured and unlicensed drivers who would be perfectly qualified to drive but aren't eligible for some other bureaucratic reason.
- Identity theft.
- Lack of privacy. When I use the driver's license as my ID, my home address and date of birth is publicly visible even when there is no need to know. Some states even require the Social Security Number right on the driver's license!
There is one thing worse than having the multitude of user names and passwords - and that is having a single overreaching user name and password.
Fortunately, it's not likely going to happen. Microsoft tried with their Hailstorm/Passport. OpenID is an improvement, but still has many of the same problems.
You wrote: If people don't like it, feel it is horrible, etc., that is fine - but rather than just complaining, work to make something better. Don't tear something down that is currently working unless you are building something else up to replace it.
Sometimes the "tearing it down" is a value in its own right. If the "new, better" idea is worse than the status quo, then tearing down is the best thing to do.
There are 2 critical points to this that must be enforced no matter what is decided/done/implemented to resolve this question.
1) CHOICE MUST REMAIN - Choice by the user as to which route to take must remain. The choice to either continue using multiple distinct IDs/accounts or to use some single account like OpenID.
2) DECOUPLED PROFILES Between Online and Real World - The ability to separate your online identity(s) from your real world ID (i.e. separating your website logins from your driver's license and credit cards) must remain an option.
If some users want to connect the 2 so they are one that's fine but IT MUST be a choice.
The fastest way to tyranny by an ever aggressive and power hungry government is to make it easier for them to associate your online activities with your real world ones and to control both through licensing and restriction of said licensing.
The author may have used the term License to mean an associating of an ID and not an authorization to do something, but you can bet your bottom dollar that a power hungry politician would love nothing more than to control your access to and what you can do online.
While I very much understand the problem, the third party login makes me concerned. Right now it means I have to trust a 3rd party with not only my login info, but also my comings and goings on many different sites. I would rather not have to give that info to Facebook or really even Google (though I would choose Google over Facebook). It makes a private company far too powerful an entity on the Internet.
Someone just referred me to this article on Stack Overflow.
I just want to say that this example is misleading. True, a debit card can be accessed anywhere in the world (such as OpenID), but when you retrieve cash from Shanghai, China, that ATM is actually talking to my Bank here in the States. The cash will be charged TO MY BANK plus service charge. That ATM is simply giving me cash on behalf of my bank, that "acting on behalf" is what the service charge is for. The debit card itself identifies not only me/my bank (make sure we are valid, i.e., I don't have an expired card and my bank is real), but more importantly, how to talk to my bank for transactions and charges.
In web terms, OpenID and OAuth, it's not true at all. The content is local to the website, it's not acting on behalf of my OpenID PROVIDER, NOR is it talking to my OpenID provider for detailed transactions such as contents I read, stuff I did at a local website.
If ATM is truly like OpenID, that means, I can take my debit card, go to a foreign ATM (being a valid user at a valid bank), after this authentication process is passed, I retrieve the cash out of that ATM and voilà. My bank doesn't know about it, I get the cash. I'm a billionaire after a few ATM tries.
Just to add a bit more "background" processes going on between an ATM and my bank.
After the transaction is over, my bank charges me for the amount + transaction fee, because my bank has to PAY the foreign bank for the money I retrieved plus maybe half of that service charge, and the other half of the service charge is for my bank to process this whole thing.
If OpenID is truly like debit cards, then all consumers should be required to post back the actions to the providers or some other types of information exchange to make it worthwhile both for the consumers as well as providers.
A debit card itself means nothing if ATM and the BANK don't have an agreement.
I prefer to give the visitors of my website a choice: use OpenID if you like, if not... there's always the "standard" site login. Personally, I'd like to remove the standard site login completely (as I really like the idea behind OpenID), but I understand not everyone is ready yet.
I'm totally in agreement with the point of the post, but I do want to point out that it makes more sense to describe this item as a "passport" than as a "driver's license", since the possession/use of it doesn't imply that someone has any particular level of aptitude on the Internet. Calling it an "ID" would be even more appropriate.
I almost never see OpenID anywhere (except on some blogs) and when I see it, I just don't bother commenting. I still have to enter my passwords into a dozen different places. The only place I saw log in with Facebook was Dailymotion. This site offered to let me login with Facebook, but the button didn't show up so I had to register yet another username and password combination.
I can agree it's hard to remember so many passwords. I wish there was some sort of standard. Never heard of TypePad until I had to register to make this comment.
Just wanted to say thank you for implementing OpenID as the authentication platform for SE sites.
The low barrier of entry is one of the primary reasons that I log in to comment/contribute as often as I do. I only wish the Linux and Open Source development world would wake up and do the same. Nowadays, if a site requires registration to join the conversation, I don't waste my time.
Aside from the attaboys, there is one other key issue that OpenID addresses. Email addresses are not a good form of identification. The sad fact that many people use the same password for their email addresses as they use on many other accounts creates a massive security risk.
A really common attack vector is:
- gain a password for the account
- use that password to login to their email (email was the account username)
- scan email messages for information about accounts on other sites
- request password be sent to email from those other accounts
- gain access and change passwords on all accounts to limit legitimate access
By removing password storage and not requiring email credentials, the security risk is limited to the OpenID account itself and OAuth servers where the OpenID account is stored.
It's staggering for me to think of how many accounts known or unknown that I have used similar authentication info on over the years. If my password variations were compromised, there's no way I'd be able to find all of the accounts to update the auth info.
I think it shouldn't be too long before a third party company stands up and creates some sort of fingerprint identity API.
The beauty of this solution is that you are the identity, there is nothing to remember and you can have multiple identities if you will (using multiple fingers for multiple web sites).
I also agree with this post; which doesn't mean OpenID should be a strong authenticator.