If you've never seen Simon Willison's "The Implications of OpenID", drop everything and watch it now. It explains the benefits and drawbacks in such a clear and convincing manner, bringing up points that I haven't come across elsewhere on the net. Check it out here:

http://video.google.com/videoplay?docid=2288395847791059857

Also, it's kinda cool that you can put two <link> tags in your header to use your own website as a "shortcut" for your OpenID URL. Assuming you have a website, and you're comfortable with the whole URL-as-identity concept.

http://www.techwandering.com/2007/10/19/log-into-openid-sites-using-your-own-url/

So in other words, I could just type in "codinghorror.com" and press "login" and get the correct OpenID provider, etcetera.

Well, you can also choose to always pick the same login, and you only get a password problem. And you can choose the same password also, provided the site let you choose.
Being registered on fifty site does not mean you really need fifty different password and login ...

I wrote an article on the topic a while ago.

Who Should Manage Our Online Accounts?
http://www.diovo.com/?p=93

It's also important to realise that there's no reason for an openID provider to require password authentication. This is alluded to in the post but not in a big way.

For example, your provider could issue you a challenge via IM

Visit LiveJournal (for example)
=> Enter openID, Click login
=> Receive an IM from openIDBot "livejournal.com requested a login for openID http://myprovider.com/myopenid. Reply 'yes' to allow login"
=> Type 'yes'
=> Logged in

I believe OpenIDs should not be a URL system but rather an e-mail address system. In my case, 'gmail' would be my OpenID provider, and I would use my e-mail address to authenticate myself. Like you said, sites already defer authority to the e-mail address provider with password retrieval/resetting features, so it's no riskier.

> Being registered on fifty site does not mean you really need fifty different password and login ...

Assuming that:

1) I can use my email address as the login
2) I can use my preferred password as the password

.. on all 50 of those sites. The odds of that seem extraordinarily slim to me. Sites vary widely in what they will accept as logins and even passwords (complexity rules, length, etcetera).

And then let's consider what happens if I want to change my password. Do I log in to each of these 50 sites and change it?

That said I totally agree with Jan: the "competition" is between OpenID and the inertia around existing per-site login systems.

It might just be me being paranoid, but I don't think openID will work until a small fee is taken to create a user account (thus creating an almost spam free system). I'm talking about a fee of maybe $0.50 for an account, just to stop spammers from creating hundreds of accounts (just cos it will be too expensive).

But then again, who is willing to pay for using it?

1Password FTW! Its a super-keychain that remembers webforms, identities, credit cards, etc, all locked down with a single password. It even adds a button to browsers (and NetNewsWire) for easy form filling. Not free and Mac only, but worth it. And it syncs the keychain to an iPhone or Palm. I think powerful local apps like that, maybe combined with random number one time pass tokens are the future for secure and mostly convenient logons.

Umm... I use Firefox. It remembers all my login and passwords. I have different credentials for every group of page I use, so if ever one account is hacked, these logins might work on some other pages of the same kind, but they will surely not work on most other pages I use regularly. Why should I have to remember these? FF has a Master Password. First time I go to a page that requires login, FF prompts me for the Master Password. Once I typed that it, it will pre-fill all login forms for me.

I can also look up what the remembered password was, just in case I have to.

Further I have a nice extension installed, called Secure Login. What that's good for you ask? Well, first of all, it will not auto-prefill forms. Why not? Because as soon as FF puts something into the login fields, JS code could read the values from there and transmit them over the net. This is too insecure. Instead SL will only highlight the login fields for that it knows data is available (in orange, but you may change the color in the prefs) and only prefill it, if I hit a shortcut (can be changed to whatever you desire) or if I klick the SL icon, either in the status bar (if shown) or in the navigation bar on top (you can configure to show it on either bar, both or none). Another advantage of this extension is: If you have multiple logins for a site (and here is a big advantage of OpenID! As you need different OpenIDs for that), SL will not prefill the most likely one, as FF does by default and only change password to another one if I change login, it will show a sheet window with all available logins and asks me to pick one. Last but not least, I don't have to click on a login-button after SL prefilled the form. I can configure SL to submit the form automatically as soon as it prefilled the login data.

All in all: Using Firefox with a Master Password (making sure your login data is encrypted on your HD) and adding the Secure Login extension prvoides a very easy, painless and secure way to manage your logins and in the end, the only password you need to remember is your Master Password.

How about setting up your personal OpenID provider? If there's anyone you can trust, it should be yourself I guess. Then you can add as much security you want, plus your OpenID looks cool as well ;)

At the last count, I had 56 logins to keep track of. Not just for websites, but also work-related. For most of these logins, I DON'T EVEN KNOW THE PASSWORD. Instead, I used KeePass to generate and store a (strong!) password for me, and use the auto-type function to login. Passwords are stored securely (AES) encrypted. The application and data are stored on my EDC memory stick.

OpenID is nice, but the only real solution in my view is a workable public key infrastructure. Something I happen to be working on :).

I've spent the last few days implementing OpenID on our group of websites.

In the end, it was reasonably easy to integrate OpenID with our existing login system. instead of username/password in our database, it was username/provider - which kept our unique username system going, across multiple providers and our own users.

Wether it's the future I'm not totally convinced. It is more difficult initially to remember your string, and ofcourse, you sitll have to remember your username and password for your provider.

Your point on the providers is an important one. Wordpress is atrocious. If you are not logged in, it tells you to go a different page (with no link to that page) and login, and then try again. Others worked properly - even AOL.

"the only password you need to remember is your Master Password"
That's until you move to another computer, in which case you're a little screwed (and lot's of people log in on lots of different computers all the time).

With regards to using email over url, it would be preferable from the users perspective I guess, but how would you implement it? URL's are used because the service can fetch the HTML from it, parse the data etc. How do you easily do that with email that works across all emails? It would be very difficult.

A lot of the non-dedicated providers (providers that offer other services) like LiveJournal, Vox, flickr, blogspot, technorati etc. allow the users profile page to act as their OpenID URL. This means that if, for example, I were a LiveJournal user all I need to remember to login is the same blog URL that I give to people all the time.

So when are we going to see OpenID on CodingHorror then? ;)

"Wordpress is atrocious. If you are not logged in, it tells you to go a different page (with no link to that page) and login, and then try again."

I suspect that's an anti-phishing precaution.

For a user, this is no more or less secure than using e-mail authentication. I don't think it would be any more onerous to set up another fake identity with an OpenID provider than it is to create another Hotmail/Yahoo/Google account.

In terms of being monitored by third parties, this is a little more explicit than the information that could be gleaned from having your account scanned by your mail provider, but the information it is possible to gather is the same.

One downside is that (at least) two servers are involved in authentication - which may lead to difficulty for users signing in at peak load. The OpenID servers become points of failure during login too, though this would affect a low number of users at any one time.

I think the biggest hurdle is perception - people don't know what OpenID is (I didn't), how to get one or how it is different to MS Passport. The biggest hurdle will be in developing a really good FAQ. Maybe get Joel to write an essay on it.

What if an existing popular sites made its accounts OpenID? Bam, your Google/Youtube account is now an OpenID. Sites can list that they accept "OpenID/Google account".

It'd be much more straightforward if e-mail addresses were automatically parsed as potential OpenID accounts. Suppose for example that the site checked barry@example.com for an OpenID server at example.com.

I'm willing to bet though that most people already DO use the same e-e-mail address and password across multiple sites. It's not centralized (and not perfect in terms of security), but it's simple for the user. Ultimately I think if the user experience is to be improved it needs to make OpenID a lot more straightforward and transparent to the user.

I've been getting quite heaviy in to openId recently as I see it as a fundamental forward step in consolidating online identity. I've written a few posts on the topic over on my blog (...davidwhitney.co.uk/content/blog/index.php/2008/03/26/fractured-online-identities/ , /2008/05/06/stop-holding-my-data-hostage-data-ownership-and-web-30/ and /2008/05/20/web-30-data-silos-and-identity-portals-overthrowing-social-networks/ - mangled to avoid looking like link spam!) and I'm in the first few stages of trying to design an identity controlling platform to centralise personal data and feeds hinged on open id.

I really hope that open id will turn into something that users control on their own (perhaps some kind of physical home device that controls your identity that you plug in to the internet) allowing a user to have complete control, whilst the value proposition for consumer websites is that they don't have to worry about user data, just add the value and the services they perform best. If this becomes as easy as setting up a facebook profile then it's a huge victory for users. Obviously this isn't appealing to data warehousing entities, but perhaps it's a power they shouldn't have over their users anyway.

It really just seems like handing the user control of their identity back is the first step to letting users define what data regarding them the internet has access to, and that's nothing but a good thing. There's a little bit of setup involved, but really it's no harder than setting up webmail, and most people got the hang of that pretty quickly. It's almost an easy sell when you tell people that they only need to maintain profile and contact data in one location- people like ease of use because repitition is boring.

I personally believe people should control the feeds of all data related to them, but that kind of integration is probably a long way off.

I've got to say, I really like OpenID. I especially like how I can just use my blog URL as my ID, and only have to log in once.

As was mentioned above, the idea of setting up one's personal OpenID provider is quite interesting.

This is like Paypal with no money involved. Yes, it is a good idea, but I don't know how good.

OpenID is a nice solution but most people just save the password or use a manager.

One possibility to allow email addresses instead of URLs as the OpenID login string is to do a simple translation: username@openid-provider-example.com <-> http://openid-provider-example.com/openid/username.

That should be username@openid-provider-example.com equals http://openid-provider-example.com/openid/username.

Hi Jeff,

You may find this interesting. But the OpenID experience doesn't have to be untrusted and it can be customized to some extent.

http://www.coderjournal.com/2008/05/easy-steps-blog-openid-gateway/

So you could use the following as your OpenID:

http://www.codinghorror.com or
http://jeffatwood.name

I personally love this method, because it actually gives the .name domains a very interesting and in my opinion good use.

Nick

It is good that Content Management Systems like Drupal are taking a lead in this regard.

OpenId lets you choose who you trust to authenticate you. Sites implementig OpenId simply do not care who you trust - that's your responsibility (kiinda like your password is!). That's why OpenId is a good idea.

Personally, I like to control things as much as possible. Obviously, having to rely on an external provider to identify takes that control from me. This is why I was thrilled to find that I can be my own provider very easily:

http://www.intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers
http://siege.org/projects/phpMyID/

This may not work for all situations (not surprisingly) but well enough for some. Worth mentioning, IMHO, especially with this tech-savvy audience.

I long for the day when I can log into everywhere using my email address, and all chat networks are linked together allowing me to speak to friends on MSN through Skype, or GoogleTalk, etc.

I want a single online identity that can be mine, and used everywhere - rather than having to sign up to everyone's blog to post replies, host photos or whatever.

@Goran:
"OpenId lets you choose who you trust to authenticate you. Sites implementig OpenId simply do not care who you trust - that's your responsibility (kiinda like your password is!). That's why OpenId is a good idea."

No, that's one of the reasons it's a bad idea. It means that if one bad site manages to get your password, then all sites you have a login to will be open to the bad site. In effect, it means that if you compromise the system, you compromise all sites a user has access to instead of just one.

Regards
Fake

@Eric Florenzano: Simon Willison hit the nail on the head with that presentation - it's perfect. Everyone should watch it, especially the critics, it's completely invaluable.

@bandini: Any security expert will tell you that this is a terrible idea. If your login details are compromised, then every single account you have will be compromised because they have your username and password. (Yes, I know what you're thinking: 'but with OpenID...' - read on!)

Furthermore, half the time using the same login credentials don't work. Usernames can often be taken, email addresses can't be used as usernames on some sites, and password rules always vary. I always try to use 24 character passwords with combination of upper/lower-case characters, numbers, symbols - but some sites, even banking sites, will often only allow 8 character passwords.

Using an email address as the URI for your OpenID identifier would seem a logical progression, but email addresses often change. There are millions of people with free Yahoo!, Gmail, Hotmail, etc accounts - and these shut down after inactivity. Plenty of people (unintentionally) let them expire. Many others use their work email address for everything, but what happens when they change jobs? Email addresses are too transient. Something of a more permanent URI is needed - thus the URL. With delegation to your website or blog, you can have one address forever.

Regarding security, several of the "big OpenID players" are looking at security options that far surpass that of one username/password for every site / "email me my forgotten password" emails. eg., myOpenID uses CallVerifID to call you on your mobile phone when you log in. Client certificates are also an option, as are (CardSpace/InfoCard) Identity Cards. So with this particular provider, unless someone has your OpenID URI AND your mobile phone AND is at your computer to gain access to the client certificate (AND optionally the ID Card), NO ONE EXCEPT YOU will be able to log in to your OpenID account and any websites that you use OpenID to log in with. Traditional per-website login credentials simply cannot match this level of security.

Another example regarding security is the VeriSign Personal Identity Provider. You can purchase for about $5 (through eBay/PayPal) a fob that will generate a unique one-time use token for when you log in, in addition to your OpenID URI and password. Again, someone would need to gain access to your URI AND password AND fob in order to gain access to your account.

With awareness and adoption ramping up, it is simply a matter of time before this becomes the norm. People are afraid because this is something new. If OpenIDs were around in the early 90s rather than username/password/email login options, we wouldn't think twice about it.

Find a good provider (myOpenID, claimID, VeriSign PIP are some good ones), have a play around, and enjoy. It does make life so much easier!

"There's absolutely no way I'd put my banking credentials behind an OpenID"

Having my banking credentials behind OpenID would be great, PROVIDED that my bank also asked for my banking password AFTER I have logged on with OpenID. It would stop most risk of phishing as a fake banking site would make my OpenId ask me if I trusted the site.

(Also I would not have to remember by bank acount number.)

@Ian Ringrose: great point. +1 for me, but only if the OpenID provider had exceptional security (SSL, client certificates, multi-level authentication)

I agree with Fake.

The only way to solve it would be to have some sort of browser technology that encrypted the password before passing it to your OpenID server. So, when you create an openID, you give it a password, and it gives you a key that you put into your browser.

When you go to login, you press something on the browser, it takes the site name, your key and your password and creates a hashed value that the site would pass to the OpenID box to authenticate.

To be honest, you may as well use something like Keepass.

Are you sure OpenID is 'Worse is Better' and not more 'Architecture Astronauting'?

I think multiple logins based an single email address is certainly the 'Worse is Better' solution.

Or you could just use the Firefox password storage system - it's basically the same thing as OpenID, but stored on your local machine. This completely eliminates the problem of a 30 minute barrier to entry - Firefox's password storage system is very intuitive and requires absolutely no explaining.

I see some people talking about password repositories such as those built-in to Firefox, but as another person has pointed out, that's no use if you move computer.

A middle ground is to use a password hasher add-on like pwdhash, password_hasher, or similar. These basically create a secure hash (numbers, letters, punctuation, etc) based on a master password and the domain-name of the site you're accessing (e.g., gmail.com, livejournal.com, whatever).

For example, with pwdhash, all I need to do is press F2 with focus on the password field before entering a password, type in the pass then click the login button. The add-on hashes the string entered into the password box before the form is submitted.

If you're not near a computer with the addon, pwdhash (and probably others) have a web-site that you can use to generate the hash and copy/paste it into a password field. Providing you have a fairly unique ID, then all you need to remember is one password, but all the sites logged into have different (and strong) passwords.

@anon: you should read the comments before posting. Someone already pointed out that this is not an option when using more than one computer. And lots of people do just that.

Regards
Fake

Mind telling us why OpenID is better than Microsoft Passport/LiveID/whatever, which has been around a lot longer and is actually associated with an e-mail address rather than an arbitrary URL?

I also use 1Password... Yeah it doesn't work on other machines, but they're releasing on online version soon that will take care of that. I'm not sure I'll use it, but I don't really need it anyway. So, assuming I stay local to this machine, it's going to remain a better solution than OpenID. (I've landed on a few OpenID sites - I chose not to use it.)

"Sorry! You will not be able to login to this website as it is using an older version of the the OpenID technology. Yahoo! only supports OpenID 2.0 because it is more secure. For more information, check out the OpenID documentation at Yahoo! Developer Network."

The http:// prefix is not required, as per the OpenID spec. This at least makes it look simpler, eg.

http://mxcl.livejournal.com

vs.

mxcl.livejournal.com

My OpenID is thus merely methylblue.com.

The biggest issues in my mind, are the usability one, since users are redirected to a completely different site to log in - this is disorientating. And that there is a single point of failure, if my provider went down for a day, or much worse, forever, I'd be a very unhappy Internet user.

Which is one reason you should always delegate the OpenID through your own, or some other URL I guess.

The point of openid is not to be secure or to help you to login to all your banks. The point is to save you time registering on 100 tiny little sites which all want you to register. Forums, blog comments, food sites, preferences, etc... things nobody cares to steal from you and you wouldnt care if they are... all require you to register, confirm your email, active, etc. All that pain in the ass is solvable with a single openid.

OpenID has never been positioned as replacement for failed MS passport. It's just an easy way to "autocreate" and account on a site that supports it.

OpenID is bad for mobile users (i can't see me typing those damn long OpenID-Urls with my cell phone) and bad for privacy:
I like it that i have multiple identities all over the web. What I say and do here does not have to be linked to what i say somewhere else.

if you can't trust the providers available in the wild, you can run your own server : http://wiki.openid.net/Run_your_own_identity_server

I think ultimately this is going to be an example of "worse is worse".

For the run-of-the-mill user they don't remember 50 login id's and 50 passwords. They've got 1. an email address (for those sites that accept it), 2. a "handle" ("clintp" for those sites where the handle isn't already taken), 3. an "alternate handle" ("clintp32768" for those sites that have lots of ID's), 4. a "secret" id ("chickenlover69" for sites where they want to remain somewhat anonymous).

And for passwords? Realistically, 3 or 4 at most. The passwords will get recycled among those few login ID's.

And this represents a user of some sophistication. Lots of others will remember the login ID's to their favorite sites, but for the less-used they'll rely on sticky-notes and archived e-mail "welcome" messages.

OpenID is fighting 15 years of habits developed by users on the Internet for something that is:

1. Clearly more complicated to set up.
2. Another "tech fad" lacking critical mass.
3. Harder to explain to those that need an explanation.
4. Yet Another Centralized Password System -- and we all know how well those ultimately work out. (*cough* MS Passport *cough*).

It's a solution for a problem that doesn't really exist for users.

Nice article cool!

Jeff,
As a web developer, I'm concerned about developer incompetence. I must confess that I don't completely understand how OpenID is supposed to work, but I'm concerned that some naive developer is going to do something incredibly boneheaded and virtually give away my credentials. So, my question is this: how much work does a developer have to go through to support OpenId, and is it easy to screw up? Or does OpenId somehow idiot-proof the process?

Centralized usernames/passwords is a good idea, but I'm not sure why it has to be an ugly URL to use, username or email would be a lot nicer. And isn't this pretty much what Microsoft is trying with their Windows Live ID? Until we get one standard for everything, I can't see this working out really well.

How does this work with maintaining the login information for a user? Most of my sites require security roles which need to be checked on each page. I like to go back to the database on each page load to check these (I normally save session variables with username/passwords and then authenticate on each page)... I don't feel really good about simply setting some field as "Logged On".

I do have about 5 or 6 sites of my own, but this discussion has me thinking I should perhaps try and setup all those site to use the same login.

I still don't understand the desire to translate emails into OpenID url's. Surely to the user it's "What I use to login", it just happens to be currently it's prodominently email or username, but there's no reason that can't change. As has been said before, a lot of people understand the concept of the url to their personal site, be that myspace, facebook, livejournal or whatever and these will hopefully eventually all be usable as an OpenID.

OpenID sounds interesting. You can have your "designer URL" point to OpenID provider (with presumably "ugly" naming) as long as you can host static HTML on the former. This delegation or indirection allows you to switch providers, at the cost of having to consult two servers instead of just the latter one.

From reading the comments, I see you can even be your own OpenID provider (thanks mantrid). I assume then that means if you are paranoid enough to do that, then you must run it on your own hardware, not a shared web hosting service. Is this correct?

The Google App Engine offers this type of functionality. You can use their user base as your own.

So With OpenID you can create your own server, have to type longer URL's and it stores all your ID's in one place ....

... How is this 'secure'? It's simpler maybe (and that's debatable?)

Putting the password for a Forum I go to occasionally anywhere near the details of my on-line banking is madness ....

Plus:
What happens if the OpenID server is offline?
What happens if you no longer own your OpenID domain?
What happens if you need to change you OpenID?

If you are worried about security:
Put a bootable Linux on a memory stick with kiosk mode browser and you have a secure portable simple system ....

After reading this post and doing some research, I've decided to setup my own OpenID server on my website (asmor.com). Beats the hell out of the other options!

Sigh... Now I'm stuck at the long wait for the DNS info on my new subdomain to propagate...

I think SlashID offers a compromise between the two worlds: you still have to go to a third party (SlashID.com) to get an ID, but it's a simple username and password, unlike OpenID's URLs as identifiers. At the moment, SlashID is a centralized system unlike OpenID, so there are chances of an SPOF, but the SlashID guys say they're working towards a de-centralized system. Sounds good to me.

http://slashid.com

Open ID as idea is pretty cool but executions leaves to desire. Its just another additional thing to carry/remeber. I'd suggest using something everyone has and what also takes into consideration mobile users: mobile phone and mobile phone number - allmost everyone has it, its constantly carried with.

I use roboform. granted I only use 2-3 computers at most and I keep an encrypted copy of my roboform data on a thumb drive in case I need it someplace else (hasn't happened yet).

Not a perfect solution, but it remembers for me.

Also, if I am on a site that requires a login and I don't want to register for yet another site, I just go to bugmenot.com and find a UID/PWD that will work. Great for loggin in to newspaper and maazine sites that want a (free) account to read stuff.

WA

OpenID is one of those ideas that us geeks really latch onto, but we forget that users aren't geeks. It imposes a change from the status quo, more steps to remember and a potential for capturing their real login info from their OpenID provider if they aren't careful about SSL.

I don't see this as a problem that needs solving. Firefox remembers my logins just fine, I can use my email to recover them if lost and my firefox profile is easily backed up and transferred to other machines.

Why even have passwords? Everyone forgets them all the time anyway and uses the "i forgot my password"-function so just send us the login-link without forcing us through all these steps to recover our password.

Disposable loginlinks sent to your email ftw.

1. Instead of username/password you just fill in your email and click send.
2. Wait 5secs for a mail with a one-time-use login-link, valid for ~10mins, to drop down in your inbox.
3. Click this link and you are now logged in!

This assumes that most users have their email-client running all the time.
Then all you have to remember is your mail-account and mail-password.

How about a fingerprint sensor on my mouse? Then I don't even have to remember my name. Maybe in 10 years...

Why do you need any credentials at all?

The thing I keep missing about OpenID is that it seems to have mechanisms in place to help users trust the provider(s) they choose, but I don't see where web sites can trust the providers that their users are using.

I don't want a hacker to set up an OpenID provider on a zombie server somewhere, and then use logins from that provider to log on to my site and dump spam all over the place, let alone conduct financial transactions. How do I, as someone who'd like to allow OpenID logins on my site, verify that the providers are legitimate?

In my experience, most sites/blogs that support OpenID are using it as an alternative to logins such as the one on this comment page. Seems pointless, since it's just as much work as typing in your name/email.

Are there any major blogs that allow commenting with OpenID in lieu of account creation?

Interesting because stackoverflow.com is a site for advanced computer users. For 90% of the population the "Remember Password" check box in IE or FF takes care of the login issue, but stackoverflow is really for those 10% who consider security when browsing the web.

Still seems like a lot of work for a marginal benefit but I'm curious to see how it works out.

I think a lot of people are missing the point of OpenID, or aren't understanding what it's about.

As a consuming website (a site accepting an OpenID login), you don't have access to the user's credentials aside from (a) their OpenID URI, and (b) whatever is sent via SREG (simple registration) or Attribute Exchange (both of which allow the user to specify, via their OpenID account, what - if any - addition information above and beyond their OpenID URI is sent to the consuming website).

@Fake51: A decent OpenID provider will allow you to pick a STRONG password - randomly generated, 16+ characters long, upper/lower-case characters, numbers, symbols, spaces. Such a password makes it very difficult to "guess" with a dictionary attack.

@anon Wrong - signing up to a new site without OpenID will still require you to key in all the supposed required information in setting up a new account, which will not be stored in Firefox (the inbuilt password manager only stored the username, password, and associated site). Unless you are referring to data stored within Firefox's form cache (which any good person will regularly clear out), then you've missed the mark here.

@Aaron G: Microsoft Passport/Live is a centralised proprietary authentication system owned and run by Microsoft. OpenID is a decentralised system based upon open standards and is not "owned" by any single person or company. Yes, your login details are "centralised" at your OpenID provider, but they are "decentralised" from the consuming websites.

@alphager: You say you don't want to type those, "damn long OpenID-Urls with my cell phone". Say your email address is with Yahoo!. How is typing in mynickname@yahoo.com much different or longer to me.yahoo.com/mynickname (a whole 3 characters longer).

@Clinton Pierce: Whilst you make a point, this is the exact type of behaviour people should be changing. Having 1-4 usernames and 1-4 passwords with one email address is inherently insecure. Generally, email is inherently insecure (unless signed with a PGP/GPG key.. and how often does that happen in the wild?). At least OpenID provides the option of security features that would usually mean an intruder would need to either (a) know the person (eg., to get mobile phone or fob), or (b) have access to their PC (for ID Cards (eg., CardSpace) or client certificates), or (c) both!

@Kris: URL vs email? As I said above, they're not that different (replace '@' with '/').

@Jaster: no banking websites accept OpenD (yet?), probably never will. There is nothing to say that if this changed down that track, that you couldn't run two OpenIDs - one for day to day use, and one for secure mission-critical applications such as banking. Yes, that means two identities - but it's still better than the current 50+ many people have. Even now, many people (certainly OpenID-proficient/keen) have OpenIDs with many providers. These can be tied together (to an extent - if one wishes it to be so).

@Olavi: Nice idea, but almost every site that provides interaction with mobile phones is US/Canada/UK limited - leaving most of the world in the dark. It would require too many contracts with network providers and too much stuffing round to get off the ground. Even established websites can't offer decent worldwide mobile phone interaction with their websites to a user's mobile phone.

@Wayne: bugmenot = FTW!

@bcl: New versions of web browsers are looking at SSL and user "awareness" more carefully. eg., changing the colour of the address bar based upon a good/bad SSL connection/certificate. Regardless, OpenID will always ask a user to accept/reject a login request for a new website. If this is asked on an already accepted/rejected site, then the user should be aware that something is amiss. Likewise, if the user is NOT asked on a new site, they should also be aware. People can't afford to be complacent online - and many people (especially gen y'ers or technically-illiterate-yet-still-remain-online) already are.

The main thing to remember here is - you have choice. You have the ability to choose whichever OpenID provider you want. Check out their features, check out their security measures. Do you trust them? Do they support delegation? If not, move on. I use myOpenID and trust it. Why? It's run by a company of good folk who have a key involvement and investment in the OpenID community, and are responsible for many of the open source libraries available.

@D. Lambert: You can request additional information when a new user logs into your site the first time using OpenID (or every time really I suppose). Ask them to perform a challenge request (eg., CAPTCHA) at your site after OpenID verification/login.

@Josh Stodola: Then you need to read the "Fingerprint Charade" by Kim Cameron at the Identity Blog - http://www.identityblog.com/?p=981 :)

/shutting up now!

You talk about the complexity of setting up your OpenID provider... but that's a one time cost. The additional overhead once you already have an OpenID provider is practically zero.

If you have your own domain, you can also delegate your OpenID so that I can keep the same OpenID URL (my domain name), but delegate the responsibility to a different provider next week if the one I have this week turns out to suck.

Although I support OpenId as an application developer, my experience as a user has been quite bad so far!

That's why for the moment, I'm all in favour of password managers:

http://evolvingworker.com/2008/4/4/in-favor-of-password-managers

I use 1password on Mac, RoboForms on Windows. I believe they're both largely worth their price. There is also KeePass which is free.

'"the only password you need to remember is your Master Password"
That's until you move to another computer, in which case you're a little screwed (and lot's of people log in on lots of different computers all the time).'

This is ture, but as someone else pointed out, just put Keepass on your thumb drive, that's what I do and the problem is virtually solved, at least between the two or three Windows boxes I log into.

The problem with this approach is that I'm screwed when I login to a Linux or Mac box, which I do quite frequently as well.

What we need is a cross-platform app to run off of a thumb drive that will store usernames and passwords for us.

The security to this approach lies in that fact that YOU have control over your thumb drive, you're not reliant on a third-party's security or lack there of. You're also able to use different usernames and passwords for different sites.

Hmmmmmm, I think its time for me to figure out how best to go about doing this...........

I'd have to say that associating yourself with a strange but relatively short URL is not significantly different than with email. Email *is* a URL - we just don't use the "mailto:" convention because the "@" syntax is unique among URL formats. Adding "http:" is a little extra typing, but the only real difference is that the position of the user identifier and host domain aren't consistent in the definition of OpenID - but they will be consistent for the user, as your openID provide won't likely change much.

Using the URL only seems strange to us because we are so used to using our emails as logins in so many places. I'm willing to bet that if you taught a new user how to use the OpenID format, they would adopt it as quickly as we have adopted any other convention.

My problem: I have multiple OpenID IDs. I had an account with Yahoo, an account with AOL, an account with Livejournal, and so on. So now I have several "single" sign-ons. There's no obvious way to consolidate all of them together into the mystical single sign-on.

Personally, I prefer e-mail address. Because I own my own domain, every site gets a different e-mail address, and I use a catch-all to get them. This makes filtering a lot easier (sent to X@Y.com), helps see who sells my e-mail address (hey, I'm getting spam sent to X@Y.com. I wonder how they got X's name!), and still gives me a rememberable, unique username for each site. Not all sites are as kind about username, though.

This has the typical e-mail-as-gateway problem. Essentially, I'm not sure how you get away from reducing passwords causing points of failure to be more important to secure.

Stuart: I don't want choice. I just want it to work. I trust MS to have a secure logon system and more importantly, to not go offline, because otherwise all of their monolithic services like Hotmail would also be offline.

It's not that I'm carrying the water for Microsoft specifically, it's just that the more a company has riding on their own authentication system, the less likely it is that the system will have problems. Yahoo has proven themselves to be unreliable in the past, and all of these other mickey mouse OpenID providers have yet to prove to the world that they're scalable and reliable (or that they even care to be). Google would probably be OK too, but this is one of the rare cases where Google actually arrived late to the party.

The fact that OpenID is completely, uh, open, and that there's no barrier to entry whatsoever, is precisely the reason I *don't* like it. This isn't the bazaar, this is the front door to my life or my application and I'd like to make sure that the lock is half-decent. Of course it's just my opinion, but I think Passport *is* the "worse is better" choice in this case.

Decentralized data and distributed applications are wonderful. Decentralized *security* scares the hell out of me. But who knows, time may prove those fears to be unfounded.

This may sound devilishly naive of me, but how is having to remember passwords a problem? Are we really becoming that lazy?

Case: A man stores all his valuable phone number contacts in his cell phone. He loses the phone and the SIM card. He no longer has the ability to contact anyone of import because he never learned those numbers. We now want instantaneous communication with everyone we've ever met, through IM, text messages, emails, message boards, chat lines, et al. But we don't store any of this knowledge. It's just more noise.

If a site requires me to login, and it's something that is ever-so painful for me to do, I just won't create an account. If it's something important to me, then I do. I generate a random password in my PasswordSafe (one I don't even know) and just pop it in there, unless a password is automatically generated by the system. Either way, I store it in my safe, to which only I have the key.

This is a long discussion about a non-problem. There is no login explosion. If you think there is, then you've created too many accounts. Take a break, go outside.

Say it with me: THERE IS NO LOGIN EXPLOSION. Unless there's also a phone number explosion that we, as developers, need to contain. And an email address explosion. And a designer clothes explosion.

Scott - "Are there any major blogs that allow commenting with OpenID in lieu of account creation?"

I've seen a few major blogs that support openID login for blog comments. Here is one I read frequently.
http://www.hanselman.com/blog/

And his article and podcast on enabling openID.
http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx
http://www.hanselman.com/blog/HanselminutesPodcast50OpenIDMicrosoftAnnouncement.aspx

If you're implementing OpenID on .NET, be sure to check out the dotnetopenid project [ <a href="http://code.google.com/p/dotnetopenid/">http://code.google.com/p/dotnetopenid/</a>; ] and read Scott Hanselman's excellent walkthrough of several common scenarios [ <a href="http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx">http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx</a>; ].

Am I the only one that has no problem remembering his login information?

I have to agree with Stephen. Your basically doing a lot work for people who don't organize thier account(s). 50 accounts, try using the same ID and password for each one!!

Maintain 3 different accounts:

Personal Account(s) - Yahoo, etc.
Work Account(s) - Developer sites, etc.
Secure Account(s) - Online banking, etc.

Each account grouping all use the same ID and password. Separate out the personal and work stuff from the secure items, so it Yahoo or StackOverflow.com gets compromised, then they can't empty out the bank account. Easy to manage, right?

But of course, the password Nazis like to have thier fun so this doesn't always work out.

I've never liked the following about passwords:

Enforced password complexity - I feel that if you enforce password complexity, you actually make the system less secure. Why? If you force users into a set of rules, you know what? They will not be able to remember 1!@jkT6Eq as thier password. What do they do? They will write the password down and put a sticky note next to thier computer with the password on it so they can log in. Let them type in something meaningful to them. Now the cleaning crew can log into your internal network.

Password Changes Every X amount of days - This is especially annoying. Why do I have to change my password to the system, is the system that insecure?? Usually, after a few changes, I run out of meaningful word combinations and I just make something up and write it down so I can remember it.

Other ones are system generated passwords, length, and character requirements.

Moronic, these policies are.

A password does nothing to authenticate the true identity of the user. All it does is it puts up a barrier for entry. Just by typing in my ID and password does not verify that the user who typed it is the one who actually created the account. It just verifies the piece of stored information.

I'm not sure what the solution in the future is (hand prints, eye scans, etc), but I hope it will not be IDs and passwords.

Jeff, perhaps you should read the Laws of Identity on Kim Cameron blog: http://www.identityblog.com/

> How much work does a developer have to go through to support OpenId, and is it easy to screw up? Or does OpenId somehow idiot-proof the process?

OpenId will generally be far more secure than the average developer implementation of username/password. Assuming you choose a provider that uses SSL.

> My problem: I have multiple OpenID IDs.

How is that a problem? You have several different forms of identification in your wallet and house right now. Passport, driver's license, birth certificate, credit cards, etc, etc. All useful in different (and sometimes very narrow) circumstances.

@Jon Raynor, you managed to answer your issues with OpenID with your complaints about passwords. OpenID can solve your password problems; your OpenID provider doesn't need to use passwords if it has some other means of authentication.

[] Remember Login

Open id is good. In order to remember the url use your own blog url as open id. Use delegation if required.

I've got the impression that most people criticising OpenID here don't really grok the concept. Jeff, perhaps you could write a bit more about it – or simply post a link to the Identity 2.0 talk by Dick Hardt (which admittedly is *not* OpenID but the thrust goes into the same direction). A lot of the complaints here – centralizing credentials, giving away trust or control, etc. are exactly the opposite of what OpenID might establish.

A lot of (if not all) the security concerns people are mentioning are answered by the Simon Willison video linked in the first comment above.

In particular, he points out that emailing a token to the user when they forget their password is exactly equivalent (as far as security) to using OpenID -- in both cases you're trusting your security to a third party that the user trusts.

So if you don't trust a Yahoo OpenID, you shouldn't email a "use this one-time token to login" to any Yahoo email address either.

I find it funny that so many people say "use the same username and password for all your sites!"... Yeah, you could do that for convenience, but that means you trust the owners of each of those sites to not try to use your same username and password on other common sites for their own nefarious purposes.
OpenId is great, it shouldn't replace dedicated logins for things like bank accounts yet, but for the majority of sites out there, it's a great concept.
One way to improve it would be to work on some sort of browser integration with it... Maybe make a Firefox Addon that handles the login a little better and more secure than just counting on the user to verify that they are redirected to their openid site and not a phishing site.

Hmm.. I didn't see anyone mention Password Composer (http://tinyurl.com/bhg3p). The passwords it generates aren't cryptographically strong or anything, but nothing stops you from changing the Greasemonkey script if you need that. I have no idea what my passwords are anymore... and if I need them, I can ask for them to be displayed (click on the "*" while typing the password and it will be revealed in clear).

It also solves ICR's problem: "That's until you move to another computer, in which case you're a little screwed (and lot's of people log in on lots of different computers all the time)."

I just need password composer installed on Firefox on all those computers. It works by combining the master password and domain name... so NO password is stored anywhere.

Does that mean if your favourite site adjusts its domain name, you're kind of screwed?

I second (or rather fifth, sixth, seventh) those who've pointed out KeePass (or its ilk) as a perfectly reasonable, safe, secure option for managing one's passwords. The model's a great one: I own the app, I own the password file (which is itself password-protected -- symbolically analogous to my OpenID url), and it creates excellent, strong passwords for me -- all I have to do is open, find, copy-paste, and I'm golden. It's not one click, but it's rarely more than a few. KeePass, essentially, *is* OpenID, only it's in my pocket, behind my firewall, and physically locked up in my house, rather than floating "out there" in the cloud somewhere, waiting to be compromised.

Identity services like OpenID don't seem to solve much of a problem, then. As users, we already *have* the option of using one username and password for everything. Better we don't, of course -- better (IMO, though it seems pretty obvious) that we keep our identities more, rather than less, fragmented, and hence more secure, if only for there being so many more locks to negotiate.

As such an obvious

I think the point that needs to be driven home here is the one that no-one has mentioned yet: audience. stackoverflow is designed for the tech savvy, and setting up/using a OpenID is not beyond the comprehension of the users.

But it does become 'just another n/p' if that user doesn't already have an OpenID account.

From the post:
<<As I mentioned above, I feel most of these criticisms can be mitigated by picking a quality, trustworthy OpenID Provider. Particularly one that uses SSL. Since it's an open ecosystem, I'd hope the more reputable and reliable OpenID providers would rise to the top.>>

That can only happen if it's nearly trivially easy to move an ID from one provider to another. For instance, if AOL.com had a button saying "move this ID to Yahoo.com." Admittedly I don't know much about OpenID, but I just don't see that happening.

If there's even the slightest friction to moving providers, nobody will do it.

Secondly, does OpenID contain a mechanism to merge accounts? One of the nice things about the Hotmail/Passport system is that if you have multiple IDs (old Hotmail address, new Xbox Live account, maybe a MSN Games account), you can merge them all together under the same Passport email address.

It's extremely likely that most people already have more than one of these, for example I have a AOL one (via AOL Instant Messenger), a Blogger one, and a Yahoo one. Can I log on to Yahoo using my Blogger OpenID, and then tell Yahoo to merge the information it has with the information Blogger has?

Until OpenID contains functions to move and merge accounts, I don't see it taking off. Right now, if I make an OpenID with SomeSeedySite.com, then later find out that they support Chinese suppression of free speech, or sell person info to spammers... I'm stuck! I can't move my logins to another provider.

Ugh, this blogging system erased the quote from the article. It was:

As I mentioned above, I feel most of these criticisms can be mitigated by picking a quality, trustworthy OpenID Provider. Particularly one that uses SSL. Since it's an open ecosystem, I'd hope the more reputable and reliable OpenID providers would rise to the top.

In the name of usability, if you're going to put a huge red "no HTML" indicator on the comments field, please let people type greater-than and less-than signs in the post.

Very informative and well written article and lots of insightful comments. Its awesome to see this kind of dialog going on around the topic of OpenID. I work for a company called Vidoop and we have been working to address alot of these concerns with our OpenID provider myVidoop: http://myvidoop.com

Specifically we want people to feel comfortable using OpenID for more high value transactions and so we have implemented a two factor authentication system called RecognitionAUTH. Without requiring any additional hardware or software we have a image based login system that generates a random passcode for every login. We also offer a password manager for storing/organizing your traditional logins and passwords, support OpenID delegation (use your own domain as your OpenID), have custom activity reports, and more. You can create an OpenID and check it out for free.

We are not the only ones either, I would trust logging in to my bank with a Verisign or myOpenID account. Verisign offers a secure OpenID option using tokens and myOpenID has an out of band phone pin or some such.

If you want to make it easy to refer people to get an OpenID from myVidoop we have an affiliate program at http://affiliates.vidoop.com myOpenID has an affiliate program as well. Joining an affiliate program is a way for the site operator to keep the user from having to wade through all the providers on the OpenID wiki and possibly getting stuck with an unreliable provider.

It is also worthwhile to note that OpenID is only a component in the identity stack, there is an excellent description of everything that goes into someone's identity beyond OpenID here: http://blogs.oracle.com/talkingidentity/2008/05/05

At the end of the day there are certainly many valid critiques of OpenID. Though with so many great organizations involved with OpenID now I expect things will keep improving.

Stefan Brands is selling Credentica, a competitor to OpenID. Credentica indeed has some advantages over OpenID, but it isn't free and doesn't work in Web browsers so it's basically unusable.

Its a basic mistake in architecture that I am quite dissapointed in you for giving it this much consideration.
Trust some company with my username / password? Why would you trust a company when companies certainly are not trustworthy with your data.
A solution that only works for for some sites? Why bother? Encrypt your firefox profile, get a plugin to automatically enter form data and be done with it.

@James Schend, your OpenID can be separate from your OpenID provider, so that you can switch providers without changing your ID. Your OpenID URL can be any web page that you control; you just add some HTML to the headers to point to whichever OpenID provider you trust today.

@Christian Nunciato, I'd much rather have my password managed by a single site that I trust, and all other sites checking with them, than store a password at each of those other sites. Jeff has blogged previously about how much web programmers get password-authentication wrong -- and even he got it a bit wrong at the time, as I recall. I don't trust my passwords in the code of very many web programmers, so I'm happy to have a system that allows me to give my trust to the few that I do.

Here's a simple idea...

Extend the mail protocols. Instead of signing up with a Id provider, everyone either has an email account, or can get one for nothing.

When a site needs to identify you, they ask for your email address, forward you to that server for verification, and then you can be forwarded back.

The infrastructure for determining your mail server from the hostname already exists. Further if there is any one provider that already knows everything about you, it's your mail host.

This isn't complicated and could easily reach a large audience.

To be honest I'd rather you used Microsoft's Passport or the Google API or something else that I likely already have, OpenID although a great concept has actually just created another Id I need to remember

I really wouldn't feel safe having just one login for all my accounts. If it gets compromised, then everything gets compromised. I'd rather have separate login credentials for each account/website. Remembering these credentials is not hard at all either, even for dozens of accounts.

Just invent a quick algorithm you can do in your head, which produces a password based on some master password and the purpose of the account. For example, if you choose a teacher's name as your master password for all accounts (e.g., Mrs. Krabopple), then for logging into Amazon your account password could be something like AmaKraboppleZon - throw in a little 1337 $p33k for numbers and symbols, and you have a complex password that's hard to crack but easy to remember.

I have been fighting with this same problem. After years of my internet activity I have collected quite impressive amount of different user names and passwords I had to remember... and I have been trying to, really hard...

I know know that I shouldn't store them in in word document (even compressed and passworded - brut-force still rules) ad I decided one day that I will write an app helping me to solve this problem.

Maybe it will help you as well. It is free.

http://www.aristo-samar.com/pc.en.aspx (seventh project down)

If you will like it I will appreciate your comment.

Greets
Mariusz

Keith Bertelsen:

"My problem: I have multiple OpenID IDs. I had an account with Yahoo, an account with AOL, an account with Livejournal, and so on. So now I have several "single" sign-ons. There's no obvious way to consolidate all of them together into the mystical single sign-on."

That's because all of them are talking the talk but not walking the walk. As users we should accept nothing short of full <a href="http://wiki.openid.net//Relying_Party_Best_Practices">Relying Party</a> status. It's particularly sad in LiveJournal's case, given that the technology originated there.

The blog engine silently stripped out this link from my comment, which was tied to the words "Relying Party". A preview button would be helpful.

http://wiki.openid.net/Relying_Party_Best_Practices

@anon & everyone else who says just store it in your browser.

Go download cain&able or if your in firefox go to Tools -> Options -> Security -> Show Passwords > Show Passwords (bottom right) -> Yes

How do you feel about storing your password in you browser now?

BTW: I am a FireFox fanboy, I just think people should know.

WOW after the dozens of times I've entered the 'Captcha' here I managed to get it wrong twice today.

@Stuart: Great link, and good point. What about some sort of eye sensor (http://www.youtube.com/watch?v=OPLdzv7A3zI). Or perhaps voice recognition...?

I've tried it, and its a freaking pain in the arse. Never tried it again. Too complicated. At least MSN Passport (live id now, or whatever MS has rebranded it to this day) at least worked seemlessly.

And btw, doesn't this seem EXACTLY like using the same password for every site.

Say, isn't that supposed to be bad???

Jeff, after watching Dick Hardt Identity 2.0 presentation I see OpenID as a mere step for a more sane Identity Management Paradigm...also, their mozilla plugin Sxipper (http://www.sxipper.com/) do tend to make things easier.

@MDRisser: Try KeePassX (cross-platform open source port of KeePass Password Safe). The only issue is - how secure is your KeePass password? What if you lose your thumb drive? Will someone be able to crack your password by guessing it, dictionary attack, etc?

@Aaron G: Choice makes OpenID so great though - YOU get to choose a provider you trust, you aren't reliant on just ONE company to do the right thing for you and being locked in if things go south. A decent OpenID provider will provide banking-grade SSL security and multi-level authentication, making it almost impossible to hack your account unless they either (a) have access to your computer, or (b) have access to you (ie., someone you know). Not even banks provide that level of security with online banking. You need to look around/into this more, because the lock as you refer to it, well it's pretty damn good.

@PaoloB: Say you have 50 accounts. That's 50 usernames, 50 randomly generated ~160-bit passwords to remember. Most people would struggle with that. (Obviously I'm referring to a security-conscious person here - not someone who uses a couple of usernames/passwords for everything!)

@JAtkinson: [] Clear cookies [] Clear form data OR use a different computer. uh oh. Plus, most websites that use the "remember me" option expire the login after a couple of weeks at most.

@Vinnie: Great point! And how often do we sign up for an account somewhere, then after a while... along comes the spam. They've sold our email address (indication of poor trust) OR their database has been hacked (indication of poor security). What's to say that our password hasn't been acquired as well. A decent OpenID provider will eliminate these issues.

@Keshi: That would be extremely rare. Almost never see a site change its domain name. Even if they did, a decent provider wouldn't change the identity URI that people use.

@Christian Nunciato: Yes, but you still have that overhead every time you sign up for a new account of entering all those details YET again.

@Ian00: You trust a company every time you create a new account though.. how is this much different. Except with what you're alluding to, that trust is fragmented across possibly dozens or hundreds of sites instead of just one.

Everyone needs to go watch Simon Willison's video, whether you love or hate the OpenID concept, whether you use it every day or don't even know what it is. It answers all your questions.

Time to get off this merry-go-round!

Why bother with all that rigamorole when there is a perfectly good and elegant solution available for free (or cheap if you use it for a lot of passwords)?

I use a product alled roboform (http://www.roboform.com/) to store all my passwords and as a bonus it also has the following nifty features:
* When you do have to fill out a registration form, it remembers all your info and auto-fills it with one click.
* It will autogenerate and fill in a password so you don't have to make them up for every site.
* It stores the PW list encrypted on your hard drive (or thumb drive) and optionally lets you have a single master password to get access to all your sites. Seems more secure than having your PW list stored out on an HTTP server somewhere.
* A side benefit I discovered as a web developer is that it makes it really quick to test web forms of your app so you don't have to fill them out and re-fill them out over and over during testing.

This little cheapie widget totally changed my life. Despite "admin-itions" against re-using the same credentials, I used to do it just to keep track of it all. Now I have strong passwords even for sites where I could care less if someone hacked my account.

PS: No, I don't work for them. I just like to promote really good software when I see it. I am also a huge fan of BeyondCompare and HyperSnap which both fall in the reasonably priced, extremely useful software category.

All the people saying MS Passport/Live is a better, more trustworthy option to OpenID - it only works on MS sites. They used to allow third-party sites to accept Passports, but in like four years, they only had about 50 non-MS sites on board and so canned the idea. In a quarter of that time, OpenID has more than 100 times the number of sites on-board that can consume OpenIDs, and it's growing daily. (okay, not entirely sure about the numbers, but they're probably not far off)

I posted something on craigslist the other day and I didn't have to create an account. All I did was provide an email account. Craigslist sent me an email with a link to a site that would allow me to edit my posting. This is such an easy solution, especially for sites where you only use it once or twice a year. Then if I get tired of just using email to manage my postings, I can create an account.

I think the solution is to design your website so that a user doesn't need to create an account until he/she is using your website frequently enough that he/she can remember the username and password.

It is not clear from this article what the difference is between having an OpenID which is 'trusted' (and only requires a URL to login) and having a website that only requires an e-mail address with no password.

What stops someone guessing your OpenID URL when it is 'trusted' and you no longer have to provide credentials to access a site?

Surely, anyone can guess your OpenID easily enough, at which point non-security-critical websites could bypass the whole process by making passwords optional, thereby making OpenID redundant.

You know, all this talk of OpenID made me want to use one of my OpenID to create a new journal.

So, knowing that LiveJournal supports OpenID, I waltzed over to its sign up page: <a href="https://www.livejournal.com/create.bml">https://www.livejournal.com/create.bml</a>;

See anything missing from that form?

That's right, Livejournal DOESN'T ACCEPT OpenID for journal creation, only for posting comments: <a href="http://www.vgmusic.com/~rbemrose/images/screenshots/lj-openid.png">http://www.vgmusic.com/~rbemrose/images/screenshots/lj-openid.png</a>;

If Livejournal won't eat their own dogfood, as a developer, why should I?

"Perhaps the most compelling point Jan makes is this one: it is a bit odd to ask users to associate themselves with an arbitrary URL instead of an email address"

What's the difference between yourname@someprovider.com and someprovider.com/yourname or yourname.someprovider besides the order? Both seem equally arbitrary. The only advantage is the standard formatting for e-mail addresses.

Personally, I prefer info cards over OpenID. However, neither is really ubiquitious.

This is why I use RoboForm password manager. Others in the comments have recommended simmilar. I don't know any of my passwords but a few like my email and my bank. However, there is a portable version of RoboForm, RoboForm2Go which makes this all portable. You just plug your S3 USB key into any PC and roboform is attached to the browser.

There is also an alternative site, https://mashedlife.com/ . This place is similar to OpenID however the places you login to don't need to support OpenId. It is like RoboForm but on the web. So, you don't need your USB key. Of course, you have to trust them since they have all your passwords... but if you can trust an OpenID provider, why not them?

BOb

I have three sets of passwords: one for sites I care nothing about, one for sites I care about, and one for high security sites such as banking, Amazon, and Ebay (and each of these is a little different).

I agree, I hate the process of having to create yet another account. Every single damn BBoard in existence seems to want me to create an account, sometimes even just to view the posts already on there.

I'd love to have a standardized system for logging in, especially across BBoards.

OpenID looks like it's a bit too clunky to work, though. Microsoft Passport, as much as I hate to say it, looks like the better solution.

Are those of use without personal websites going to be left out in the cold? I don't think I understand this 'URL as a username' thing at all.

The problem with openID is that it's only us geeks that know about it.

Same problem that another decentralized chat-protocol, Jabber, has. http://www.jabber.org/

I like OpenID, I really like the Attribute Exchange. My openid provider (which is one I wrote) provides an avatar image as part of the attribute exchange.

So if this website supported openid and used avatars, I wouldn't have to do anything special to get my avatar next to this comment.

Drambuie:

here's how openid works:

I punch in my openid to codinghorror.com. Codinghorror.com fetches the URL I just provided and looks at the sourcecode for that page for the openid server.

codinghorror then connects directly to the openid server and does a public/private key exchange. It also redirects my browser to my openid server.

If I'm already logged into my openid server, it asks me to confirm that I want to login to codinghorror. Then it redirects me back to codinghorror.com, passing along a "authentication succeeded" or "authentication failed" message that it signs with the key from the keyexchange.

Codinghorror now knows that I "own" the identity I provided. Noone else can use my url as their identity because the openid server identified in the linkrel tag on my website won't authenticate them.

As you said, it's not so much the password and username generation as it is remembering them.

Unless you use a public access terminal, you can always just let your browser remember the passwords and usernames on less security intensive sites.

secondarily, carry a book with your logins stored in it!

writing logins on the first page, passwords on the last, and on a third page marked with a casual list of the websites on the marked page.

Technically you can do this with any book, and use a scrap third paper with all the sites on it as a bookmark itself.

personally, I prefer doing it with my contact address book. random notes and email lists aren't likely to seem out of place (you can disguise any site as an email address... Think about it. :P).

People aren't likely to figure out, regardless of your method, and quite frankly, few people in your day to day life care about your passwords.

I just believe that there's plenty of ways around this, and do not like having, well, yet another login to remember my logins.

I dont think I'll ever leave my whole internet-identity to a 3rd-part to handle. A local program that handles all my logins (both web and desktop applications) is better. All passwords are stored locally and can be on an USB-drive. No way I'll use the same account on more than one site. It's not secure enough.

And those 5 minutes it takes to create an account on every new community I choose to join is nothing that bother me. And it's generally good that I have to confirm a new join by reading my email and click on an confirm-link.

I use to change my regmail after registration so that its impossible to use "forget password" if hackers hack my email account. I just store all my passwords on an crypted USB-drive and also use my fingerprint reader så that I dont have to know or remember my passwords. In a worst case scenario where I lose my usb-drive and backup, and my finger print reader software stop work its allmost allways possible to reset your password by contacting the community and proofe you are the "right" person by IP-check and lookups in loggfiles.. I have never lost an account yet.

@Arron
For Firefox, the Master Password is offered to protect that. If you set it (the checkbox is on the left side right above the Show Passwords button), then try your trick, it'll ask for the master password before letting you see the passwords.

OpenID is a technology that is not needed. I didn't see even one case in the article or comments where OpenID is needed.

I saw very few comments on existing software solutions (firefox and roboform). Roboform also has many free (somewhat) equivalents, so price shouldn't be the objection.

I use Roboform Portable, for example. It has a lot more security than any form of OpenID can ever have. And, this approach could much more easily be a universal solution, with more advantages, especially with security.

Perhaps at it's inception, it seemed as viable a choice as the other two similar ones above, but technology has evolved enough already to make it a waste of time to persue.

One of the largest problems with our profession is the enamoration with technology for it's own sake. Not to mention the marketing profession creating new solutions and then looking for a problem set to match up.

A lot of people here doesn't seem to have a clear idea about how openid works. That includes Jeff himself, when he quoted Dare about why openid will not be adopted by big players.

Look, there is no such thing as a "pseudo" account or whatever that Dare likes to call it. If your app supports openid, your users will still create their accounts at your site. Period.

Having openid just makes the process easier for the users, because

- they don't need to have another set of username and password

- their identities (name, address, sex, etc), if stored in the provider, can be automatically captured by the app

- they only need to sign in once to the provider and will then able to bypass login for all the trusted apps

As an user of Opera, I have been able to enjoy some of the above benefits by using Opera Wand. Hopefully the adoption of openid will make other browsers more bearable to use :D

> One of the largest problems with our profession is the enamoration with technology for it's own sake.

Stephan, in the context of the rest of your comment, I find this statement overwhelmingly ironic.

Yes, who needs a distributed web-based system, when people could simply install programs and use encrypted USB drives?

While OpenID may not be acceptable for larger sites, I certainly think that it is a boon for smaller sites. Instead of having to enter credentials for every (insert blog name here) users can just use the OpenID URL, which is exactly the point. Furthermore, some popular content management systems (such as Drupal) now have built-in OpenID support, making it no more than a couple of clicks for a site administrator to enable OpenID support. The power of OpenID is similar to the power of open source software; it allows for many small parties to band together to become more influential as a whole. While it still has problems, some simple changes (such as changing logins to an e-mail address format) would give OpenID a lot of sway.

OpenID needs to be more easy to use before being widely accepted, no matter how much I'd like to see a single online identity become a standard.

Everyone reading this article is highly capable of 'getting' computers and any associated complex concepts and in spite of this OpenID manages to cause us problems. Us, and we're the ones that should 'get it'. Some commenters have clearly stated that they don't quite understand it. Did anyone really 'get' OpenID first time round? Really get it?

Under wide-acceptance conditions /everyone/ should 'get' OpenID first time without question. At worst, /we/ should all 'get' OpenID first time round with no exceptions. We don't. This should be a big warning.

We're not our users. We'd all like to see OpenID working. But it won't, because we're too focused on the techy bits, the security concerns, the features and the 'wow - it works' to notice the obvious flaw staring us in the face: normal users don't get web addresses.

Tell a user a web address is 'subdomain.example.com' they'll repeat back 'subdomain@example.com'. Without 'www' included, most users don't really get web addresses. They'll not get how a web address relates to them. They'll not get OpenID. They'll confuse email addresses with OpenID web addresses. They'll not get OpenID. This is a shame, but is what will happen. Normal users won't get it.

No matter how good the OpenID specs and infrastructure are, it will fail for the above reasons. We might even get people implementing alternative single identity concepts to address deficiencies in OpenID. We'll replace the multiple-sets-of-usernames-and-passwords problem with a multiple-sets-of-single-online-identity-solutions problem.

Let's not let our desire to get a standard single online identity cloud our judgement here. Users don't get web addresses and as such OpenID will fail.

Let's get some decent user testing and research done now before we go too far in backing a flawed horse. Let's identify the flaws quickly and do what we do best by designing intelligent solutions that can be used, not merely ones that function. And repeat until it works.

OpenID is a good starting point, but not the end point a lot may want it to be.

This is a shame, but it happens. Now's the time to fix it not implement it.

Does the world need another password? no more then the world needing yet another website with the same goal as 9 billion other ones ...

Actually, needing authentication to contribute increasingly bars me from participation on several websites. At work I plan to implement a single sign-on strategy for all our infrastructure eventually (hey, first I need to drag them into the 21st century and get nightly automated build and regression testing implemented).

All solutions I've encountered are inelegant, and it takes extended interaction with a site to convince me of the benefits of registering. I suspect that, at some point, I'll just maintain my own blog and write all my comments to everything I spot on the web *there* instead.

OpenID is a great concept but the solution to the glut is really not that complicated. Why not use the same email address as a username and a (same) strong password for all sites? (eight characters, some caps, some numbers, maybe some special characters).

Looking at Windows Live login, which took about a decade to work correctly, I have to wonder how much money and brain cycles are wasted on essentially mundane matters (strong password should be a mundane matter by now).

Great post, very refreshing after previous two posts :)

I can't help but think that it may be more successful if the official OpenID website actually had some information about OpenID and how it works rather than just a sales pitch which encourages you to get an OpenID with no idea as to what it will involve or how it will work when you use it.

Visiting a few providers, I encounter the same problem: I am offered a sign-up process but absolutely no information of how it works from the user perspective or how my identity would be protected.

@[ICR]: What do you mean by move? You mean buying a new one? No problem, I migrated my Firefox profile already from my original computer to a new one in the past and recently again, no issues with that, all my passwords are there.

Or did you mean sitting at "someone's else" computer? You really dare to type your OpenID password or any password on someone else's computer? Wow, you are brave. If he has a keylogger running, you just gave him access to ... well, in my case to a small hand full of sides, in your case, thanks to OpenID, to pretty much everything. Very brave of you to always trust anyone to not do that.

Roboform, bitches!

Actually it is lacking compared to openid, in one respect: you still have to create an account on every site. I like the idea of not having to do that.

What Jon Cram said, it's to technical atm.

What is the major reason why everyone is using msn these days instead of icq ass even though icq had tons of users before even msn was thought of.
1. You can pick your own, easy-to-remember, loginname instead of having
to remember a random 14-digit number.

And you guys who promote roboform etc? How do you login when you don't have acess to your own computer? At our school we can't access the usb-ports and i doubt you can at most internet-cafes eighter.

> And you guys who promote roboform etc? How do you login when you don't have acess to your own computer?

Agreed; and:

How many average people do you know... (auto mechanics, factory/warehouse employees, chefs, etc. etc. etc.) that want to carry around a usb device everywhere they go so that they can check their e-mail or post on their facebook or whatnot? It's absurd.

Jon Cram writes: "normal users don't get web addresses." It is true that the OpenID community can do a lot to make this technology more accessible. One small step in the right direction is a universal OpenID login widget: ID Selector (www.idselector.com). If websites implement this tool, all users get a consistent experience where they don't need to remember the full OpenID URL syntax, just their account name. Further, on a return visit, users get "single click login" with no URL to remember or type in.

Site-wide login is a great idea, but from what I'm reading OpenID is a pile of dog crap.

The biggest single thing I /don't/ want to do is to allow easy linking if identity between websites. If anything my email and my real OpenID should be protected and only known to the OpenID provider. Dozens of annoying account creation screens are lame, but they'll still exist. Sure I suppose a court order can be given to an OpenID provider to provide a list of accounts, but that would be pretty rare and as I see it allowable assuming due diligence of the courts.

Also, for the security minded, OpenID could allow you to have a sub-password per site, but let that be up to the user.

From what I can see, the only bonus from a single signon comes from storing some contact information that you give to some sites. i.e. Amazon and billing address, current CC info, etc. Not having to update it all of the time, and hopefully having it securely stored by the provider. The consumer sites using OpenID then don't need all of that information all of the time, and their policies would erase the data after a certain timeframe.

In the end though, what'll happen is it'll be like every stupid facebook application that needs to know everything about you before you can use it, so what's the point of having checkboxes to tick if they're always ticked and you completely give away all that information instead of at least being able to obscure your online identity, even if just a little.

The only place it doesn't matter is when it's all the same company. google* or MSDN, but I'd never, ever use their 'single sign-in' anywhere else. (until they're bought I guess)

OpenID is another thing i won't use. First of all it's a real single source of risk. On some OpenID providers you can see all websites which are linked to your OpenID. That means if someone hacks that account, he can access every website with your <personal> information. That is worse than an email account. Normally with an email account he can't really know for which website the adress is used for (or do you store every website with login name in your emailaccount?).

I use different mail addresses for joining a site based on a few things:
1. Do I want to login