Why OpenID will fail. AKA OpenID disinformation time.

14 comments

I'm not sure how many of my blog readers know what OpenID is, or I guess, even who reads my blog anymore. But anyway, it seems like I'm reading about or hearing someone talk about OpenID every other day now, all of whom seem to be talking about why OpenID will fail. Actually... today I heard/read two people describing why OpenID will fail or why it's a bunk idea. One on a random blog, the other at a discussion led by Cory Doctorow at SFU (which was an awesome discussion, btw). The reasons why OpenID will fail are usually the same:

  1. Privacy: If you use an OpenID provider for all of your logins then that provider knows exactly which blogs you read, which sites you visit, and which companies you shop from (assuming all the sites you use, use OpenID). That kind of information is very valuable to marketers and likely to get sold or stolen.
  2. Trust: Just because someone's identity provider says that the person logging into your site is Bob, how can you trust that the person is actually Bob? No large companies will ever trust third-party OpenID providers. Perhaps they'll become a provider themselves and you'll need to set up an OpenID with them. If all large organizations do this, you defeat the purpose of OpenID.
  3. Buy-in: OpenID is useless unless everyone buys into it. When even many technical experts have never heard of it, everyone will never buy into it, even if it is an amazing technology.
  4. Corporate control: OpenID is a solution for corporations to solve single sign-on problems and more easily gather user data, not a solution for individuals. It is not made for individuals, therefore even if it catches on it will be a Bad Thing (tm).
  5. Phishing: 'nuff said.

Those seem to be the most typical arguments I've read/heard. The corporate control one was a new one today though. So, why do I think OpenID will fail? One reason:

People don't understand OpenID or the problem it is trying to solve. Sure, maybe the people developing it do, but not the people who will be most influential in its adoption. Of the arguments I've heard and read, very few have actually pointed out real issues with OpenID, and the good ones have mostly been demonstrating that the problems OpenID is trying to solve have already been solved in other identity technologies. Sure, OpenID may not be the be-all and end-all of identity on the net, and it's not trying to be, but OpenID may have no future if its scope and goals cannot be clearly articulated to the people who could be advocating it, instead of bashing it.

EDIT: Perhaps I was too subtle in this post, but just to clarify... the 5 points I listed above are not my arguments nor do I believe that they are valid. They are simply the most common arguments I hear against OpenID.

Peanut Gallery

The argument "Buy-in: OpenID is useless unless everyone buys into it" is absolutely bogus.

One of the features of OpenID is the concept of single sign-on. For the end user that means not having to sign up for multiple accounts and remember multiple passwords across different sites. Does this mean this only works if *all* websites become OpenID-supporting sites? No. With just 2 sites, there can be utility in this feature. It is a case of "the more the merrier" and absolutely not "all-or-nothing."

Carl

Mark

Problem with Google Checkout: It's not available in Canada yet! Canadian retailers need an American presence to set up an account. But I guess they'll solve that soon enough...

Scott Hadfield

> And yet, you seem to be doing little in explaining what OpenID is.

Very true. And as someone who wants to see OpenID succeed, perhaps I'll do that in a [near] future post.

Scott Hadfield

Just to be clear... points 1 through 5 aren't my arguments. They're just the most common arguments I hear, and I agree that for the most part they are not valid, as they argue things that OpenID isn't being designed to accomplish. I'm just trying to point out that the majority of arguments against OpenID just demonstrate that the people arguing don't understand the goals of OpenID.

Too late. Google Accounts already won.

If you have a Gmail, Blogger, or an AdSense account you have a Google Checkout account.

E-tailers are supporting both PayPal and Google Checkout now. No one seems to like PayPal so that will slowly disappear.

Google has been able to get more momentum with Google Accounts in a year than MS was able to get with Passport even with the 5 year head-start that they had.

And you hit the nail on the head. I am a fairly technical person, but I have no idea what OpenID would do for me. And I don't care enough to even do a search for it.

I can check my email and buy stuff with my Google Checkout account. That's all I really care for.

And yet, you seem to be doing little in explaining what OpenID is.

BTW, points 1 and 2 are moot. Anyone may set up an OpenID provider, either at a network or at their own blog. That means only YOU know what sites you go to. For companies, it means they can control what their employees do, and that's just what they love doing.

> Trust: Just because someone's identity provider says that the person logging into your site is Bob, how can you trust that the person is actually Bob? No large companies will ever trust third-party OpenID providers. Perhaps they'll become a provider themselves and you'll need to set up an OpenID with them. If all large organizations do this, you defeat the purpose of OpenID.

That's not really an issue. OpenID's not built on trusting what the identity provider says, but on trusting the permanence of the identity provider. If the provider for http://example.com/id/bkerley comes back and says "web browser session #234 owns this ID" on Tuesday, and on Sunday says "web browser session #187 owns this ID", then you know they're the same user. You don't know the user's given name or anything like that, but you do know that both sessions are the same user.

Phishing an OpenID is the same problem with any login field, and it's also quite solvable. You could make a provider that uses a challenge-response login with a public-private keypair (even using a smartcard to store the private key) to defeat playback attacks, or one that uses one of those key-shifting keychains.

I'd rather trust a provider of my selection with the job of verifying that I own my browser session, and a random third-party website with verifying that my browser session owns a URL, than trust a random third party with verifying the former alone.
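How a relying party acts on the kind of assertion described above, as an added example that is not code from the post or from any OpenID library: an OpenID 2.0-style positive assertion is checked (HMAC over the key-value form of the fields named in openid.signed, the endpoint and return_to it was issued for, and a once-only nonce so a replayed assertion is refused), and the local account is then keyed on the claimed identifier alone. The association secret, endpoint URLs, association handle and nonces are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed values: the secret the RP and OP share from an earlier association, the OP
# endpoint discovered for the identifier, and the RP's own callback URL.
MAC_KEY = b"constructed-association-secret-not-real"
OP_ENDPOINT = "https://example.com/openid/server"
RETURN_TO = "https://rp.example.net/openid/return"
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"}

def signed_kv(params):
    """Key-value form of the fields named in openid.signed (the data that gets signed)."""
    fields = params.get("openid.signed", "").split(",")
    return "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields).encode()

def sign_assertion(params, mac_key=MAC_KEY):
    """OP side: attach openid.sig, an HMAC-SHA256 over the signed fields."""
    mac = hmac.new(mac_key, signed_kv(params), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode()}

def verify_assertion(params, seen_nonces, mac_key=MAC_KEY):
    """RP side: return the verified claimed identifier, or None on any failure."""
    if not REQUIRED <= set(params.get("openid.signed", "").split(",")):
        return None                      # an unsigned field could be attacker-supplied
    try:
        sig = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except ValueError:
        return None
    expected = hmac.new(mac_key, signed_kv(params), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                      # not issued by the OP we share a key with
    if params["openid.op_endpoint"] != OP_ENDPOINT or params["openid.return_to"] != RETURN_TO:
        return None                      # issued by, or for, a different party
    if params["openid.response_nonce"] in seen_nonces:
        return None                      # replayed assertion (the "playback" case)
    seen_nonces.add(params["openid.response_nonce"])
    return params["openid.claimed_id"]

def demo():
    """Tuesday and Sunday sessions map to one local account; replay and tampering fail."""
    accounts, nonces = {}, set()
    base = {"openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
            "openid.assoc_handle": "assoc-constructed-1", "openid.claimed_id": "http://example.com/id/bkerley",
            "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id"}
    tuesday = sign_assertion({**base, "openid.response_nonce": "2007-03-13T10:00:00Zabc"})
    sunday = sign_assertion({**base, "openid.response_nonce": "2007-03-18T09:00:00Zxyz"})
    # The RP keys its account on the identifier alone; it learns no name or e-mail address.
    first = accounts.setdefault(verify_assertion(tuesday, nonces), "local-user-1")
    second = accounts.setdefault(verify_assertion(sunday, nonces), "local-user-2")
    tampered = {**sunday, "openid.claimed_id": "http://example.com/id/alice"}
    return first == second, verify_assertion(tuesday, nonces), verify_assertion(tampered, nonces)
```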

I couldn't agree more that OpenID's biggest challenge is in being understood. That's why I'm investing a ton of effort into explaining it to people. I don't think the OpenID community has found the right way to explain it yet, but that doesn't mean that they won't. Try explaining the Internet to people ten years ago.

[...] Criticism of OpenID (en) [...]

[...] the best things in life are free » Why OpenID will fail. AKA OpenID disinformation time. The likely reason OpenID will fail is not any shortcoming of its own, but that people don't know what OpenID is for or what it can do. This article was posted on Monday, March 12, 2007, filed under Article Collection. [...]

OpenID = Internet Identity ?...

fauigerzigerk

The only thing about OpenID that troubles me as a service provider is that users have to remember an entire URL instead of just their username. And if they don't have one yet (which is very likely at this time), they have to get one from an entirely different site. That's a lot to ask.

My idea would be that users who already have an OpenID and know the URL can just use it. Others who don't have one or don't know about OpenID can use the local website to create an account, which is automatically passed on to an affiliated OpenID provider. So in future, they can use their short username if they have an OpenID account with that affiliated provider, but they can also use their newly created OpenID with other websites if they like.

[...] by todd on March 11th, 2007 I just read a post by Scott Hadfield titled Why OpenID will fail. Now, his post title seems a little better crafted than mine to generate some interest and some [...]

[...] in two recent posts I got a little more reader feedback than I had thought. Figuring that only about 4 people [...]