OpenID
For some time now I have been using OpenID to log into some services that support it. I have come to a number of conclusions that I’d like to share with you, so here goes.
First conclusion
Signing up isn’t really that practical. Basically you add an extra step. The service will accept your OpenID and then ask you to sign up as if there hadn’t been an OpenID at all. You have to fully create your account, including username and password. Naturally your OpenID is connected to your account, but you could do it the other way around as well: sign up normally and add your OpenID later. No win…..
Second conclusion
OpenID supports sending data along to the service, like your username, e-mail address etc. That’s all very nice, but I haven’t found a service yet that actually uses that information instead of asking me for it. Also, I doubt (but haven’t confirmed) that if my information at my OpenID provider changes, the service would automatically update the information it stores. So: no joy, no data portability at all. No win…..
Third conclusion
Signing on with an OpenID isn’t that practical either. You enter your OpenID, get redirected to the OpenID service where you have to log on, so that you can be returned to the service you wanted to sign into in the first place. That’s a bit awkward. Now you might say that you could skip the sign-on at your OpenID provider by remaining signed on, but that’s not very secure and would not be advised from any place other than a very private computer…. So: No win….
Fourth conclusion
Since most users will reuse their logon credentials at multiple sites (which they shouldn’t, I know!), OpenID doesn’t actually solve their problem. Apart from that, if their OpenID account were to be hacked, all services would be open to the hacker. Do you really think that most users will accept mega-passwords for their OpenID services? They won’t, so it’s their pet’s name again….. No win…
Fifth conclusion
OpenID is not much more than a delegated sign-on trust between websites that in most cases unfortunately still relies on very basic and therefore not very secure authentication schemes. Although the idea is nice, and you could say it’s better than nothing, it’s just not really that good yet. It also isn’t the first attempt at something like this. How about Microsoft Passport or the Yahoo ID? I guess what’s needed is the actual use of multi-factor authentication with OpenID so this service actually adds security instead of just delegating it to another service… No win… Not yet…
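As an added illustration of the delegated trust this post describes (example code, not from the original post), here is what the relying party has to check when the provider sends the user back after the redirect from the third conclusion: an OpenID 2.0 positive assertion signed with the shared association key, carrying the SREG profile fields mentioned in the second conclusion. The provider, identifier, URLs, association key and nonce are constructed placeholders; a real relying party would do this through an OpenID library.

```python
import base64
import hashlib
import hmac

# Constructed association secret: in OpenID 2.0 the RP and the provider agree on this
# (HMAC-SHA256 association); the value here is a placeholder for the example only.
MAC_KEY = b"constructed-mac-key-for-this-example-only"
# Fields OpenID 2.0 requires to be covered by the signature of every positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def signature_base(fields):
    """Key-value signing string: 'name:value\\n' for each name in openid.signed, in order."""
    names = fields["openid.signed"].split(",")
    return "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()

def sign(fields, mac_key):
    """Base64 HMAC-SHA256 of the signing string, i.e. what the provider puts in openid.sig."""
    digest = hmac.new(mac_key, signature_base(fields), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def verify_assertion(fields, mac_key, expected_return_to, seen_nonces):
    """RP-side checks on a positive assertion; returns (ok, reason)."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(fields.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False, "required fields not signed"
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    # The SREG fields are listed in openid.signed, so tampering with them breaks this check too.
    if not hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:  # a replayed assertion must not log the user in twice
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"

def constructed_assertion():
    """A constructed id_res response carrying SREG data, signed with the example key."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",  # hypothetical provider
        "openid.claimed_id": "https://alice.example/", "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2008-01-01T00:00:00Zabc123", "openid.assoc_handle": "assoc-1",
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.nickname": "alice", "openid.sreg.email": "alice@example.org",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                         "assoc_handle,ns.sreg,sreg.nickname,sreg.email",
    }
    fields["openid.sig"] = sign(fields, MAC_KEY)
    return fields
```

Note that the signature only proves the provider vouched for these values at that moment; nothing here keeps the stored profile in sync later, which is the gap the second conclusion points at.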