
Answer Wiki

The intentions were good and the technology works well, but the customer’s experience in the early versions – having to enter a URL to identify oneself – was too difficult.
55 Answers
Davide 'Folletto' Casali, Design Director & Advisor
5.6k Views · Upvoted by Antone Johnson, Former VP and head of legal at eHarmony, legal executive at consumer Web companies since 2000, incl…
It's a tech-approached solution to a tech-self-imposed problem: the identification of the user.

Because identification isn't something I usually do. When I walk around, when I enter into a store, when I buy something, when I... live, nobody explicitly stops me for a few minutes asking my identity... with the exception of - wonder! - our self-imposed tech "solutions".

Exactly like logins.

Think that OpenID in the first years was "borrowing ideas" from how the passports are handled. Who thinks that the current passport system is a fantastic way to manage identities please raise a hand. ;)

Back to us.

While I agree on everything else in his comment, to me, this statement is bold, interesting... but wrong:

a problem that most people don't really have. - Yishan Wong

The problem *exists*. And it's huge. It's huge both for all the problems it triggers, for all the things it blocks and for all the implementation hurdles it hides.

Think about this: you can't build ANY service that needs identity if the service usefulness is smaller than the cost (mind and time) of the login process. We are just seeing a glimpse of it with the one-click logins created by Facebook and similar.

The solution?

We need to step back and understand why we are trying to do that, and that's about identification, not anything else. And identification happens between me and someone else, not through a mediating party (that is needed to provide security and safety, not for the identification process itself!).

I've been thinking a lot about this and that's one of the reasons I'd like to join the Mozilla team: the login system should be an API provided by the browser itself, with the possibility of choosing personal or work profiles (due to different usages of the same services) and even anonymous if you'd like to browse in safety. Because the browser is my "API" to interact with the web. 1Password and similar tools are trying to take a status-quo approach to this problem, but they aren't making the next step (probably just due to sheer share numbers).

The identification logic - logins, OpenID, certificates, etc - should move from the website to the browser.

With this solution, you will be able to just browse and use every service without - almost - even noticing that you've been authenticated. Of course, it needs to be designed and tested thoroughly, it's not as simple as saying it, but who if not Mozilla would be able to push out a feature like this?

I think it's game changing.
(see the part above in italic for the reason why)

I think that a group with this vision and the correct focus on technical issues, user experience, privacy and security is going to appear somewhere. Maybe inside the Chromium dev team, maybe inside the WebKit dev team, maybe inside the Firefox dev team, maybe inside the Microsoft dev team, maybe inside the Opera web team. Who knows.

~

This is the follow-up of this answer, if you'd like to get more in depth: http://intenseminimalism.com/201...
Allen Tom, I used to work on OpenID at Yahoo
4.3k Views · Upvoted by Antone Johnson, Former VP and head of legal at eHarmony, legal executive at consumer Web companies since 2000, incl…
OpenID has not been well productized - the UX was very poor, but has been getting much better after the larger players have gotten involved, and logging in with a URL is mostly a thing of the past.

Facebook Connect is proving the value of logging in with an established identity. From a purely technical perspective, OpenID can be deployed by other identity providers to implement the same functionality as Connect, but using open and interoperable standards.
Steven Walling, Product Manager at Quora
1.2k Views
OpenID is a great standard and addresses a real problem. What’s wrong with it is that the steps for any user to actually authenticate are confusing and time consuming, which presents a significant enough challenge as to negate the most obvious benefits of replacing single site logins.
Yishan Wong
12.1k Views
It boggles my mind that this is apparently a big question for techies and, to me, is a perfect example of the Silicon Valley mindset that doesn't understand how to build products that real people want to use.

The short answer is that OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.  That's what's "wrong" with it.

To answer the most immediate question of "isn't having to register and log into many sites a big problem that everyone has?," I will say this: No, it's not.  Regular normal people have a number of solutions to this problem.  Here are some of them:
  • use the same username/password for multiple sites
  • use their browser's ability to remember their password (enabled by default)
  • don't register for the new site
  • don't ever log in to the site
  • log in once, click "remember me"
  • click the back button on their browser and never come back to the site
  • maintain a list of user IDs and passwords in an offline document
These are all perfectly valid solutions that a regular user finds acceptable.  A nerd will wrinkle up his nose at these solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways.  On the security angle, no one is going to adopt a product to solve a problem they don't care about (or in many cases, even understand). 

Perhaps you say that as a site operator, you don't want people leaving due to registration/login friction so you have an incentive to promote OpenID.  Well, no - the solution to that is not to implement or support a new and cumbersome different login system (how does anyone ever conclude this?  People find your login system a source of friction, so the solution is to install a weirder one??),  it's to restructure your site so that people don't have to log in to use it.

The fact that anyone even expects that OpenID could possibly see any amount of adoption is mind-boggling to me.  Proponents are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.  This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else??  Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead??  Not only that, but in the cases where OpenID has been implemented without the third-party proxy login, the technical complexity behind what is going on in terms of credential exchange and delegation is so opaque that even extremely sophisticated users cannot easily understand it (I have literally had some of Silicon Valley's best engineers tell me this).  At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users.  Even Facebook Connect suffers from this problem - people think "Wait, I want to log into X, not Facebook..." and needs to overcome it by making the brand and purpose of what that "Connect with Facebook" button ubiquitous in order to overcome the confusion. 

In return, OpenID offers the following purported benefits:
  • Own your own identity.  Supposedly, OpenID makes it so that you can own your own registration/login information rather than submitting it to the ownership of websites.  It turns out that this is not a problem that any normal user cares about, as evidenced by the years of successful websites on the internet where people have willingly signed up and submitted their personal information to.  No one cares about this.
  • Makes logins easier.  In this, OpenID already fails the "is it better than the second-best alternative" test for people who actually do want easier login experiences.  There is an existing alternative for people who want to optimize their login experience at the expense of security and everything else.  It's called "let your browser remember this password" or "click 'remember me.'"  Anyone who is willing to do that isn't going to find an OpenID login easier; it's harder.
Both of these "advantages" then turn out to be non-existent for the vast majority of internet users and even for many sophisticated web users.  They are certainly non-existent for the addressable population that OpenID hopes to acquire as users.

OpenID simply stands no chance.  It is like saying to people, "Hey, I notice you have a lot of keys on your keyring.  Wouldn't it be more convenient if you could unify them all so you wouldn't have to carry all those keys?  (sounding pretty okay here so far...)  All right, here, instead of using those keys, you should take this extremely convoluted and foreign-looking mobile phone, into which you have to insert all of your keys, type in a special password, and then oh, well, it works on most locks but not all of them, so you'll only be able to replace some of your keys with it, so now you should carry this new weird mobile phone on your keyring too.  Also, it doesn't work as a phone.  And it has other companies' brand names printed all over it.  And it calls one of those companies whenever you use it." 

OpenID is not flawed in some minor product way that requires just a few tweaks, it is so massively flawed (perhaps in its very conception) that anyone in their right mind would immediately know that it could never possibly be successful, the very notion that there's merely "something wrong" with it is a Joseph Goebbels -"Big Lie"-style question wherein the nerds who came up with it have somehow been brainwashed into thinking that it could somehow ever be a viable thing that real people would want to adopt.

OpenID is not taking over the world because it's pretty much the exact opposite of a good product.
Peter Clark, growth @ adroll
7.6k Views · Upvoted by Adam D'Angelo, Quora CEO
You log in with a URL. This blows every user's mind.

As per Charlie Cheever's comment inline (he's totally right), some services have implemented a graphical login (meaning you simply click your OpenID provider) but this doesn't necessarily correlate with what a user expects. For example, on Stack Exchange it asks you to "click your OpenID account provider". Most users have no idea what this means. "So I log in with my Google account - but, I want to sign up. I don't want to login to Google."

So, I'd argue the user experience of OpenID is not mature enough for most web users.