One OpenID to Rule Them All...or Not?

Decentralised online identification system OpenID can log you into thousands of social networking sites (and counting) using a single username and password. OpenID asserts who you are by proving you own a URL—not an email address, not a password, not your mother's maiden name, just a URL that must be confirmed by both the accepting site and the OpenID host. No more filling out web site registration forms! Now that sounds wonderful to those of us sick of tracking the login details for all the web services we use. However, while OpenID is terrific in theory, its real-world usage still has a way to go. Let's take a look at some of the pros and cons of OpenID.

OpenID Pros

Identity management: If you're looking to build a strong online identity, OpenID makes your social networks easier to manage. Instead of having multiple usernames and passwords for various sites, you only have one. To see all the sites where OpenID is currently accepted, check out the OpenID Directory. Following that train of thought, if you're trying to build a good online reputation, OpenID is potentially a godsend for tearing down walled gardens and making more than one social network easier to access—you just leap from one network to another using your OpenID URL. Think of it as the BugMeNot for social networks.

Security: As far as security goes, it's much easier to manage only one username and password rather than 45, right? So you could change your OpenID host password periodically just to keep things more secure. You're also allowed to create more than one OpenID persona, so you could enact differing levels of security depending on what you're accessing.

Decentralisation: OpenID is decentralised, which means everyone's OpenID data isn't stored in one place or managed by one entity or company. Unlike other identity management systems, like Microsoft's Passport (now Live ID) and Six Apart's Typekey, you have a choice of OpenID providers and can even set it up on your very own web site. (Here's a tutorial on how to do that.)

In a nutshell, OpenID is a convenient way to manage your online identity across sites with a single username and password.

OpenID Cons

User profiling: If you're concerned about what you use on the web being tracked in any way, shape, or form, you may want to stay away from OpenID... but then again, you'll want to stay away from Google, Yahoo, or any other service that traces your user activity. OpenID gave me pause because there's the possibility of so many different networks and sites being compromised and tracked at once if your OpenID is cracked by an unscrupulous user. What we're looking at here is potentially a big problem, especially if your OpenID is linked to dozens or even hundreds of sites—especially since OpenID is accepted at something like 5,000 sites now. None of these sites is what you would call a "secure" site, i.e., anything that uses https:// or holds any kind of really sensitive (read: financial) information. OpenID makes it simple to track a user's movements once an identity is revealed, even more so than multiple identities scattered across the web, which is what most of us have right now—multiple, unlinked accounts make anonymity easier to accomplish.

Security concerns: OpenID logins work by redirecting you to the OpenID hosting provider and having you enter your single username and password there. This means that potentially, an evil operator could set up a phishing site in that redirect which collects your login information. If they do, due to the nature of OpenID, they've got the keys to all the sites you OpenID into. For an excellent discussion of OpenID security concerns like this one, check out The Identity Corner's article on The problem(s) with OpenID.

Usability issues: For the average user, OpenID is still too confusing to create and use. Just finding the signup page to create your own OpenID is quite the feat, and the process of actually using it at a site that professes to accept it is clunky and difficult. For example, how does a new user choose an OpenID provider? There are many, and the OpenID signup is difficult to find on most of them. If you go to Live Journal's home page, you won't find an OpenID signup. If you go to Yahoo's home page, you won't find an OpenID signup... and so on. It's pretty buried. The only way I was able to find it on Live Journal was to google "openid livejournal". You can't sign up for an OpenID from within these services; in fact, if you enter a wrong URL ID you'll just get a cryptic error message such as this one:

Error:One or more errors occurred processing your request. Please go back, correct the necessary information, and submit your data again.

This error message is pretty useless, with no way to create an OpenID offered anywhere in sight. However, this doesn't mean that OpenID isn't working right—quite the contrary, because OpenID is not an account. According to the folks behind OpenID, it is also NOT a trust system, because trust requires verification of identity. All you're doing with an OpenID URL is telling the site that you have the ability to prove ownership of that particular URL. It's not a Live Journal account, it's not a Yahoo account—it's just an alternative to starting an account at any of these sites, a name and password substitute. Which makes it somewhat handy, actually, if you can get it to work.
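To make the "prove you own a URL" idea concrete, and to show what the accepting site (the relying party) is supposed to check before it trusts a login that came back through the provider redirect described under "Security concerns", here is an added example that is not part of the original article or of any OpenID library. It walks through the three relying-party steps of OpenID 2.0: HTML-based discovery of the provider endpoint from the user's URL, building the `checkid_setup` redirect, and verifying the signed positive assertion that the provider sends back. All URLs (`alice.example`, `op.example`, `rp.example`) and the shared secret are constructed for the example, and the association is assumed to use HMAC-SHA256. The verifier insists that the provider endpoint in the assertion is the one discovery found for the claimed URL, rejects replayed nonces, and checks the signature with a constant-time comparison, so a third party cannot assert ownership of a URL its own provider was never declared for.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample data for the example (not real sites or secrets).
CLAIMED_ID = "https://alice.example/"
OP_ENDPOINT = "https://op.example/auth"
RP_RETURN_TO = "https://rp.example/openid/return"
SECRET = b"constructed-association-secret"   # shared RP/OP association key
SAMPLE_PROFILE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example/auth">
<link rel="openid2.local_id" href="https://op.example/id/alice">
</head><body>Alice's home page</body></html>"""


class _LinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs from the claimed URL's HTML."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for rel in a["rel"].split():
                    self.links[rel] = a["href"]


def discover(html):
    """HTML-based discovery: (provider endpoint, provider-local id or None)."""
    p = _LinkParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if not endpoint:
        raise ValueError("no openid2.provider link on the claimed URL")
    return endpoint, p.links.get("openid2.local_id")


def build_checkid_setup_url(op_endpoint, claimed_id, local_id, return_to, assoc_handle):
    """The redirect the relying party sends the browser to (step 1 of the login)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": return_to,
        "openid.assoc_handle": assoc_handle,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def sign_kv(secret, fields, params):
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()


def make_sample_assertion(secret, claimed_id, local_id, op_endpoint, return_to, nonce, handle):
    """What a well-behaved provider sends back; used here only to build test input."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign_kv(secret, params["openid.signed"].split(","), params)
    return params


def verify_positive_assertion(params, secret, discovered_endpoint, expected_return_to, seen_nonces):
    """Relying-party checks on the redirect back. Returns (ok, claimed_id or reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    fields = params.get("openid.signed", "").split(",")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(fields):
        return False, "required fields not covered by signature"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    # The endpoint must be the one discovery found for the claimed URL, so an
    # unrelated provider cannot vouch for someone else's identifier.
    if params.get("openid.op_endpoint") != discovered_endpoint:
        return False, "op_endpoint does not match discovery"
    nonce = params.get("openid.response_nonce")
    if nonce in seen_nonces:
        return False, "replayed nonce"
    if not hmac.compare_digest(sign_kv(secret, fields, params), params.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]
```

Nothing in this flow ever gives the relying party the user's password; it only learns that the declared provider was willing to sign for that URL, which is exactly why the provider's own login page is the one place worth protecting.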

Back to creating your own OpenID: in short, it couldn't be LESS user-friendly. If you go to the OpenID home page, all you get is a bunch of techno-babble. Way down on the right hand side is a link to I Want My OpenID, which sounds promising until you actually go there. It was sheer luck that I was able to find my way to creating an OpenID, and that's probably just poor marketing/navigation, but dang. THIS is the correct signup page, but you don't find this URL in any official documentation that I could find.

Reliability (or lack thereof): Even though sites may say they accept OpenID, using it can be hit and miss. Out of the five sites that I tested this on (Moodstr, Simpy, Issues Done, Vote Monkey, and Treedolist), this is what happened: Moodstr would not recognise me at all no matter what. Simpy recognised my OpenID, but still required me to open a Simpy account just to look around—the OpenID passport was pretty much ignored. Issues Done liked my OpenID, but then redirected me to a page where my email was required to keep going. Vote Monkey was successful, as well as Treedolist—I was able to dive right in.

OpenID advocate Simon Willison explains why this happened:

Most web application signup processes work something like this:

  • Bob selects a username
  • Bob enters a password, twice
  • Bob enters his e-mail address
  • Bob clicks a validation link in an e-mail sent to that address

Some sites throw a CAPTCHA in there for good measure. OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID into an existing account system) and you'll almost certainly want them to jump through the e-mail and/or CAPTCHA steps. In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.

Identity theft: How do you prevent false identities from being registered? You don't. Anyone could register as you and create quite a bit of havoc if they really wanted to—possibly wrecking an online reputation that could take a lot of effort to rebuild.

Online identity management experts are usually united on this one principle: if you're not using a variety of thoughtfully crafted user names and passwords online, you're not doing a good job of protecting yourself. OpenID aims to make this process more intuitive and secure, but at this point, there are too many unanswered questions to make it a truly secure identity management system.

What you can do with it right now (and what we wish we could do with it)

OpenID is a double-edged sword. I use it, but only for stuff I don't mind getting cracked (I don't think my stash of unicorn pics is interesting to anyone but me). It's a great shortcut for blog comments, as well—no more having to create a TypeKey account just to make your voice heard.

Then again, it's irritating to do everything twice. On many sites that support OpenID, you can't just sign in with your OpenID and start using it—you still have to add additional details about yourself, like an email address, a user name and password. There are also security and usability issues that need to be fully addressed before OpenID can be really embraced by the general online public. It's a great idea—in theory—but I'll take security over convenience any old day.

Quick footnote: Here are two video presentations about OpenID that are recommended viewing for anyone wanting to learn more about it. First, a Google Tech Talk titled "The Implications of OpenID". Secondly, a quick OpenID security writeup.

Wendy Boswell, Lifehacker US's Weekend Editor, likes kittens better than unicorns.



I've been using for a few months now and found it easy to create my open id and link it to all the sites I use it on.
