What is this OpenID Everyone Speaks Of? - Mona Nomura

FriendFeed is the easiest way to share online. Learn more »

What is this OpenID Everyone Speaks Of? - http://pixelbits.wordpress.com/2008...

December 4, 2008 from Pixel Bits - Comment - Like - Share

Varun Mahajan, David, Sam and 30 other people liked this

I hate OpenID. Password managers contradict all of OpenID's advantages. - Larry Hudson

Maybe I'm stupid. But I just don't get it. - Mona Nomura from IM

It's meant to make life easier but all it does is make life harder, not to mention limiting some of our accounts on services. - Andrew Trinh

Limiting? Explain, please. - Mona Nomura from IM

I get it...but I don't. - Adriana

I like the idea of OpenID, unfortunately the lackluster adoption of consumers of OpenID makes it pretty much meaningless. I run a provider on my domain so I can login as mernisse@ub3rgeek.net but the only place I've ever gotten it to work was livejournal... - matthew john ernisse

Ok. I see Open ID everywhere. I know what it is, but I never use it. - Ian May

Adoption of consumers? Tell me WHY consumers should care? It's not like the project is partnered with merchants (ebay, paypal, banks, etc.). HOW is this relevant to us? Everyday people - consumers? - Mona Nomura from IM

Logging in without passwords doesn't sound good to you? - Nathan Howell

Password managers? My browsers already come with it and there are tons of free programs. Why should I take the time to figure out how to claim my OpenID? - Mona Nomura from IM

My password manager on Firefox (sxipper) is pretty sweet but it doesn't help me when I'm not in Firefox or not on my primary computer. - Daniel J. Pritchett

This is the most rational discussion of OpenID I've ever seen. - Dave Winer

Links put in blog comments which are supposed to point back to other blogs which cite / quote the current blog. The spam is when the links lead to something which is completely non-relevant and "Spammy". - Robert Miller

Daniel et al, thank you. I'm deleting the comments pertaining to trackback spam so we can get back to the OpenID discussion. I see a lot of advocates on FF - where are they? - Mona Nomura from IM

Not having another copy of your password on every site's database is one good reason. - Rodfather

Here's a great video that explains OpenId, with music and animation. http://bit.ly/fljz - Dave Winer

Good point by Rob - if you use the same password for everything (come on, who doesn't?) then you're wide open the first time someone cracks the user database at any one site you visit. - Daniel J. Pritchett

And that is a very, very good thing. - Robert Miller

I like how sites like http://hypetape.com/ use Google Accounts login for their site. - Larry Hudson

Right now there is no reason to care about OpenID. Everyone is hopping on the provider bandwagon, but no one is hopping on the consumer bandwagon. Until you can actually login to things with it, it's kinda meaningless. I think the biggest advantage is that my authentication credentials are NEVER transmitted to anyplace other than the OpenID provider. So if the consumer site gets hacked (say livejournal), they can't steal my username or password. This is a moot point until you can USE the thing places. - matthew john ernisse

Google account logins are almost as useful as OpenID, just less idealistic. Zoho gets brilliance points for accepting both Google and Yahoo logins. That's only like 99% of the internet! - Daniel J. Pritchett

Yes, there are definitely too many providers and not enough consumers right now. It is still early for OpenID... it's just getting started. - Nathan Howell

I have used my OpenID account several places; just not all over. Then again, not using the same access all over seems like a good thing; in a twisted way. - Robert Miller

Hehe, OpenID is like 4 years old :) Sadly I'm not sure if it'll ever catch on enough, especially with Facebook and Google trying to roll their own. - matthew john ernisse

IMO the implementation of OID has been pretty clunky. It's a great idea in principle but when it's implemented it seems heavy and out of place. - Threepwood

Everyone's talking about info stored in respective databases but what about Amazon? PayPal? Ebay? etc., etc. Why should we start caring NOW? - Mona Nomura from IM

Toss in Bank accounts and Utility accounts. - Robert Miller

I haven't bothered to find about OpenID either. So, if OpenID gets hacked, what happens? - Rishabh Mishra (p248)

People have always died of diseases. Why should we start caring NOW? ;-) Progress has to start sometime. - Nathan Howell

Eventually, we'll end up with an embedded chip that will replace all logins, passport, driver's license, social security number, credit/debit cards, door locks, and ya.. - Rodfather

What was wrong with Microsoft's Passport? - Andrew Smith

Where will the chip be embedded -- in your ass? - Dave Winer

The idea is supposed to be that a higher-level of security surrounds the OID account. I get a verification phone call each time a login is done against my account. - Robert Miller

Passport was controlled by one company. OpenId is distributed among many. - Nathan Howell

I think I will pass on the embedded chip. - Robert Miller

MSFT's Pass FAIL was due to timing and their popularity, imho. Dave: LOL!! @Nathan: Point taken. - Mona Nomura

Very true. No one company owns the OpenId data. - Robert Miller

You have to have something between the ears; though I imagine it would be toss-up between that and the ass. - Robert Miller

OpenID is just a standard for authentication. If your OpenID provider gets hacked your exposure is most likely the same as if your individual account(s) got hacked. This is assuming that they store your password in a readable format. - matthew john ernisse

Well it's unintuitive for one. We (end users) are already becoming lazy and spoiled. The hunting and pecking just to claim your OpenID is tedious. - Mona Nomura

http://MyOpenId.com? No hunting, no pecking. - Robert Miller

So it seems a lot are in agreement that in theory, OpenID is "good" but in practice, it's like a chip getting stuck in our ass? - Mona Nomura

I do not completely agree with that as you can choose to use an OpenId or not, generally. - Robert Miller

I agree that OpenID needs some work, but I think unintuitive is probably the wrong word for it. My grandparents sure don't find the name/password mechanism intuitive. - Nathan Howell

@Mona Of course it's hard and unintuitive. This is a really stinking hard problem to solve and this is the best we've come up with so far. It is even a problem that most people don't even know (or care) exists. And to be fair, claiming your OpenID is stupid easy. You said you already have like 7. USING your OpenID is what is hard and what needs to be made better. - matthew john ernisse

Matthew: I agree, wholeheartedly, with your last sentence, "USING your OpenID is what is hard and what needs to be made better." - Robert Miller

matthew: Then I must be stupid, since I can not figure out HOW to claim it for the life of me. I click, then jump to another site, click again, get taken back to another site, click again... where is the end to the madness? And why would it benefit me *now*? - Mona Nomura from IM

@Mona you're not stupid. This is the problem with OpenID. Getting an ID is easy as cake, tons of sites provide them. Very few sites use them for anything useful. Which is exactly why it isn't useful for *anyone* now. - matthew john ernisse

Believe it or not, that is part of the claiming process; sort of like using PayPal to purchase something. - Robert Miller

So I keep clicking until I reach the end...? How would I explain this to real life friends of mine who are not technologically savvy and only use, say - Facebook and or Myspace? - Mona Nomura from IM

I don't mean to sound so difficult, I'm just trying to figure out a way to correlate relevance to every day people. Trust me, the more I learn about information, privacy, and various partnerships, I *want* to back OpenID. - Mona Nomura from IM

Mona, this is a pretty cool article about OpenId's pros and cons: http://blogs.atlassian.com/develop... - Shevonne

That is the clunkiness. It sucks right now. This will change as more companies who joined OpenId in the last year start to incorporate it as part of their offering. It will get better, evolve, or go away. Based on the member companies in the organization, I think it will have to evolve -- Something about having MS and Google involved tends to cause that. - Robert Miller

OpenID probably isn't useful to most people at this point. Most everybody already has at least one, but there aren't enough places to use it. - Nathan Howell

But will it be too late before Salesforce and Facebook roll out their enterprise partnership plans? As retarded as this may sound, my sudden interest is 90% due to them... I want to make sure all my non tech friends on Facebook understand teh stipulations and I need to find a way to explain it to them so they will understand. @Shevonne - thanks for the article, dude! - Mona Nomura from IM

I like Robert's PayPal analogy. Instead of buying something with the "Pay with your PayPal account" process, you sign up and log in to a site with the "Join using your Yahoo account" process. (Replace Yahoo with other OpenID providers as desired.) - Daniel J. Pritchett

I dunno if there is anyway to explain it. The problem is that trusting an anonymous 3rd party with the task of proving a user is who they say they are is hard, and so the process is ugly and painful. Password managers and such make not using OpenID so easy, even though they lead to the type of poor password practices that enable identity theft. That is a hard concept to sell to people. - matthew john ernisse

Nice article Shevonne. - Robert Miller

@Robert Thanks! I thought so too. - Shevonne

Good point Matthew - using weak password practices is really easy. Too bad we can't outlaw passwords, forcing everyone to use OpenID or something ;) - Daniel J. Pritchett

Mathews other part of that point was not just the bad password practices, but the password manager is only on the one computer. It takes a manual effort to load the password(s) on another computer and that just increases your exposure. Then again, I do not allow my browsers to hold my passwords. - Robert Miller

I use OpenID on my Laconica accounts, my Zooomr account, and my Slicehost. I wish I could use it everywhere, there is no reason to not support OpenID, just laziness and that excuse is wearing thin. - Bjorn Stromberg

Considering Facebook's propensity to ban accounts, I would have an issue with them serving OpenId accounts, but, obviously, not using as a client. - Robert Miller

I think OpenID is languishing in chicken-and-egg land. No site(s) supported using it because no trustworthy site(s) provided OIDs. Conversely no site(s) provided it because no site(s) were using it. Maybe now that more site(s) are providing OpenIDs, it will finally start to push site(s) to use it. - matthew john ernisse

Bjorn: Laconica is already over my head. I don't have an army like Leo to set up my own server on a micro-blogging site LOL - Mona Nomura from IM

Laconica is similar to OpenID in that you only need an account on one service to participate on all the other services. You just pick the server you like (for whatever reason) and away you go. - Bjorn Stromberg

When I first built Cullect.com - it only used OpenID. Now it supports 10 additional authentication services - and OpenID is the biggest challenge to support. - Garrick Van Buren

And that is the hurdle OpenId has to overcome. - Robert Miller

Garrick: I looked at Cullect and there's only three authentication services you have that don't ask for a username and password: OpenID, FriendFeed, and BackPack. Impersonation is not an acceptable alternative. Users shouldn't have to give away the keys to their kingdom to use your service. - Bjorn Stromberg

Here's an interesting article on making OpenID more usable: http://radar.oreilly.com/2008... - Nathan Howell

Nathan - thank you. THIS is why I love FriendFeed so much. Good, insightful discussions from all views. Will definitely be doing a follow-up post. Thanks, everyone! - Mona Nomura

"Relevance to every-day people"? Yawn. That old thing again. I stopped caring about that a long time ago. OpenID makes my life easier. If you are happy doing things inefficiently, feel free. I'll be able to put my feet up while you are doing all the stuff that takes me no time at all. I use OpenID for the same reason I use a command line rather than Windows, vim rather than Word - a bit of extra geekiness means a lot less work later on. - Tom Morris

Clickpass FTW! Sign up for my site using Clickpass and tell me the benefits aren't obvious. Look for the "Alternative registration/login" button below the regular login form: https://ourdoings.com/person... - Bruce Lewis from fftogo

I just DO NOT like OpenID. Good idea, poor implementation. - ‘-.-’ Tutivillus Grift

I use OpenID whenever I can. This meme of it's too hard and not understanding what problem it solves is kinda funny to me, especially coming from early adopters types. OpenID also shouldn't be looked at as a solution all by itself; if you think about it as part of a suite of solutions (with OAuth and Portable Contacts)--that helps. - Albert Willis

OpenID is a way to prove you own a URL. On it's own, that is not much of an improvement over entering your email and password on a site (except that they then can't spam you). However, URLs are places that sites can get more information - they can discover a feed, discover a profile that you want to share, discover an API to your contacts list and so on, saving you from having to re-enter all that stuff in every new site that can be made more useful by having them. That is the promise of OpenID. - Kevin Marks

OpenID has only two reasons for being 1. To control what you buy, or 2. to determine what you will buy so they can guide you to it. Same old users tracking these companies have been doing from the conception of the internet as we know it today. - John D Reasor

What does that mean? (control what you buy) - Mona Nomura from IM

I have to admit I was wondering that myself and figured I had just plain missed something. - Robert Miller

Maybe John is saying that many companies want to be OpenID providers so that they can track your usage of other sites, thus gathering data for targeted marketing. - Bruce Lewis

On the three or four sites I use that support OpenID, it has been awesome. From an end-user's point of view, the primary advantage of OpenID is that you've got one place for your avatar, your signatures, your contact info, and your user profile. Change it there, and it gets updated on all your website memberships. It solves a major password security problem, and the problem of managing your identity online in one punch. - Eric Hamilton

I don't even know why I'm posting in this, nobody'll read down this far. But people keep mentioning they want to CLAIM their OpenID. You do know you can claim them with claimid.com, and you can put ALL of them (flickr, yahoo, wordpress, etc) into that one claim? It might help you claim them, but I don't know if it'll help you use them. - Tom

So how does the authentication process work? Thanks for the info btw, good to know. (and yes, I read this far... IM notifications ftw!) - Mona Nomura from IM

type yahoo.com into the box. That's all I know ;-) - Duncan Riley

Tom, I don't think that's what ClaimID does. They give you an OpenID and a page that you can build a profile on. Part of that profile could be listing other OpenIDs you have, but it's not combining them. I don't know where the stuff about "claiming" OpenIDs is coming from. It's not really part of the process. - Nathan Howell

There's a video on this page that might help with understanding OpenID: http://openidexplained.com/use It's a couple of years old, but stlll good. The first few minutes show the process of using an OpenId in different situations. - Nathan Howell

@JohnDReasor: You know that they can track you based on your email address too, right? So, what's your point? - Chris Messina

OpenID provides a protocol between app providers and authenticators so that users have freedom in picking an authenticator. This means users can pick one based on their need for security. This would avoid scenarios like the recent Twitter debacle. BHO would have picked a secure provider. - Aswath

So if Twitter was an OpenID provider, that would've prevented this phising debacle? - Mona Nomura from IM

No, it would not. It just means it's a insecure password hosted elsewhere. - Jauder Ho

Nathan, good video! I've been accepting OpenID on billso.com, and it's working well so far. Still waiting to see what Facebook and Google each have planned for federated IDs. - Bill Sodeman

I was asking Aswath, Jauder :) - Mona Nomura from IM

Mona, :P . In any case, having a weak password still means that it can still be easily attacked, regardless of where it is hosted. That is until we get rid of the username/password pattern which I do not see happening anytime soon. The "promise" of OpenID being able to transfer profile information has only been used on a very limited basis, partly due to the problem of data mapping (does name on A mean fullname on B?). Mostly, I have just seen OpenID used just for auth with the prior problems mentioned. - Jauder Ho

I find FriendFeed harder to explain than OpenID - Bwana ☠

OpenID allows users to select their own provider.So we do not have to go with Twitter's OID. One can go with another provider that uses a different auth scheme. For example Vidoop does not use the traditional password scheme. - Aswath

I really like OpenID. Especially in combination with the Firefox addon "Verisign's OpenID SeatBelt". - Peter