Slashdot Mirror
OpenID Fan Club Is Shrinking
A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...
Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password. No OpenID required, just the Mac Keychain.
Currently hooked on AMP
I am not a user so YMMV, but I personally don't like all my eggs in one basket. I use different logins and passwords on most of the sites I visit. I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site. Centralized is great for some things, but I simply don't trust any company to be as tight with their security as I am with my own. To them a breach is a "whoops, sorry!" to me it could be personally and financially devastating.
Do you see OpenID anywhere on the front page to Facebook?
There's your problem, people don't know that OpenID even exists.
The popular library for PHP is poorly documented. The API has each function documented (phpdoc), but nothing to actually get you started using the API. When we needed to do something other than the rudimentary sample code, it turned into a huge hassle. The API seems far more complicated than it needs to be.
Developers aren't going to adopt it much if they have to keep re-implementing the standard from scratch. OpenID needs to publish a well documented API for each popular language that might need it. That'll get the ball rolling faster.
Developers: We can use your help.
It might also have to do with the fact, that OpenID was never supposed to be a general login system. At its bones, it's a homepage/URL verification protocol for the blogging community. And it's constrained to that, because URLs (no matter how shortened) are not *common*-user-friendly.
How is it more work to enter your username and password on one page instead of another?
Developers: We can use your help.
Yes, but the difference is that Passport has worked reliably for years and years now... 10 years, if I'm remembering correctly... and I've yet to flawlessly log in to anything using OpenID even once.
I have to admit, that after typing that post I went back to StackOverflow and they've actually fixed their faulty instructions for how to enter Yahoo IDs. (It used to read: my.yahoo.com/username which never worked, AFAIK. Now it just says to use www.yahoo.com and have Yahoo ask your username, which does appear to work.)
But look at it this way, availability-wise:
If you use OpenID with a delegate, you're dependent on your own web server working, at least one of your OpenID providers working, and StackOverflow working.
If you use OpenID with no delegate, you're dependent on your OpenID provider working, and StackOverflow working.
If they use Passport, they're dependent on Passport.com and StackOverflow.com both being working.
If StackOverflow had their own login, you only have one dependency: itself. Clearly this is the best option if you want to optimize for availability.
And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology. OpenID is too crappy to succeed on its own merits, so now we have website "activists" trying to force its use... that's crummy.
Comment of the year
That is half the problem. It isn't an intuitive way of logging into a website. Since the days of timeshare computers, people understand "username / password". Nobody understands "URL => ????".
If you were to ask me to write the OpenID obituary, the biggest reason the protocol failed was the decision to use a URL instead of an email address. Every other failure was secondary to that one.
Effort was never the issue. The issues are:
a) Selfishness. Too many sites allow you to use their database to log into others, but not use others to log into theirs. Seems the big players want to be the ones owning your data, just like MS tried to own logins with its system... whatever that was called.
b) What does OpenID actually gain you? You still have to enter login details. It's just a URL instead of a username. Others have said this above too, but what's needed is something like a wallet: infocard or a keyring manager, which keeps track of all your details on your machine, and extends your single desktop sign-on to websites, so you don't need to log in at all. Most of this tech is available and implemented, with firefox's password memory, and desktops' wallets. Unfortunately, again, people are competing to control this, instead of focusing on an open system. An open, Infocard system for GNOME/KDE and other desktops (all equally supported and native), which presents web logins as "Here's your wallet. Select which ID card you want this site to use" would nail this problem easily.
The Magic URL (which is magic, actually) *IS THE USERNAME AND PASSWORD*. That is the whole point of OpenID. A website leaves the username/password business to some other guy and just trusts the protocol to make sure the Magic-URL is legit.
If you've hacked RMS's OpenID account, you can just go to any OpenID site, even if he never visited it before, and start impersonating him. That is the "benefit" of OpenID! Most of the OpenID authenticated sites out there dont have a concept of "sign up", you just go to the site, plug in your Magic URL and start doing shit. There is no email confirmation step on those site, and if there was, it would kinda defeat the whole purpose of OpenID in the first place.
And if I'm wrong in my interpretation of this, please send me to a URL that actually explains how the damn thing works. Nobody gets it and if the OpenID guys can't explain it clearly, they probably dont get it either.
Lets say I've hacked your OpenID account. Now I can go visit sites like StackOverflow and post as you. Since they dont require email verification when you "sign-up", it doesn't matter if you had an existing account with them before I hacked you. I can go anywere that takes OpenID and "silently" impersonate you regardless of if you used the website before. No email verification means you'd probably never know it either. Well.. until you google "AvitarX" and find yourself posting horse porn on some OpenID site.
Are you talking gmail, or a corporate email account? If you have an email provider you can pick up a phone and call, these kinds of attacks don't exist. Sure they compromise your account, but you just call IT and have them un-compromise it.
Which actually says to me only a fool would register his OpenID account under a email account where you *can't* call the provider. If you bind your "mega-important OpenID account" to bob@gmail.com, you are gonna get screwed if the email account is compromised.
That's like asking "why should I trust HTTP to authenticate my users?". You're confusing the protocol with the sites that use that protocol. "OpenID" isn't authenticating your users, their providers are.
The same way you can be sure that any given one of your non-OpenID users hasn't been compromised when they log in the old-fashioned way: not at all.
I don't know, but it's got to be less than when you are the one who owns the authentication mechanism that got compromised. Either the user fucked up or their OpenID provider did; you literally can't be at fault for the breakin.
"User", I guess? I don't think there really is an OpenID parlance, at least not for this.
Of course their account is with you. You're still (presumably) requesting and storing the same information as before, and doing the same things with that information.
What the fuck is the "Read the rest of this comment..." link for if Slashdot already displays the whole goddamn 65 KB troll? That's 435 lines at 150 characters each.
Yeah, and how is he supposed to decrypt it, in his head? I'm assuming of course, that he's not Bruce Schneier.
I'm surprised that /. geeks actually use specific tools to manage their passwords, when it's so much simpler and quicker with a couple of shell micro-scripts.
Shell scripts are harder to use if you have to cut-and-paste between them and the browser.
You provided a windows batch file as an example... on that terminal, you have to open the console menu and first select mark, then draw a block around the text, and copy the text to the clipboard.
The browser's built-in manager is very easy to use, and as such, is used the most frequently. If that starts to fail or strain, you then switch to the other tools, such as keeping a plaintext file or building a greasemonkey script.