Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenID Fan Club Is Shrinking

Posted by timothy on from the and-watch-that-basket-carefully dept.

A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...

18 of 333 comments (clear)

  1. Local software solution instead by wealthychef · · Score: 4, Insightful

    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password. No OpenID required, just the Mac Keychain.

    --
    Currently hooked on AMP
    1. Re:Local software solution instead by DMUTPeregrine · · Score: 5, Informative

      KeePass Password Safe is open source, and quite portable. I keep my database on a USB key, which is on my keychain. Anywhere I go I have my passwords AND the executables.

      --
      Not a sentence!
    2. Re:Local software solution instead by Just+Some+Guy · · Score: 5, Insightful

      Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for windows) that secures my passwords in once place and protects them with a single master password.

      Rather than trust an external site with my security, I use OpenID on my home server that secures my single password in one place and never distributes any of my login information to other servers.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Local software solution instead by davester666 · · Score: 5, Insightful

      It's because everybody wants to be a provider (so they get all your valuable information from you, as well as your surfing habits from other web sites that use OpenID when you sign on using your ID), but pretty much nobody wants to just accept an OpenID login (as they wind up just sending valuable information to another company with no direct benefit to themselves [and they could care less about the customer's convenience]).

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:Local software solution instead by Sancho · · Score: 5, Insightful

      Frankly, I don't trust other computers. I try my best not to log on to online services when I'm not using a trusted computer.

      I'm sure as hell not going to plug a USB drive with my password database into an untrusted computer.

    5. Re:Local software solution instead by GooberToo · · Score: 5, Insightful

      And this is exactly why OpenID never caught on. You implemented it the only way it makes sense. For the vast majority of people this is too much. For companies requiring a login, they garner no information about who is visiting their site so they have no incentive.

      The combination of the two means no one wants to accept OpenID and it is too painful to truly use securely. Whereby securely means, no user information released.

  2. Re:my fp list is growing! by sgbett · · Score: 5, Funny

    I would have beat you if I could have remembered my login details...

    --
    Invaders must die
  3. a site that uses nothing but OpenID by marhar · · Score: 5, Interesting

    Stack overflow took an interesting approach, and only uses OpenID. They don't even have a non-OpenID option. Proprietor Jeff Atwood discusses some of the tradeoff at his blog.

    1. Re:a site that uses nothing but OpenID by Blakey+Rat · · Score: 4, Insightful

      Yes, but the difference is that Passport has worked reliably for years and years now... 10 years, if I'm remembering correctly... and I've yet to flawlessly log in to anything using OpenID even once.

      I have to admit, that after typing that post I went back to StackOverflow and they've actually fixed their faulty instructions for how to enter Yahoo IDs. (It used to read: my.yahoo.com/username which never worked, AFAIK. Now it just says to use www.yahoo.com and have Yahoo ask your username, which does appear to work.)

      But look at it this way, availability-wise:

      If you use OpenID with a delegate, you're dependent on your own web server working, at least one of your OpenID providers working, and StackOverflow working.
      If you use OpenID with no delegate, you're dependent on your OpenID provider working, and StackOverflow working.
      If they use Passport, they're dependent on Passport.com and StackOverflow.com both being working.

      If StackOverflow had their own login, you only have one dependency: itself. Clearly this is the best option if you want to optimize for availability.

      And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology. OpenID is too crappy to succeed on its own merits, so now we have website "activists" trying to force its use... that's crummy.

      --
      Comment of the year
    2. Re:a site that uses nothing but OpenID by Kent+Recal · · Score: 4, Interesting

      If you have a better solution, I'd like to know what it is.

      Well, I can offer the obvious solution.

      Put authentication in the browser. Oh my god, what a novel idea!
      Have the user enter his password once, at the beginning of the session, and create a unique token for each site from that.
      Submit that token along with every request, in a HTTP-header.

      No login required ever. Sites can distinguish users by their tokens (even when they're not "logged in") and a registration merely consists of connecting a token to whatever metadata (a username, address, whatever the user wants to give out to a particular site).

      Paranoid users could choose to suppress the token by default and only start submitting it when they hit the "Login" button on their browser chrome - without typing in a username or password ever.

      Better yet, add a bit of cryptographic trickery and these tokens can easily be revokable, updateable etc. for the cases where a password is stolen or "lost". And ofcourse browsers could easily store multiple "identities" and provide a dropdown to switch between them on the fly.

      It's not rocket science, really. The whole system could be designed and spec'ed out over a weekend and would work better than anything that we had before. No third parties involved and everybody (even the data collectors) happy.

      Problem? Oh, right. Getting it into the mainstream browsers... Well, give it another 20 years.

  4. What bothers me about OpenID. by WiiVault · · Score: 4, Insightful

    I am not a user so YMMV, but I personally don't like all my eggs in one basket. I use different logins and passwords on most of the sites I visit. I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site. Centralized is great for some things, but I simply don't trust any company to be as tight with their security as I am with my own. To them a breach is a "whoops, sorry!" to me it could be personally and financially devastating.

    1. Re:What bothers me about OpenID. by Aladrin · · Score: 5, Informative

      The idea behind OpenID is that the forum never has your login credentials, they just have the promise of some OpenID server that you are really you. They can never use the information they obtain to log into any other service you use with that login.

      You still have to trust that OpenID server with all of your logins, but it's not like you trust every tiny site with them.

      Having said that, very few sites I use will take OpenID, and some are providers only... Which is absolutely worthless. I'm waiting for something worthwhile to happen before I jump in, and I bet a lot of other people are, too.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:What bothers me about OpenID. by roemcke · · Score: 5, Insightful

      You already have all your eggs in one basket. Virtually all online sites will send you new passwords by e-mail if you forget them. If your e-mail account get compromised, an attacker can request and intercept new passwords for any online site he wants to access.

  5. I Wonder Why... by bradgoodman · · Score: 5, Interesting
    Shrinking support? I wonder why...

    Hmmmm...

    I checked out the "Explaining OpenID" web site referenced in the article, and it didn't make a whole lot of sense.

    It did tell me that my OpenID is: www.google.com/o8/id

    I undoubtedly will not remember that, nor do I believe it is even accurate.

    I then read how I could integrate it into my own web site - and despite doing a ton of web development and XML stuff, had no idea what they were talking about - at either a high or low level.

    In conclusion - If they want to get users and developers on board with OpenID - their going to have to do a hell of a better job. Either that, I'm just too stupid to understand their "OpenID for Dummies" web site.

    Now I'm of course just an engineer and developer - I'm sure users like my parents, grandparents and kids would understand this stuff much better.

  6. It Is Not Prominantly Displayed by phantomcircuit · · Score: 4, Insightful

    Do you see OpenID anywhere on the front page to Facebook?

    There's your problem, people don't know that OpenID even exists.

  7. A better mousetrap? by Anonymous Coward · · Score: 5, Funny

    but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...

    If it's a chicken-and-egg problem, wouldn't it be better to build a chicken trap, with egg catcher?

  8. Obstacles to implementation by pvera · · Score: 5, Interesting

    I am a web developer by trade, and so far one of the most infuriating things that I have to deal with on a weekly basis is that my customers simply can't bring themselves to care enough to remember their admin logins. Every week I have to unlock a handful of administrators. It doesn't matter if I provided them with a proper password rescue option, it is simply too much for them.

    The second big problem is that we have multiple branches of certain products running at the same time, so at any given time one of my customers may have to login into her production, staging or 2-3 development servers, each with its own username and password.

    We are a .net shop, so my original idea was to use the new membership and role providers and remove the login mechanism from all sites from a given customer. This works, but it is hard to get all sites in line since there is always something else going on that is more important. They still screw it up, but at least they only have to remember one username and password that works at the same level (production, staging, dev, etc.).

    When I heard about OpenID I tried to see if I could implement it in any of our sites that use .net 2.0-style security. I was glad to see that somebody already had thought of this, and I found a ready to run library with a very nice login control for .net that uses OpenID.

    It wasn't easy, but it was interesting, and within 10 or so hours invested I had:

    1. A .net web app that used ANY OpenID instead of the built-in aspnet_* tables hierarchy.
    2. A recovery page. You type your email address and it emails you a list of any OpenIDs in the system that match that email address.
    3. A self-registration page. If you arrive at the web app, and you authenticate through OpenID successfully, and you don't have a local profile, it asks you to fill a quick form.
    4. Security roles are used just like any standard .net app that uses the SQL membership/role providers.

    The beauty of it is that I can even run my own OpenID server for my customers. All they would need to remember is that they login by typing a URL like:

    userid.ouropenidserver.com

    and it would do the rest for them.

    One customer, three projects, three environments per project, that's nine login/password pairs that I am expecting them to remember. Instead all they need to remember is the URL and the password. If they lock themselves out, all they need to remember is the email address used to register, which emails them their OpenID URL. If they forget their password, that is handled at the OpenID provider level, not at the end user application.

    Even if nobody else in the world uses it, to me it clearly means that I can spend more of my customer's money in building new things instead of on troubleshooting and damage control (even if the two figures are identical, customers will bitch more about paying for repairs than paying for work that can be recognized as new). And it is an easy concept, if they have a Google or AOL account, they already have an OpenID.

    --
    Pedro
    ----
    The Insomniac Coder
  9. That is a bug, not a feature by coryking · · Score: 4, Insightful

    Lets say I've hacked your OpenID account. Now I can go visit sites like StackOverflow and post as you. Since they dont require email verification when you "sign-up", it doesn't matter if you had an existing account with them before I hacked you. I can go anywere that takes OpenID and "silently" impersonate you regardless of if you used the website before. No email verification means you'd probably never know it either. Well.. until you google "AvitarX" and find yourself posting horse porn on some OpenID site.