// Internet Duct Tape

Universal identity and single sign on using openID? No thanks

Posted in Technology, Web 2.0 and Social Media by engtech on August 15, 2007

Universal standards and open data formats are the holy grail of modern information technology. With different vendors creating competing products they always try to lock users into walled gardens where they use their product and only their product. Or you get hybrids like Facebook applications where you can use other products provided they play by our rules. Companies have no incentive to work well together. After all, it’s only the consumers who suffer.

Radio Shack's evil EULA - by buying this, you waive your consumer rights. Photo by doctorow

In an ideal world the consumer would be able to use whatever application they want and move their data from one app to another with minimal hassle. We want to be able to use the email application of our choice in any context. We want a single synchronized calendar of our choice and still be able to share events with other people. We want to maintain one list of contacts and use them in every “social” web application. Consumers want to maintain control over their information, not spend all of their time maintaining applications and trying to get them to talk to each other.

One of the holy grails of web technology is single sign-on: the ability to use different web applications from one user account. Instead of having to remember 20 (or more like 30-50 in this web2.0 social app environment) login credentials, you’ll only have to remember one.

Every few years it seems like there’s another attempt at creating a universal login. Microsoft had Passport (now Windows Live ID). Google has unified its services to all use a single Google Account for authentication. Yahoo has never been great at integrating all of its services under one umbrella, but they certainly try (Flickr and Pipes use the Yahoo account, but del.icio.us and MyBlogLog don’t). People are saying that Facebook may be the future “universal account” since so many people use it. But the problem with all of these choices is that each of them is run by a centralized company. Do you trust them? Will you always trust them?

Photo by thelastminute

OpenID is the most popular decentralized system for single sign-on and maintaining a universal digital identity. It’s a very cool concept. Instead of having to worry about maintaining multiple user accounts and passwords (which should be different on different sites), openID lets you maintain one account and one online identity – without having that identity dependent on one company. At least that’s what the purple koolaid wants you to believe. If you stop to think about it, you’re still dependent on whatever company you are using as your openID server.

The decentralization that is openID’s strength is also its biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. WordPress.com supports openID but I’ve had problems with it [1] that have prevented me from using it to login to other accounts. It’s never a good idea to put all your eggs in one basket, but it’s much better to have one basket that works well than to have multiple baskets that have to work together properly or they won’t work at all.

It reminds me of those stupid wireless headphones for iPods. You can replace the small, portable earbud headphones that come with the iPod with larger headphones in order to be free from wires. But you greatly increase the dependencies needed to listen to music. Not only does your iPod have to be charged, but your wireless headphones and wireless transmitter ALSO have to be charged. The chances that they’re all going to be charged at the same time are much less than the chance that your iPod will be charged. The end goal of being free from wires isn’t worth the complexity the solution adds to the system – the solution introduces more things that can break and go wrong.

wireless headphones for ipod

This is the problem with openID. In order to login to a web app with openID the web app needs to be working AND my openID server needs to be working. The greater number of interconnecting parts lowers my chances of getting everything to work together by more than the benefit of not having to manage multiple user accounts is worth. OpenID is easy enough when it works, but if your server is having issues then it can be frustrating to know that you could login just fine if only the stupid server was up and working.

It works ok if your openID account is your own domain name because you can use delegation to point it to another server, but if you use someone else’s openID server then you’re screwed. It’s a very cool hack to use your web url as your login ID, but I’d only do it if you own your own domain name and plan to own it for as long as you’ll be using it to access those accounts.

The sad truth is that we already have an open identity that works — our email addresses. Smart web applications use our email address as our login identity. Almost all web apps allow us to recover our password using that email address [2]. Email is the only login identity we really need to remember; every other identity can be found by searching our email or using the password recovery feature.

Photo by jblndl

Updates and clarifications:

The scenario I’m talking about is when you don’t have full control over your openID URL. It doesn’t matter who your openID provider is as long as you can redirect your URL to another provider if it goes down. Many sites have been advertising that they support being an openID provider, telling you to use their URL as your openID. They make no mention that you should use them as a provider, not as your URL. You should *always* have full control over your openID URL.

Neomeme hits openID from the point of view of how it can be used to easily stalk someone over the Internet.

Jan Miksovsky notes that openID is too confusing for first time users.


  1. When I try to use my WordPress.com openID it says that I’m not logged in even though I can access my dashboard. I’m not sure if this is a cookie issue, custom domain names, or if it’s related to peak usage times (always seems to happen at noon or 5pm), but it’s been hard to get to the bottom of.
  2. How do you recover from your openID server going down if you don’t own the domain name? I couldn’t find any information on how to do it. Your openID should not be an account. You should be able to keep your account but change your openID login credentials, much like how you can change the email address your account is registered to.

27 Responses

  1. sunburntkamel said, on August 15, 2007 at 8:56 am

    yes, wp.com openID is not terribly stable. livejournal’s is much better, but i don’t really want my identity linked to a friends-only journal. i haven’t tried verisign’s because i keep forgetting what my unwieldily-long url is supposed to be.

    nonetheless, the idea of being able to authenticate against archgfx.net would be nice. i know on iconbuffet, after you’ve signed on once you have the option of _also_ specifying an email/password login. (useful for me when i killed my openid server at sbk.wp.com).

    another workaround might be for sites like pip.verisignlabs.com to sell openID servers (e.g. openid.archgfx.net), much like they sell SSL certificates. i suppose the holy grail would be an open source openID provider that i could run on my own server.

  2. engtech said, on August 15, 2007 at 9:55 am

    @sunburntkamel:

    Actually, it’s a bit easier than running an open source openID provider if you have your own domain name.

    All you have to do is modify the website at your domain name to delegate to another openID server… http://netevil.org/blog/2007/06/howto-set-yourself-up-with-an-openid

    It doesn’t look hard to do, especially since there are WP plugins that will do it for you.
    http://eran.sandler.co.il/openid-delegate-wordpress-plugin/

    But the key thing with openID is:
    – always use a url that you have full control over and plan to ALWAYS have full control over
    – there should still be a username/password you can use if your openID goes down

    I like the idea of openID for the “unimportant stuff”, especially blog comments. It’s a great way to authenticate commenters without using captcha.

  3. engtech said, on August 15, 2007 at 10:22 am

    the problem is that delegation requires the delegate to be willing to authenticate your domain. livejournal won’t authenticate archgfx.net, for example.
    i’m actually using the wordpress plugin, since i’ve been too lazy to disable it, despite livejournal refusing to make it usable.

    well, that’s an added pain in the butt. I’m back to “just let me use my email and a password” :)

  4. Dave Kearns said, on August 15, 2007 at 12:14 pm

    >>If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login.<<

    Um, no. If your OP crashes, you can simply go to a different OP and establish an account. The actual OpenID, the URL you claim as your own, doesn’t change at all.

  5. engtech said, on August 15, 2007 at 1:37 pm

    @Dave Kearns:

    Please correct me if I’m wrong.

    1. My openID is http://engtech.wordpress.com
    2. I’m using it to login to my account at blah.com
    3. WordPress.com is having issues. I can’t login with http://engtech.wordpress.com
    4. Now I’m locked out of blah.com

    If you don’t use your own domain name/delegation with openID, you can get locked out because you have no ability to change the broken url.

  6. Ian Stewart said, on August 15, 2007 at 1:42 pm

    I’d like an option to use gmail as a password manager if it’s going to end up being one anyway.

  7. engtech said, on August 15, 2007 at 3:09 pm

    @Ian Stewart:

    The easiest password strategy I’ve seen is a Firefox extension that uses a salted hash of the base url of the site you are logging into + a master password.

    Here’s the simplified version of how it works:
    http://www.neomeme.net/2007/01/15/generating-the-perfect-password/
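
The scheme comment 7 describes, written out as an added example (this is not the Firefox extension's code, which is not on the page): every site's password is derived from one master password and the site's base URL, so only the master password has to be remembered. The names `base_url` and `site_password` are constructed for this example; using PBKDF2-HMAC-SHA256 instead of a plain salted hash, and the per-site rotation counter, are choices of this example rather than features the comment describes.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def base_url(url: str) -> str:
    """Reduce a page URL to the scheme and host that identify a site.

    Canonicalising before hashing is what makes the scheme usable: the
    login page and the account page of one site must derive the same
    password, and a capital letter in the host must not change it.
    (Hypothetical helper; the extension's own rules are not on the page.)
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


def site_password(master: str, url: str, length: int = 16,
                  counter: int = 0, iterations: int = 100_000) -> str:
    """Derive a per-site password from a master password and the site's base URL.

    The comment describes a salted hash of (base URL + master password).
    This version uses PBKDF2-HMAC-SHA256 with the base URL plus a rotation
    counter as the salt: a derived password leaked by one site is then
    expensive to turn back into the master password, and one site's
    password can be rotated by bumping the counter without touching any
    other site's password. Both are design choices added here.
    """
    salt = f"{base_url(url)}#{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    # URL-safe base64 yields letters, digits, '-' and '_'; drop the '='
    # padding and cut to the length the site accepts.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed inputs, not real credentials or sites.
    for page in ("http://Example.com/login", "http://example.com/account",
                 "http://other.example/login"):
        print(f"{page:32} -> {site_password('correct horse battery', page)}")
```

The first two URLs print the same password because they share a base URL; the third differs. The weak spot of any such scheme is the one the comment thread is circling around: whoever learns the master password (or watches it typed into a look-alike page) gets every derived password at once, so the canonicalisation step must be strict about the host it hashes.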

  8. [...] especially for cranky old farts like myself whose memory has seen better days but in practicality as pointed out by //engtech over at his blog Internet Duct Tape there are some serious drawbacks to be considered [...]

  9. Thomas said, on August 16, 2007 at 1:25 pm

    Hi,
    Well, this must be your first article I wholeheartedly disagree with, though I admit that *many* of your points are valid. But…
    – With respect to OpenID:
    1/ Setting up delegation through your own domain is painless and takes about 5 mins if you can follow the ‘OpenID Delegation for Dummies’ Wiki
    2/ You are always free to host your own OpenID server – not the simplest feat, granted, but doable and getting better.
    3/ Most partners offering OpenID are community-driven, or FOSS supporters, or NFPs… the data, per their TOS/Privacy Agreement is usually much more private and explicitly yours. The ownership of a Yahoo Identity, Facebook Account, Google Account, as well as most e-mail accounts is debatable – usually they do control, or own, or have access to some portion of your data.
    4/ OpenID allows you to control privacy settings on a domain level. The website being logged into will only see as much as you allow it, never more. To the best of my knowledge, nothing comes close to that.
    5/ OpenID, with its recent contest, is gaining traction. Wikipedia shows 4500 sites using it already. Next version of Drupal will have it added to its core, for example. Same goes for FireFox 3.
    6/ I personally use OpenID on my WP blog, at my Basecamp account, at Plaxo, and have just incorporated it into a corporate Drupal site (Drupal 5 using a module). Perhaps I am getting lucky in that respect, or perhaps I’m a one-off… BUT I haven’t had a single issue with it.
    – E-mail as Identity,
    1/ Wonderful idea, if only all e-mail were secure. Speaking as a sysadmin, I find e-mail to be one of the weakest links imaginable. Let’s see – plain-text for most of the way, sometimes partial SSL, rarely PGP. Cracking passwords for most free e-mail accounts is a joke.
    2/ Password repetitiveness. While most savvy users know that they should use ‘strong passwords’ and vary them from site to site, Joe Blow uses the same or very similar password on most websites. And in most cases it’s a weak password. While recently this has been improving, when looking at this as the ‘weakest link’ scenario, I remain largely pessimistic.

    Now, this might make me sound like a big proponent of OpenID, which isn’t quite the case. I simply believe in the concept of a Single-Sign-On, and to me OpenID is currently the closest reliable thing out there. At work I authenticate against Active Directory, at home all my family members authenticate against OpenLDAP. But for the web I think OpenID can at least pave the way, if not become *the* solution.

    On that note, the things I’d like to see are easier out-of-the-box OpenID setups. Perhaps adding it as a package to Fantastico would be a good start – with cheapest personal hosting hovering around $2-3/mo, a lot of regular people have access to Plesk/cPanel and would give this a try. Even delegation feels like it could use a quick script to make it even easier. But this is still at the polishing stage…

    Anyway, could rant for a bit longer but I got my main points across…

  10. Gordon R. Vaughan said, on August 16, 2007 at 5:29 pm

    I don’t know how openID works, but in my limited experience with it, I haven’t had much success. Who knows if it’s a problem with openID, the sites I’m trying to log into, my using a Mac, my Opera browser, etc., etc.!

    Anytime you’re trying to make something easier, that fix has itself got to be very simple and rock-solid.

    Most things on the internet are still really way too hard to be worth bothering with. There are so many ways for something to go wrong, yet many sites go out of their way to add more.

    I like to try a lot of sites, but if it doesn’t work simply, it’s usually not worth the effort to hang in there and try to get it to work.

  11. Tai Tran said, on August 16, 2007 at 11:42 pm

    My concern is security:
    – If one loses his openID account, he loses control of ALL services.
    – A hacker may exploit an openID for illegal purposes
    – Anonymity is not achievable: you want to reveal your identity on some sites, but not for some others

    Sounds scary enough!

  13. [...] another concern is pointed out by the author of a blog called Internet Duct Tape: “The decentralization that is openID’s [...]

  14. engtech said, on August 23, 2007 at 10:09 pm

    @Thomas:

    Respectful wholehearted disagreement is one of the best things on the Internet! :)

    I agree 100% that openID is pretty awesome if you’re running your own domain and are using delegation. But what percentage of the web population is that?

    My bigger beef is with all of the companies who are supporting Provider and not Consumer — they usually don’t mention the issues that can arise with NOT owning your URL, and go so far as recommending that you login with their username.bigco.com address. Which is a killer, it means they own your identity, login on several web sites, and they can collect stats on how often you use other sites.

    Have you read some of the stuff about how easy openID is to phish?

  15. engtech said, on August 23, 2007 at 10:31 pm

    @Gordon R. Vaughan:

    “I like to try a lot of sites, but if it doesn’t work simply, it’s usually not worth the effort to hang in there and try to get it to work.”

    That’s wiser than you might know. There are so many time sink sites out there on the Internet. I find that I spend too much time trying to figure out “how to make a site useful to me” instead of doing something useful like going outside of the house. :)

  16. engtech said, on August 25, 2007 at 8:47 pm

    I’ve found another way to break openID.

    You create an account on sites without using your own domain name (because no one tells you anything about that).

    eg: engtech.wordpress.com

    You then buy your own domain name, and use that for your blog instead. You start redirecting your old domain name to the new one.

    eg: engtech.wordpress.com becomes internetducttape.com

    Now if you try to login to an openID consumer with your old URL, it will get your redirected URL instead!

    eg: login with engtech.wordpress.com, and it logs you in as internetducttape.com because of redirection

    Now you’re locked out of all of your old accounts unless you turn off domain redirection temporarily.
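
Comments 2 and 16 above describe two sides of the same mechanism. A relying party fetches the page at the claimed identifier URL, follows any redirects, and reads the provider from that page's `<link>` tags (`openid.server`/`openid.delegate` in OpenID 1.1, `openid2.provider`/`openid2.local_id` in 2.0). Delegation works because the identifier stays the URL you control while the tags point at whichever provider you like; the lock-out in comment 16 happens because the URL after redirects becomes the Claimed Identifier. The following is an added example written for this page, not code from the post, the commenters or the WordPress plugins linked above. The hosts example.org, old.example.net, op-a.example and op-b.example are constructed, the functions `discover`, `identifier_page` and `make_fetch` are hypothetical names, and the fetcher is an offline stand-in for HTTP.

```python
from html.parser import HTMLParser
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# A relying party's fetcher: given a URL, follow redirects, return (final URL, HTML).
Fetcher = Callable[[str], Tuple[str, str]]


class _LinkTags(HTMLParser):
    """Collect rel -> href pairs from the <link> tags of an identifier page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may carry several space-separated values
                self.links.setdefault(r.lower(), href)


def normalize(identifier: str) -> str:
    """Normalize a typed identifier the way relying parties do: add a scheme
    if missing, lowercase the host, use "/" for an empty path, drop fragments."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def discover(identifier: str, fetch: Fetcher) -> Dict[str, str]:
    """HTML-based discovery. Reads openid2.provider/openid2.local_id (2.0) or
    openid.server/openid.delegate (1.1) from the page behind the identifier.
    If the fetch was redirected, the final URL becomes the Claimed Identifier,
    which is exactly what changes the account when an old URL is redirected."""
    url = normalize(identifier)
    final_url, html = fetch(url)
    claimed_id = normalize(final_url)
    parser = _LinkTags()
    parser.feed(html)
    links = parser.links
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        raise ValueError(f"no OpenID provider <link> on {claimed_id}")
    local_id = links.get("openid2.local_id") or links.get("openid.delegate") or claimed_id
    return {"claimed_id": claimed_id, "op_endpoint": endpoint, "local_id": local_id}


def identifier_page(op_endpoint: str, local_id: str) -> str:
    """The <head> a domain owner publishes to delegate to a provider (both tag
    generations, so 1.1 and 2.0 relying parties can read it)."""
    return f"""<html><head><title>me</title>
<link rel="openid2.provider" href="{op_endpoint}">
<link rel="openid2.local_id" href="{local_id}">
<link rel="openid.server" href="{op_endpoint}">
<link rel="openid.delegate" href="{local_id}">
</head><body>my identifier page</body></html>"""


def make_fetch(pages: Dict[str, str], redirects: Dict[str, str]) -> Fetcher:
    """Offline stand-in for HTTP: 'pages' maps normalized URLs to HTML,
    'redirects' maps a URL to where the site redirects it."""
    def fetch(url: str) -> Tuple[str, str]:
        for _ in range(5):                 # bounded redirect chain
            if url not in redirects:
                break
            url = redirects[url]
        return url, pages[url]
    return fetch


if __name__ == "__main__":
    # Constructed hosts; none of these are real sites or providers.
    pages = {"http://example.org/": identifier_page("https://op-a.example/server",
                                                     "https://op-a.example/user/alice")}
    fetch = make_fetch(pages, {})
    print("delegating to op-a:", discover("Example.org", fetch))
    # Switching provider: only the owner's page changes, the claimed id does not.
    pages["http://example.org/"] = identifier_page("https://op-b.example/openid",
                                                   "https://op-b.example/alice")
    print("delegating to op-b:", discover("example.org", fetch))
    # Comment 16's trap: the old identifier host now redirects to a new domain.
    pages["http://new.example.net/"] = pages["http://example.org/"]
    fetch = make_fetch(pages, {"http://old.example.net/": "http://new.example.net/"})
    print("old URL after redirect:", discover("old.example.net", fetch)["claimed_id"])
```

The first two lines of output keep `http://example.org/` as the claimed identifier while the provider endpoint moves from op-a to op-b, which is the substance of comment 4's reply: a provider outage is survivable when you control the URL. The last line shows `old.example.net` coming back as `http://new.example.net/`, so the relying party sees a different account, the lock-out comment 16 describes; until every account has been re-associated, the old identifier URL has to keep serving its own page rather than a redirect.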

  17. [...] advantage that multiple identities, one per account, seem to have (or disadvantage of OpenID) is that if an identity provider stops working at a given moment, the [...]

  18. [...] have to use the password recovery feature to retrieve my login information over email. Despite my distaste for OpenID, I have to admit that I see the appeal. Password recovery works fine only if you can remember which [...]

  19. [...] identification, but believes that forcing its use is inconsiderate toward users. In Universal identity and single sign on using openID? No thanks, they point out that this system is the most popular for registering and maintaining a digital identity [...]

  20. Martin Fick said, on December 19, 2007 at 3:21 pm

    Delegation doesn’t help the availability problem, it simply shifts the single point of failure to the URL provider instead of the identity provider!

    Until this is fixed, I am not going to use openid!

    However, to be fair, I have at least started an effort to propose a DNS based solution that could potentially provide a simple HA mechanism for an openid wrapper. If anyone wants to help out (or has a much better proposal), check out:
    http://www.theficks.name/Hacks/OpenID
    or email me.

    -Martin

  21. [...] happens if MyOpenID has an extended outage, say 48 hours long? Or even worse, what if it folds? The decentralization that is openID’s strength is also it’s biggest weakness. If your [...]

  22. [...] – potentially very valuable competitive information.AVAILABILITY PROBLEMSStill another concern is pointed out by the author of a blog called Internet Duct Tape: “The decentralization that is openID’s [...]

  23. [...] best ways to promote your app is to let people use it without requiring an account to sign in. OpenID hopes to provide a universal account that you can use anywhere, but other sites like Geni and JottIt bring you directly to the [...]

  24. Bill Webb said, on February 20, 2008 at 9:45 pm

    VeriSign is an openID host. Pretty safe bet.



Comments are closed.
