Universal identity and single sign-on using OpenID? No thanks
Universal standards and open data formats are the holy grail of modern information technology. With different vendors creating competing products, each one tries to lock users into a walled garden where they use that vendor's product and only that product. Or you get hybrids like Facebook applications, where you can use other products provided they play by Facebook's rules. Companies have no incentive to work well together. After all, it's only the consumers who suffer.
Photo by doctorow
In an ideal world we would be able to use whatever application we want and move our data from one app to another with minimal hassle. We want to be able to use the email application of our choice in any context. We want a single synchronized calendar of our choice and still be able to share events with other people. We want to maintain one list of contacts and use them in every “social” web application. We want to maintain control over our information, not spend all of our time maintaining applications and trying to get them to talk to each other.
One of the holy grails of web technology is single sign-on: the ability to use different web applications from one user account. Instead of having to remember 20 (or more like 30-50 in this web2.0 social app environment) login credentials, you’ll only have to remember one.
Every few years it seems like there's another attempt at creating a universal login. Microsoft had Passport (now Windows Live ID). Google has unified its services to all use a single Google Account for authentication. Yahoo has never been great at integrating all of its services under one umbrella, but it certainly tries (Flickr and Pipes use the Yahoo account, but del.icio.us and MyBlogLog don't). People are saying that Facebook may be the future “universal account” since so many people use it. But the problem with all of these choices is that each of them is run by a centralized company. Do you trust them? Will you always trust them?
Photo by thelastminute
OpenID is the most popular decentralized system for single sign-on and maintaining a universal digital identity. It's a very cool concept. Instead of having to worry about maintaining multiple user accounts and passwords (which should be different on different sites), OpenID lets you maintain one account and one online identity, without having that identity dependent on one company. At least that's what the purple Kool-Aid wants you to believe. If you stop to think about it, you're still dependent on whichever company runs the OpenID server you are using.
The decentralization that is OpenID's strength is also its biggest weakness. If your OpenID server goes down, you're locked out of *all* of the other web accounts that use that login. WordPress.com supports OpenID, but I've had problems with it that have prevented me from using it to log in to other accounts. It's never a good idea to put all your eggs in one basket, but it's much better to have one basket that works well than to have multiple baskets that have to work together properly or they won't work at all.
It reminds me of those stupid wireless headphones for iPods. You can replace the small, portable earbud headphones that come with the iPod with larger wireless headphones in order to be free from wires. But you greatly increase the number of things that have to work before you can listen to music. Not only does your iPod have to be charged, but your wireless headphones and wireless transmitter ALSO have to be charged. The chances that all three are charged at the same time are much lower than the chance that your iPod alone is charged. The end goal of being free from wires isn't worth the complexity the solution adds to the system: the solution introduces more things that can break and go wrong.
This is the problem with OpenID. In order to log in to a web app with OpenID, the web app needs to be working AND my OpenID server needs to be working. Every additional part in the chain lowers the odds that the whole thing works, and that loss outweighs the benefit of not having to manage multiple user accounts. OpenID is easy enough when it works, but if your server is having issues it's frustrating to know that you could log in just fine if only the stupid server were up.
It works OK if your OpenID identifier is your own domain name, because you can use delegation to point it at another server; but if you use someone else's OpenID server as your identifier, then you're screwed. It's a very cool hack to use your web URL as your login ID, but I'd only do it if you own your own domain name and plan to own it for as long as you'll be using it to access those accounts.
The sad truth is that we already have an open identity that works: our email addresses. Smart web applications use our email address as our login identity. Almost all web apps allow us to recover our password using that email address. Email is the only login identity we really need to remember; every other identity can be found by searching our email or using the password recovery feature.
Photo by jblndl
Updates and clarifications:
The scenario I'm talking about is when you don't have full control over your OpenID URL. It doesn't matter who your OpenID provider is as long as you can redirect your URL to another provider if the first one goes down. Many sites have been advertising that they support being an OpenID provider, telling you to use their URL as your OpenID. They make no mention that you should use them as a provider, not as your URL. You should *always* have full control over your OpenID URL.
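To make the delegation point concrete (both the "point it at another server" hack above and this update's rule about controlling your URL), here is an added example; it is not code from the original post or from any OpenID library. It parses the `<link>` tags that OpenID HTML discovery reads from the page at your URL, then shows that re-pointing that page from one provider to another leaves the identifier a relying party stored untouched, while an identifier hosted on the provider itself has nowhere to go when that provider is down. The hostnames `provider-a.example` / `provider-b.example`, `https://example.com/` and the two sample pages are constructed for illustration.

```python
"""OpenID delegation worked through: discovery on a URL you control, a provider
switch, and the hosted-identifier failure case.  Added example, not from the
original post; hosts and pages below are constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Discovery:
    claimed_id: str  # the URL the user typed; this is what a relying party stores
    provider: str    # provider endpoint the relying party redirects to
    local_id: str    # name the provider knows the user by; may differ per provider
    version: str     # "2.0" or "1.1" tag set


class _LinkTags(HTMLParser):
    """Collect rel -> href from <link> tags (rel may hold several tokens)."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.lower().split():
                self.rels.setdefault(token, href)


def discover(claimed_id, page_html):
    """HTML-based discovery as a relying party performs it on the claimed URL.

    OpenID 2.0 uses openid2.provider / openid2.local_id, OpenID 1.1 uses
    openid.server / openid.delegate.  No local_id tag means the claimed URL
    itself is the identifier at the provider.
    """
    p = _LinkTags()
    p.feed(page_html)
    t = p.rels
    if "openid2.provider" in t:
        return Discovery(claimed_id, t["openid2.provider"],
                         t.get("openid2.local_id", claimed_id), "2.0")
    if "openid.server" in t:
        return Discovery(claimed_id, t["openid.server"],
                         t.get("openid.delegate", claimed_id), "1.1")
    raise LookupError("no OpenID delegation tags at " + claimed_id)


# Constructed sample: the page at a domain the user owns, before and after
# the owner moves from provider A to provider B.  Only the <link> tags change.
OWN_URL = "https://example.com/"

PAGE_PROVIDER_A = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://provider-a.example/openid/server">
<link rel="openid2.local_id" href="https://alice.provider-a.example/">
<link rel="openid.server" href="https://provider-a.example/openid/server">
<link rel="openid.delegate" href="https://alice.provider-a.example/">
</head><body>alice's homepage</body></html>"""

PAGE_PROVIDER_B = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://provider-b.example/id/endpoint">
<link rel="openid2.local_id" href="https://provider-b.example/id/alice42">
</head><body>alice's homepage</body></html>"""


def account_survives_switch(before, after):
    """A relying party keyed the account on claimed_id.  Provider endpoint and
    local_id both changed, but the key did not, so the old account is reachable
    through the new provider."""
    return before.claimed_id == after.claimed_id


def hosted_identifier_outage():
    """'Use our URL as your OpenID': the identifier is a page on the provider.
    When the provider is down that page is gone too (simulated here as an
    empty response body), so discovery finds nothing and there is no second
    place to move the pointer to."""
    hosted_url = "https://alice.provider-a.example/"
    try:
        discover(hosted_url, "")
    except LookupError as e:
        return str(e)
    return "unexpected success"


if __name__ == "__main__":
    a = discover(OWN_URL, PAGE_PROVIDER_A)
    b = discover(OWN_URL, PAGE_PROVIDER_B)
    print(a)
    print(b)
    print("account survives provider switch:", account_survives_switch(a, b))
    print("hosted identifier during outage:", hosted_identifier_outage())
```

The thing to notice is that the relying party never stores the provider endpoint or the provider-side `local_id`; it stores the claimed URL and rediscovers from it on every login. That is exactly why owning the page at that URL is the recovery mechanism, and why a URL that lives on the provider's own host gives you none.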
Neomeme hits OpenID from the point of view of how it can be used to easily stalk someone over the Internet.
Jan Miksovsky notes that OpenID is too confusing for first-time users.
- When I try to use my WordPress.com OpenID it says that I'm not logged in even though I can access my dashboard. I'm not sure if this is a cookie issue, custom domain names, or if it's related to peak usage times (always seems to happen at noon or 5pm), but it's been hard to get to the bottom of.
- How do you recover from your OpenID server going down if you don't own the domain name? I couldn't find any information on how to do it. Your OpenID should not be an account. You should be able to keep your account but change your OpenID login credentials, much like how you can change the email address your account is registered to.