What is the benefit of using ONLY OpenID authentication on a site?
https://stackoverflow.com/questions/60436
-
09-06-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
From my experience with OpenID, I see a number of significant downsides:
Adds a Single Point of Failure to the site
It is not a failure that can be fixed by the site even if detected. If the OpenID provider is down for three days, what recourse does the site have to allow its users to login and access the information they own?
Takes a user to another sites content and every time they logon to your site
Even if the OpenID provider does not have an error, the user is re-directed to their site to login. The login page has content and links. So there is a chance a user will actually be drawn away from the site to go down the Internet rabbit hole.
Why would I want to send my users to another company's website?
[ Note: my provider no longer does this and seems to have fixed this problem (for now).]
Adds a non-trivial amount of time to the signup
To sign up with the site a new user is forced to read a new standard, chose a provider, and signup. Standards are something that the technical people should agree to in order to make a user experience frictionless. They are not something that should be thrust on the users.
It is a Phisher's Dream
OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy. [ taken from David Arno's Answer below ]
For all of the downside, the one upside is to allow users to have fewer logins on the Internet. If a site has opt-in for OpenID then users who want that feature can use it.
What I would like to understand is:
What benefit does a site get for making OpenID mandatory?
Solution
The list of downsides misses the most obvious one: it is a phisher's dream. OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy.
Matt Sheppard hits the nail on the head as to the answer though:the benefit of only using OpenID is that it involves less hassle for the site creator as there are no usernames and passwords to handle and no user account creation code required.
OTHER TIPS
The benefit of making OpenID mandatory is simply that login code for the website does not need to be written (beyond the OpenID integration), and no precautions need to be taken around storing user passwords etc.
Not having your own login code also means not having to deal with a lot of support issues like resetting of lost passwords etc.
Certainly most of your downsides are valid, so I guess it becomes a trade off.
What surprises me is that there are not more sites forming a close relationship with a particular OpenID provider to simply the account signup phase - i.e. some sort of 'You can use any OpenID you like, but you can also create one right now by entering a username and password etc' login page, which automatically creates a new account with the selected provider for you.
It's a good way to outsource a part of your infrastructure. You don't have to worry about lost passwords etc., someone else does it for you.
I'm not sure I'd use it exclusively, though. I haven't used OpenID enough to entirely trust it, and the sign up process needs to be streamlined until > 90% of users have an OpenID.
Adds a critical point to failure to the site
The third highest idea on uservoice for Stackoverflow is to allow changing the OpenID provider. And in the comments there is the suggestion to allow associating more than on OpenID. On sites where multiple OpenIDs can be associated with an account if your usual OpenID provider is down you can still log in with another provider (assuming you've already associated it with the site).
Also, it's only a critical point of failure for users of the OpenID provider that isn't working. All the other users on other OpenID providers can continue to log it. Over time you'd expect that users would migrate to the most reliable providers.
Takes a user to another sites content and every time they logon to your site
If you've set up your OpenID provider to always trust a site (or OpenID consumer in the nomenclature) and you are already logged into your OpenID provider then they will redirect you straight back to the site without you even seeing your OpenID providers site.
Adds a non-trial amount of time to the signup
Currently that may be true, but as andyuk said, "This becomes less of an issue the more sites that support OpenID". I'd expect that in a few years time most users will already have an OpenID and know what it is.
One of the big benefits of going OpenID-only from an engineering perspective is that abstracting out the credentials-authentication piece lets users pick authentication methods that are much more sophisticated than whatever you would bother to build for your site. Yes, some OpenID providers are easily phished. On the other hand, other OpenID users log in with Information Cards, hardware tokens, or telephone verification, and these are credentials which cannot be captured and replayed by a phisher.
As Gabe Wachob put it:
People who want to innovate in authentication methods [...] do NOT have to be the same people who innovate in offering services on the web (any one of a million folks running Mediawiki, Drupal, etc). That "delinking" of authentication innovation and service innovation is what is valuable in OpenID.
So by using OpenID, you can offer your users stronger authentication methods. The abstraction lets you implement one interface, and then you can pick any provider to work with, whether they use eight-character passwords in cleartext or challenge-response neural implants.
It encourages users to sign-up to OpenID, find out more about it and hopefully to evangelise it themselves.
Stack Overflow proves just supporting OpenID can work.
"Adds critical point to failure to the site"
In the event of an OpenID provider failing to work, the site should have a mechanism to allow users to login and add/change OpenID providers. Perhaps the site could email a temporary link to bypass security so users can access their account.
"Takes a user to another sites content and every time they logon to your site"
My OpenID provider allows me a trust a given website so I do not need to even view their website.
"Adds a non-trial amount of time to the signup"
This becomes less of an issue the more sites that support OpenID.
As a web developer, I'm a big fan of the idea of OpenID. Writing Auth code is a pain in the ass. As a web user, I'm a big fan of OpenID - for non-critical uses like SO, forums, etc - because once you have the ID, it's a very simple way to join a site.
I think, outside of a few exceptions - like a community for developers - at this time, you can't force OpenID only. The "average" web user (whatever that means) doesn't get it. However, promoting it in a site like this raises awareness among developers, and the idea will eventually trickle down. As OpenID appears on more and more sites, people will look in to it, realize they have one, and then start using it. In order for OpenID - which is a great idea - to catch on, there needs to be a critical mass of users and sites supporting it.
Eventually, it will just be "the way it is", and we'll wonder why we ever created authentication code for every single website we made, or why we would create a unique identity everywhere we went on the Web
As discussed in one of the podcasts, it adds a barrier to entry to the wanderer happening by wondering if this might be where they should post their Yahoo! Answers question.
It's somewhat elitist, but given the focus of this website in particular it is fairly acceptable to turn away any who can't figure out the Open ID process, and anyone who really has a real question they need answered can be bothered to work through any slight hardship.
From my experience with OpenID, I see a number of significant upsides :
If you choose to log in with your trusted OpenID provider, eg. Verisign PIP+VIP you can enjoy the benefit of out of band SecureID authentication mechanisms. This should be seen as the major benefit the outweighs ALL others. You are no longer trusting whatever crappy form based authentication is on the site you access, you are trusting Verisign VIP or whatever your choice of OpenID provider may be.
Internet rabbit hole? Sounds like bad implementation and I for one do not know what you are referring to.
You cannot steal authentication detail easily, it can be made closer to impossible than what we already have! You may be able to trick to me into thinking I am contacting my provider, but Verisign for one has an option to not allow or accept redirections. I see these phishing issues as something trivial also, especially again if you weigh it against the benefits of out of band authentication mechanisms that you can gain through your OpenID authentication provider. So say you phished RSA key detail one time, it would not be valid the next time or maybe just totally useless if you were to say use a browser certificate.
In conclusion, OpenID is just the evolution of the current system, an Email address to verify against. If your email account is your current single point of failure then yes, your OpenID could be your new single point of failure in the case where the OpenID you control is no longer under your control. So, if you trust only your email server then simply host your own OpenID URL. If you trust Gmail, use a gmail URL for your OpenID because by the same token, you already trust Gmail as your SSO as your gmail account can ultimately retrieve your account passwords.
It's a no brainer, but I can see that some people may have difficulty understanding the basic concepts of authentication mechanisms. If I CAN login with my SecureID card (via my OpenID provider) to a site that I have an account on, I WOULD. So if it was the only option, I'll take it!
Adds critical point to failure to the site
That critical point of failure could be the confirmation email you send out, but the user's mailbox is a) unavailable due to a typo, b) full or c) provider is 'down'.
Takes a user to another sites content and every time they logon to your site
I can see that, but IMHO - this is not so bad. I mean, Y! seems to be one of the most cluttered logins and it also never works for me. ;) Aside, most OpenID providers don't look so bad (yet).
Also, keep your audience in mind. If mom and pop are your users, OpenID is probably confusing as hell. But so is probably a lot on the Internet. In SO's case, the people are somewhat savvy users and know what they want.
Adds a non-trial amount of time to the signup
This is a non-issue. Look at the list of providers: http://openid.net/get/
So many people have at least a Yahoo! account, so if it actually worked. It wouldn't be so bad. I agree though that if a user doesn't have OpenID, and doesn't know what it's for. It's not so easy to educate them.
And think about the implication - "to register for site A, you need to register at site B". And we all know that registering per se is a pain in the ass. But in the long run, this is also exactly what OpenID tries to address.
In mainstream, I currently see no value for making OpenID mandatory. I like it as an add-on though. Just how people provide links to "login with your Facebook", etc.. Then people who don't get it (or don't care) don't need to bother. But others can still use it.
OpenID may be the greatest thing since sliced bread, but I have been given no reason to trust "them" with my identity - other than Jeff Atwood/Joel Spolsky made me do it in order to be here complaining about it ;-)
One thing to mention also. You already have a userbase with OpenID, they just need to login.
I am in favour of OpenID, mainly from an ease of use perspective. I remain to be convinced about it's safety, but it has a lot of potential. There are lots of things that could be said on this, but I just wanted to respond to the following two points:
Adds a non-trivial amount of time to the signup
Only the first time it's setup. Also, with companies like Yahoo providing support now, many people won't even have to bother setting up an OpenID if they don't want to. If you used Google or someone similar as your OpenID provider, would you see them as inherently insecure? And how often would you expect them to have downtime?
It is a Phisher's Dream
I do accept that this might be partly true. But is phishing not more of a social problem than a technological one? OpenID could make it easier, but that doesn't eliminate the fact that the real problem is the user. It's far more important to make users aware of how phishers operate than trying to safe guard them through technology.
At least OpenID sends you to your OpenID provider to login.
I was reading a blog on blogspot and there is a link to follow this blog (presumably tell me when there are newposts) to do this it pops up a box asking for my Gmail username and password.
Even assuming that this is genuine and not a phishing site - they now (potentailly) have the login to my Gmail, my Google documents, my Google applications - everything!
The main benefit of having an OpenID will be seen in the long term. Instead of having to apply to different sites for an identity, you do that once and then use it on all the sites that require a unique identity. Of course for secure sites like banking and trading it will need a different kind of thinking altogether. But for social networking sites and the like you can use it easily.
Mom and Dad will find it easy too because now they have to remember only one username/password. A lot of times it gets hard for us to remember what login we have at which site, and end up using the correct username/password of Site A on Site B. OpenID will solve that. Plus it's a good revenue model for an OpenID provider and user. I can enter to one such provider all the details I am willing to give and every such detail I give I can earn money.
Maybe the provider can coax me to tell it more about myself using that as an incentive, which it can then sell to the sites I register with. So Site A pays OpenID for my information. OpenID then passes a cut of that on to me. Site A doesn't have to manage users, OpenID gets money, user gets money, everybody is happy :)
This way you won't have to make OpenID mandatory. People themselves will want it. OpenID providers will then compete amongst themselves to provide better services, and where there is competition there will be better value provided to all concerned. I think it's a fabulous idea.
Edit: Regarding downtimes at one particular provider; if OpenID provider A is not confident of providing 100% uptime, it can take the help of another provider B, and the user on Provider A can choose from the options provider A gives. The site which goes to provider A to authenticate a user will know which other providers to go to in case provider A is not working. This will be stored in its database on first login automatically. Anybody want to brainstorm the implementation details ? :)
