When I first heard of the OpenID concept back in 2006 it seemed like a novel idea that would go well with the increasing prevalence of web services and applications. Most of these services require registration, and who could possibly remember different passwords for all of them without using a specialized tool? Instead of using the same password for every site, OpenID presented a solution that lets you organize your online accounts under one login, using the concept of Single Sign On (SSO).
It seemed like a daunting task. Up until that point, single sign on had had limited success on the web. Microsoft’s Passport system, since rebranded as Windows Live ID, had mixed success with popular websites such as eBay and Monster, and both of those eventually discontinued support. It appeared that they did not like having their user base under the potential control and monitoring of a third party. OpenID aimed to solve that by being, well, open. Just as any website could support OpenID login, there could be a multitude of OpenID providers that would allow you to obtain an OpenID-enabled URL, which would form the basis for your online identity.
Convenience, but watch out for the pitfalls
With these benefits in mind, I quickly signed up for an OpenID account using myOpenID, which is a popular provider run by JanRain. (JanRain was an early adopter of OpenID technology.) I mainly used it for my Zooomr account, but also used it to conveniently try out other websites that required registration but also supported OpenID-enabled login; not having to register for these sites was nice.
But having so many accounts under the umbrella of a single login is both OpenID’s biggest strength and its biggest weakness. Without OpenID, if you forgot the password to one of your accounts, only access to that website was affected – the same could be said if someone found out the password, as long as you followed best practices by not reusing passwords. With OpenID, if you lose access to your single sign-on account, your entire online identity is potentially nixed. Additionally, the login process is a bit convoluted, and seems particularly susceptible to phishing attacks because of this.
OpenID/myOpenID: Access to many different websites, all from one login
I ran into this problem back in January. I went to log in to my OpenID account and found that I had forgotten the password. I soon remembered that I had changed it during the holidays; this probably happened just before I fell extremely ill and was basically in bed for two or three days straight. Because of this and my stupidity in not associating an e-mail address with my OpenID account, I had completely lost access to it, and by extension, my Zooomr account, where I had a small collection of photos.
I decided to contact the operators, JanRain, and explain my situation. Clearly, they would have no proof that I was the owner of the account, and would be well within their rights to ignore my requests. However, they were quite helpful – after asking me a few personal questions related to my account, they relinquished control back to me. Kudos to myOpenID for taking responsibility even though the USEFUL service they’ve been offering has been free. From my experience, they clearly understand the responsibility of being a single sign-on provider in a globally federated environment.
Obviously, the loss of my password and not bothering to associate an e-mail address with my account for recovery (which I have since done) were mistakes of my own that contributed to the predicament. But it does highlight the importance of keeping your online account secure, especially if it is an SSO account controlling access to a multitude of other online services.
Support is growing
Despite the potential pitfalls, OpenID support is growing. In addition to Yahoo becoming a provider, it appears that Google, Microsoft and Verisign will also be coming on board. With support from these big names, it appears that OpenID is here to stay.
However, the potential troubles do raise issues about global single sign-on systems like those using the federated OpenID standard. With phishing attacks becoming increasingly common, the number of corresponding account thefts is sure to rise. Normally, this can already be quite a hassle, but with a single point of failure, a single account loss can be multiplied without limit. Having to rebuild your identity across multiple sites can be time-consuming, even without considering the potential for data and privacy loss.
Despite this, the recent announcements of support from the “big players” are something to look forward to. With more support, the OpenID protocol will advance, and should include more safeguards against the present and potential problems. The goal is a daunting one, to be sure, but with the proper time and effort, it should become a reality.
Great article – Check out this post that covers some pros and cons of using OpenID or OAuth for authentication, and details why we decided not to use OAuth for now.
Pros and Cons of OpenID Authentication (OAuth)
I’m using OpenID atm on my blog, it’s definitely worth an install.