December 24, 2006

The problem with OpenID... will it ever leave the confines and control of the geek world?

When it comes to identity management, one of the more interesting things these days that I have been following is the whole idea of OpenID. Alan even went so far as to link to a great video screencast by Simon Willison that shows how to use OpenID. There is quite a bit of buzz about it. Heck, Dick and his crew over at SXIP are actually throwing an OpenID 2.0 Vancouver Mash Pit in January to try to get more people working with it. And I'll be there. (If you want to join me Alan, let me know) All good stuff.

In the midst of all the buzz though, I am seeing one trend that I think is doing more to HURT OpenID than help it. Everyone wants to be the "provider"... but few want to be the "consumer". Let me see if I can put this into perspective for you. Let's look at the majority of sites that I regularly use that could benefit from OpenID:

  • My Bloglines account
  • My Technorati account
  • My Google Ads and Analytics account
  • My Movable Type blog author logins (I have 3 separate blogs)
  • My comments on other people's blogs
  • My phpBB Forums account
  • My YouTube account

Now, it IS possible to get 3rd party patches/modules for some of these that can consume OpenID auth. But by default, most of these sites want to be the provider. And that drives me nuts. These guys all obviously GET the idea behind OpenID... going so far as investing in building the code to let them be the IdP. But few are making it easy to consume OpenID. I could care LESS if Six Apart or Technorati can be an OpenID provider. I don't particularly have a lot of care or trust in them. I want these sites to trust MY provider... which in this case is my own corporate authentication server.

You see, for me to adopt OpenID I would like to use this blog as my identifier, and configure authentication delegation to the company's two factor authentication server, which can provide support as an OpenID provider. Then I could simply use my same hardware token to log on to all these sites.

And that to me is the REAL value of an "open" ID. I think that is getting lost with all these players. It's nice that they want to be providers for their users. But they should ALSO be willing to be the consumer for those of us that use their service, but wish to use a different provider.

I think part of the problem is that if we plotted OpenID on Gregory Moore's "Technology Adoption Life Cycle", we aren't even close to "crossing the chasm". Geeks see the value of OpenID and are coding support in as the provider. It's only a small step from being an identity silo to offering a way "out". But what we need is more ways "in".

If I consider the value of the information available to my accounts on sites like Bloglines and Technorati, there shouldn't be a problem with their sites trusting MY identity from somewhere else through OpenID. I only hope they realize that soon... so I can truly be an OpenID adopter and advocate.

If you work for these sites, or have a popular site yourself, please consider being a consumer BEFORE being a provider. Don't get me wrong... fill your boots and be an OpenID provider if your users want it. But if you want ME (and people like me) to use your site, consider being a consumer of it first. It's much easier for me to adopt that way.

It's MY identity after all.

Posted by SilverStr at December 24, 2006 03:32 PM

Glad to see someone asking some tough questions. With OpenID, isn't there a risk of single point of security failure?

Also, I suspect there will need to be an OpenID transfer agent if you decide to change or combine your OpenID logins.

Thanks, Again!

Posted by: Doug Karr at December 24, 2006 08:35 PM

Hey Doug,

One of the nice things about OpenID is how decentralized it is. You can very easily point your authentication delegation to different servers if you need to. Your "identifier" is indeed a single point of failure, but no different than any other typical logon trust scenario.

The idea is that you have ONE identifier, that can then point to whatever provider you wish to provide authentication. This way, if a provider was to go away, or you decided to change who you want as your trusted provider you simply make a single change on your identifier page. Simon does a good job to show that in his screencast. I highly recommend you check it out if you haven't already.

Thanks for visiting my blog. Have a happy holiday!

Posted by: Dana Epp at December 24, 2006 10:56 PM

Good point, although not true with respect to phpBB forums.

As the author of phpbb-openid, I assure you that phpBB 3.0 forums will all be OpenID consumers.

Posted by: Dmitry Shechtman at December 25, 2006 05:42 AM

So why doesn't your blog accept OpenID for comment authentication yet? :P

Your article is very insightful. OpenID consumption is too slow for my liking.

Posted by: Trevor Green at December 25, 2006 08:34 AM


Good point Trevor. Easy. MT does NOT have a default consumer for it. Which is part of my point :)

Built into 3.2 is a PROVIDER... but NOT a CONSUMER. It is possible of course to install 3rd party plugins, but the base master sources don't contain it.

Over at there is a good plugin for MT that I have been thinking of using. Just haven't gotten around to it.

Posted by: Dana Epp at December 25, 2006 09:44 AM


Great to hear phpBB v3 will support OpenID out of the box. Any idea when that is expected to be released?

Posted by: Dana Epp at December 25, 2006 09:48 AM

Your point about consuming OpenID authentication is well taken, but I think you might just be pointing to a more simple obstacle: It takes more work to accept the OpenID signin than to provide an ID, for most applications. And for those of us that make blogging tools, being a provider is a natural extension of providing URLs to all our users.

That being said, LiveJournal is already both a consumer and provider. MediaWiki does both services. The Movable Type plugins, bundled since version 3.2, do both services as well. (We'll need to improve the documentation so that you know what you can do with your blog.) And we'll be adding sign-in support on Vox as well. In fact, the primary use of OpenID on both Technorati and Magnolia is for sign-in, *not* for providing ID. So the momentum is there for both providing and consuming.

Posted by: Anil at December 25, 2006 01:29 PM

Hi Dana,

I think it is a case of everyone wanting to be the provider so that they have only to look at their database for auth, which is silly considering the decentralized design of OpenID.

Personally, I agree that I'd want to be my own provider and have my own 2FA used to allow me in to the sites I want to have secured access to - not have some external party of whose security I have no knowledge be the keeper of my keys. Remember how well Microsoft did this with their "Passport" project? :)

Then, were I or an employee to lose their identifier, we'd be able to issue a replacement that would immediately let them back in to their secured sites. In other words, I am in control of my own destiny, and others are just along for the ride - I sure know I wouldn't trust Verisign nor Microsoft nor the great majority of other companies with my security info.

Posted by: HiltonT at December 25, 2006 01:56 PM


Fair enough that it's easier to write a provider than a consumer. Perhaps that is something for the OpenID crew to think about.

Improving the MT docs would DEFINITELY be nice. I know of the plugins, and having clear steps on enabling it as a client would be nice.

For Technorati though... I would LOVE to know where the OpenID login is. I have looked everywhere in my account, and there is NO MENTION of OpenID consumption at all for existing users. Nor is there anything under their "login" or "Join" forms. If they are supporting OpenID, it's not very apparent.

I appreciate the comments. And I look forward to seeing more OpenID integration with MT from you guys in the future.

Posted by: Dana Epp at December 25, 2006 09:04 PM


Yep. That's exactly how I feel. As more sites provide access as a consumer to OpenID, it will be more and more critical that the trust of the provider be prevalent. And it's important that this trust be decoupled from the site(s). And since it is so trivial through authentication delegation to redirect where the authentication occurs... more and more trust HAS to be on the host of the claimed identifier. Poor ACLs and traditional defacement attacks all of a sudden become a practical attack vector to breach one's identity.

The chain of trust therefore becomes even more important, and needs to give the end user the power to control.

Posted by: Dana Epp at December 25, 2006 09:13 PM
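
The delegation setup from the post and the risk raised in the comment above (the identifier page's host becomes part of the trust chain) can be watched for with a drift check on the page's OpenID `<link>` tags. This is an added example, not code from the original post or from any OpenID library; it covers both the OpenID 1.1 and 2.0 `rel` names, and the hostnames, pinned values, function names and sample pages are constructed assumptions.

```python
from html.parser import HTMLParser

# rel values used for HTML-based discovery in OpenID 1.1 and 2.0
OPENID_RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}

class DelegationParser(HTMLParser):
    """Collect OpenID <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}  # rel -> set of href values seen

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
                if rel in OPENID_RELS:
                    self.found.setdefault(rel, set()).add(href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_identifier_page(html, pinned):
    """Compare the page's delegation links to the pinned values; [] means no drift."""
    parser = DelegationParser()
    parser.feed(html)
    findings = []
    for rel in sorted(set(parser.found) | set(pinned)):
        seen, want = parser.found.get(rel, set()), pinned.get(rel)
        if want is None:
            findings.append(f"unexpected {rel}: {sorted(seen)}")
        elif not seen:
            findings.append(f"missing {rel}")
        elif seen != {want}:
            findings.append(f"changed {rel}: {sorted(seen)}")
    return findings

# Constructed sample data (hypothetical hosts, not from the original post).
PINNED = {"openid.server": "https://sso.example.com/openid",
          "openid.delegate": "https://sso.example.com/id/user"}
CLEAN = ('<html><head><link rel="openid.server" href="https://sso.example.com/openid">'
         '<link rel="openid.delegate" href="https://sso.example.com/id/user"></head></html>')
TAMPERED = CLEAN.replace("https://sso.example.com/openid", "https://idp.other.example/openid")
if __name__ == "__main__":
    print(check_identifier_page(CLEAN, PINNED), check_identifier_page(TAMPERED, PINNED))
```

Run on a schedule against the live identifier page, any non-empty result means the delegation target no longer matches what the owner pinned and should be treated as a possible page compromise.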


I hate to disappoint you, but OpenID consumer support won't be out of the box (I'm not on the phpBB development team yet ;) and is an unofficial site).

However, I do hope to make it available before phpBB 3.0 ships.

Posted by: Dmitry Shechtman at December 27, 2006 07:05 AM