January 17, 2008
Stop it! Can we stop with everyone being OpenID providers, and start being more consumers?
So everyone is abuzz that Yahoo announced that it is now joining the OpenID craze. At the end of the month you will be able to visit openid.yahoo.com and set your Yahoo account to sign into other sites that support OpenID.
Sounds great. Anyone tried to use their OpenID from a different IdP to get into Yahoo? Ya, not so easy. Nor will it be expected to. How about AOL? Or Google? They all are fine being the IdP... but no one wants to trust the IdP I want to trust.
This is the problem with OpenID. Everyone wants to be the provider of the identity. No one wishes to consume it and trust someone else. Well, except for the smart guys over at 37Signals that use their OpenBar for single sign on.
We need more consumers.... not more providers. I talked about this back in 2006. Until we get more consumers going, OpenID will be on the cusp of being a geek thing.
And before I get nasty emails that will be routed to /dev/null.... numbers DO lie. Just because there are now going to be millions of OpenIDs thanks to AOL and Yahoo accounts means dick if they can't be used at each other's sites. Talk to me when I can use my favored IdP to log into both my Yahoo and Google accounts.
Posted by SilverStr at January 17, 2008 09:16 AM
My OpenID on Vladville will trust you if you ever try to post a comment :)
Until the recent spec revisions, OpenID was kinda scary. Even with it, I have the same concern you pointed out. Before I saw that Verisign's "lab test" site could be a provider, I was very skeptical about storing my personal data with anyone. Consumers are not going to be able to make intelligent choices where their personal data is stored, and Yahoo!, Google and AOL all have a mixed history w/r/t security and privacy.
What sites primarily accept OpenID? Web 2.0-ish sites. Which sites are more vulnerable to attacks? Web 2.0 sites.
I'm a huge fan and proponent of the new Web 2.0 / social web extravaganza, but serious work needs to be done on the coding-standards and security lifecycle in the apps, with "single sign on" taking (almost) center stage.
Who will we trust to care for the data we hold so dear?
My problem with OpenID is that it's basically the same as using the same logon and password everywhere. If my OpenID is ever compromised (in whatever manner you want to imagine) ALL those accounts are compromised.
Sure the current situation of multiple logons and passwords is more complex, but if you do it right, a compromise of one account doesn't affect any of your other accounts.
Two-factor OpenID systems help with this, but without them, it's a very insecure system.
Keep in mind that OpenID was designed with the authentication implementation intentionally open-ended. Two-factor, Kerberos, RADIUS, whatever -- it doesn't matter.
However, you're right that this means some OpenID providers may be considered less secure than other providers. You almost need a trust model to be laid across all of the providers to rate how trustworthy one source is over another...