Is OpenID The Way To Go?
It’s an interesting concept, but with recent developments, it may not be the way to go.
In case you didn’t already know, OpenID is a decentralized identity service. Basically it lets you login to any OpenID-capable site with the same credentials. Your login data isn’t tied to one huge corporation though (in theory). You register and OpenID with an “OpenID Provider”, basically a website that stores all your login credentials and processes requests from other sites. Anyone can become an OpenID Provider.
The major advantage of OpenID is you get one “username” (more of a URL) that you use on any OpenID-ready site.
One thing I’m not a huge fan of is the way you login to an OpenID-ready site. Registration couldn’t be simpler. Just hit register and provide your OpenID. You’ll be redirected to your OpenId Provider’s site, where you’ll have to give the new site permission to use your OpenID by entering a username and password. Can you guess how you login? You head over to your OpenID Provider’s website (like www.myopenid.com) and enter a username and password. Yournow logged in to OpenID. Now to login to an OpenID-capable site, just enter your OpenID URL (which looks like http://you.yourprovider.com). You’ll jump over to your Provider, where you’ll enter your password. Having entered the password, you’ll bounce back to the page you where on previously, now logged in. The major advantage of OpenID is you get one “username” (more of a URL) that you use on any OpenID-ready site. Personally I think the whole process is a little clumsy and needs work. It’s an interesting concept, though.
What are these “recent developments” that make OpenID less of a good idea?
- AOL has an OpenID tied to every account.
- Microsoft is doing the same as AOL.
- Microsoft is trying to “integrate OpenId into Vista” (uh oh).
Those huge corporations will likely try to take the Open out of OpenID. They will struggle to become the largest Provider, and etc etc. Microsoft is trying to “integrate OpenID into Vista”? That can’t be good.
Let me point something out. If someone gets your OpenID password, they instantly have access to every OpenID-ready site you use. “Oooh, a credit card number.”? You don’t want that to happen, do you? OpenID must not be used with sites that store credit card numbers. OpenID makes it easier for crackers to get access to your stuff. All they need to do is get login data from one site, and they have access to everything. If Microsoft is integrating OpenID into Vista (probably with a patch or Service Pack), then we can assume that Vista will be storing your OpenId URL and password so that it can log you in easier. Does that sound like a good idea to you? Given Microsoft’s reputation for security…
If someone gets your OpenID password, they instantly have access to every OpenID-ready site you use.
But having huge corporations “getting into the OpenID business” isn’t good. It all helps them in their quest to conquer the internet. So these companies will have control of the systems that let people log in to tons of sites on the web. They could block sites, for example. Say AOL doesn’t want you to use a site that competes with one of their services, they just stop their OpenID’s from contacting the sites servers and… Do you get the message? These companies will do anything to totally rules the web. Look at Yahoo. They’re buying sites up and integrating them into their main site (Del.icio.us, Flickr, etc). I’m guessing they’ll be an OpenID provider soon. Have you heard of “Yahoo Brand Universe”? Basically they’re trying to take on fan sites like The Leaky Cauldron, or other somewhat smaller sites (Leaky isn’t that small. They get over 100,000 unique users a day). Here’s an article about Brand Universe. Sounds like they want to take over the web, doesn’t it? They want to attempt to put fan sites out of business. It’s to late to do that to Harry Potter, though. Fan sites like Leaky Cauldron and Mugglenet have huge followings, then there are smaller fan sites fitting into Harry Potter niche markets (like The Site of Requirement).
If AOL, MSN, and possibly Yahoo are OpenID providers, what’s to stop them from buying up the smaller providers in their attempts to become the biggest provider? Nothing.
If AOL, MSN, and possibly Yahoo are OpenID providers, what’s to stop them from buying up the smaller providers in their attempts to become the biggest provider? Nothing. If AOL said they’d pay you $3 million for your OpenID-providing site, you’d have a lot of trouble resisting that much money, wouldn’t you. It will happen.
That’s why I’m not a huge OpenID fan. I like the concept, but it’s going to blow up in everyone’s face. That’s why I’m taking a different approach in NTugo, a new site I’m working on. I’m thinking of having OpenId’s working in tandem with NTugo Accounts, so you’ll be able to login with a username and password or an OpenID. An NTugo Account will optionally have an OpenID tied to it so you can login either way. Suppose one of those corporate OpenID’ers decides to block OpenID logins to NTugo (supposing NTugo got big enough for it to matter). A user could just login with a username and password instead. If they still want to use OpenID with NTugo, they could proceed to their profile page and bind an OpenId from a different provider to the NTugo account. Good idea, or what?
Hmmm. Maybe go and see what you have to do to become an OpenId provider….
Originally posted on April 3, 2007 on my old blog.