OpenID Fan Club Is Shrinking 333

Posted by timothy
from the and-watch-that-basket-carefully dept.
A.B. VerHausen writes "Even though there's a whole new Web site devoted to understanding and using OpenID, some companies are dropping the login method altogether. OStatic is reporting that the 'free Web site network Wetpaint announced recently that it will no longer support OpenID as a login option for its wiki, citing low usage and high support costs as reasons.' Apparently, fewer than 200 registered users bothered with OpenID, and the extra QA and development time doesn't make it worthwhile to support. This can't come as welcome news on top of the internal issues the article mentions the OpenID Foundation is having now, too." I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years, but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...
  • by wealthychef (584778) on Wednesday January 07, 2009 @05:23PM (#26363493)
    Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password. No OpenID required, just the Mac Keychain.
    • by Stile 65 (722451)

      Password Safe is an open-source program that I use. It's pretty nice.

      • Re: (Score:3, Interesting)

        by Tikkun (992269)
        Password Safe (on Windows) + Password Gorilla (on Linux) + rsync over ssh to sync the password database works quite well for me. If you have a decent router (wrt54g with Tomato firmware, for example) you can easily set up and use dyndns to get to home security regardless of what network you're connecting from.

        I have a bunch of random 16-64 character passwords (depending on what the site will let me use) that involve upper and lower case letters, numbers and symbols, and I don't need to remember them all (j
        • Re: (Score:3, Insightful)

          by coaxial (28297)

          Just use Password Gorilla everywhere since it's available on Mac, Linux, and Win32. That's what I have. But in all honesty, I don't really use it. It's frankly too much of a pain to fire up another program, log in, search, copy and paste the login and password, and then close the program. So what do I use? Unencrypted plain text files named after domains, all stored in a handy directory named dont_look_here.

          Seriously.

      • by davester666 (731373) on Wednesday January 07, 2009 @06:26PM (#26364485) Journal

        It's because everybody wants to be a provider (so they get all your valuable information from you, as well as your surfing habits from other web sites that use OpenID when you sign on using your ID), but pretty much nobody wants to just accept an OpenID login (as they wind up just sending valuable information to another company with no direct benefit to themselves [and they could care less about the customer's convenience]).

    • Similarly, KDE has something like this called KWallet. I use it quite a bit (well, it kind of forces itself on you), but I've been pretty happy with the result...one password to rule them all.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password. No OpenID required, just the Mac Keychain.

      This works well if you're always logging in to websites from YOUR computer... won't OpenID mean users can log in to websites from anywhere (work, friend's house) and only have to remember the one user/pass pair?

    • Then when you go to a friend's house all you have to do is boot up their computer and...

      oh wait...
    • by vivek7006 (585218)

      There is a Firefox add-on developed by some guy at Stanford University. It is called pwdhash. I have been using it for over a year now, and find it incredibly useful.

    • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Wednesday January 07, 2009 @06:21PM (#26364401) Homepage Journal

      Rather than trust an external site with all my security, I use a tool called 1Password for Macintosh (there is a similar tool for Windows) that secures my passwords in one place and protects them with a single master password.

      Rather than trust an external site with my security, I use OpenID on my home server that secures my single password in one place and never distributes any of my login information to other servers.

      • by GooberToo (74388) on Wednesday January 07, 2009 @07:30PM (#26365409)

        And this is exactly why OpenID never caught on. You implemented it the only way it makes sense. For the vast majority of people this is too much. For companies requiring a login, they garner no information about who is visiting their site so they have no incentive.

        The combination of the two means no one wants to accept OpenID and it is too painful to truly use securely. Whereby securely means, no user information released.

    • Re: (Score:3, Insightful)

      by ceejayoz (567949)

      That's by no means a solution, as it ignores entirely the main reason for OpenID - avoiding registration.

  • by marhar (66825) on Wednesday January 07, 2009 @05:30PM (#26363629) Homepage
    Stack Overflow [stackoverflow.com] took an interesting approach, and only uses OpenID. They don't even have a non-OpenID option. Proprietor Jeff Atwood discusses some of the tradeoffs at his blog [codinghorror.com].
    • Re: (Score:3, Interesting)

      by caramelcarrot (778148)
      Writing student run websites inside a University with its own public centralized-login system is pretty fantastic. I don't have to worry about getting people to sign up for just that small service, I can establish identity reliably and identities are transferable between projects (say, populating a dinner event signup with information from LDAP, or pulling up our own photos of students for admin purposes). I realize that for most of the applications mentioned, reliable identity is a feature not offered by
    • by Dan667 (564390)
      The problem I have with this is that instead of just using a login and password, you are redirected to an openid login page and then back to stackoverflow. This is more work for not a whole lot of gain. I don't like it and I don't have a good memory to remember my password so I would consider myself to be openid's target audience.
    • by Blakey Rat (99501) on Wednesday January 07, 2009 @05:57PM (#26364017)

      Yeah, and it demonstrates the flaws of OpenID quite well, too. The number one feature request for the site, since it opened to the public, was to add a way of "moving" your OpenID to another provider since many OpenID providers are completely unreliable. Instead of fulfilling this feature request, some users recommended creating an OpenID "delegate," which basically means setting up your own website which can switch between different OpenIDs. This process, needless to say, is not only extremely complicated and technical, but requires you own a webserver.

      They've added in a "feature" where you can add a second OpenID (and have two entirely different logins for a single account! Usability/security nightmare!) Of course, that doesn't help people in the vastly most common case: when their OpenID provider craps out, and they haven't had the foresight to add a "backup" OpenID.

      The usability of OpenID is also extremely poor. It took me several tries to get a Yahoo OpenID working. After finding out that the URL example given by StackOverflow's login page was completely wrong, and also discovering that Yahoo keeps OpenID turned off by default until you request it be turned on, my actual OpenID turned out to be something like: my.yahoo.com/asaij223dsdh2q45acsh421qi32h (I don't remember it exactly, it was a giant impossible-to-memorize string.)

      Unfortunately, while the site now allows you to move your OpenID and made some other improvements, they still haven't added an option to just eschew OpenID altogether in favor of a simple username/password combo, so I just don't use the site at all. (Rather, I'll use the site, but not any features that require a login.) StackOverflow is free, so they don't care about ad revenue, but I'm sure curious how many users their crappy OpenID requirement is driving away.

      Sure, Microsoft sucks and we all hate them, etc, etc, but at least their Passport/LiveID system actually freakin' WORKS. So far I've had nothing but problems from OpenID.

      • by gbjbaanb (229885)

        Talk about cutting off your nose to spite your face. If you got yourself an OpenID (from a decent provider, not crappy old Yahoo) then you'd have no problems with it - like I, and many thousand other users on SO do.

        I think it would work better if Jeff provided his own OpenID provider, even if it was just a rebranded MyOpenID one [janrain.com], that would solve one "issue" people have (where they go to a different site to sign up) as it would appear to them that they'd never left SO.

        the issue of moving OpenID is another o

        • by Blakey Rat (99501) on Wednesday January 07, 2009 @06:23PM (#26364433)

          Yes, but the difference is that Passport has worked reliably for years and years now... 10 years, if I'm remembering correctly... and I've yet to flawlessly log in to anything using OpenID even once.

          I have to admit, that after typing that post I went back to StackOverflow and they've actually fixed their faulty instructions for how to enter Yahoo IDs. (It used to read: my.yahoo.com/username which never worked, AFAIK. Now it just says to use www.yahoo.com and have Yahoo ask your username, which does appear to work.)

          But look at it this way, availability-wise:

          If you use OpenID with a delegate, you're dependent on your own web server working, at least one of your OpenID providers working, and StackOverflow working.
          If you use OpenID with no delegate, you're dependent on your OpenID provider working, and StackOverflow working.
          If they use Passport, they're dependent on Passport.com and StackOverflow.com both being working.

          If StackOverflow had their own login, you only have one dependency: itself. Clearly this is the best option if you want to optimize for availability.

          And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology. OpenID is too crappy to succeed on its own merits, so now we have website "activists" trying to force its use... that's crummy.

          • by metamatic (202216)

            And what really makes me bitter here is that the goal isn't to make their website easier or quicker or more available to use, it's just a political campaign to increase the number of people who use some crappy, poorly-designed, technology.

            On the contrary, having to register yet another unique login/password in order to use a web site is a major usability problem.

            Checking my password management application, I see that I now have 434 different sets of login/password credentials. As you might guess, this makes

            • by Kent Recal (714863) on Wednesday January 07, 2009 @09:17PM (#26366671)

              If you have a better solution, I'd like to know what it is.

              Well, I can offer the obvious solution.

              Put authentication in the browser. Oh my god, what a novel idea!
              Have the user enter his password once, at the beginning of the session, and create a unique token for each site from that.
              Submit that token along with every request, in a HTTP-header.

              No login required ever. Sites can distinguish users by their tokens (even when they're not "logged in") and a registration merely consists of connecting a token to whatever metadata (a username, address, whatever the user wants to give out to a particular site).

              Paranoid users could choose to suppress the token by default and only start submitting it when they hit the "Login" button on their browser chrome - without typing in a username or password ever.

              Better yet, add a bit of cryptographic trickery and these tokens can easily be revocable, updateable etc. for the cases where a password is stolen or "lost". And of course browsers could easily store multiple "identities" and provide a dropdown to switch between them on the fly.

              It's not rocket science, really. The whole system could be designed and spec'ed out over a weekend and would work better than anything that we had before. No third parties involved and everybody (even the data collectors) happy.

              Problem? Oh, right. Getting it into the mainstream browsers... Well, give it another 20 years.
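The per-site token scheme sketched in the comment above (and the pwdhash idea mentioned earlier in the thread) as an added, runnable sketch; this is example code written for this page, not code from any browser, from pwdhash, or from the commenter. It assumes a constructed profile salt and the hypothetical header name `X-Site-Token`, binds each token to the site origin (so a lookalike host gets a different token) and uses a generation counter for the revocation the comment mentions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed, fixed salt standing in for a random per-browser-profile salt.
PROFILE_SALT = bytes.fromhex("5f3e2d1c0b0a99887766554433221100")


def master_key(password: str, salt: bytes = PROFILE_SALT, iterations: int = 100_000) -> bytes:
    """Stretch the master password once, at the start of the browser session."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def canonical_origin(url: str) -> str:
    """Reduce a URL to scheme://host:port; the token is bound to nothing else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def site_token(mk: bytes, url: str, generation: int = 0) -> str:
    """Derive the bearer token for one origin.

    HMAC keyed with the master key is the PRF; the origin and a generation
    counter go into the message, so a lookalike host yields a different token
    and bumping `generation` retires the old token without a new password.
    """
    info = (b"site-token\x00" + canonical_origin(url).encode("utf-8")
            + b"\x00" + generation.to_bytes(4, "big"))
    return hmac.new(mk, info, hashlib.sha256).hexdigest()


def auth_headers(mk: bytes, url: str, generation: int = 0, send: bool = True) -> dict:
    """Headers the browser would attach; send=False models the opt-in mode."""
    return {"X-Site-Token": site_token(mk, url, generation)} if send else {}


class SiteAccounts:
    """Relying-site side: maps a hash of the token to a profile.

    The site never stores the raw token, so a leaked user table does not
    hand anyone a replayable credential for that site.
    """

    def __init__(self) -> None:
        self._accounts: dict = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def register(self, headers: dict, profile: dict) -> None:
        """Registration is just attaching metadata to a token."""
        self._accounts[self._key(headers["X-Site-Token"])] = profile

    def identify(self, headers: dict):
        """Return the profile for the presented token, or None if unknown."""
        token = headers.get("X-Site-Token")
        return self._accounts.get(self._key(token)) if token else None


def demo() -> dict:
    """Walk through the scheme with constructed inputs and return the checks."""
    mk = master_key("correct horse battery staple")   # constructed password
    site = "https://example.org/login"
    lookalike = "https://examp1e.org/login"            # constructed lookalike host
    other = "https://example.net/"

    forum = SiteAccounts()
    forum.register(auth_headers(mk, site), {"name": "alice"})

    return {
        "recognised": forum.identify(auth_headers(mk, site)) == {"name": "alice"},
        "lookalike_rejected": forum.identify(auth_headers(mk, lookalike)) is None,
        "tokens_differ_per_site": site_token(mk, site) != site_token(mk, other),
        "path_ignored": site_token(mk, site) == site_token(mk, "https://example.org/other"),
        "rotated_after_revoke": forum.identify(auth_headers(mk, site, generation=1)) is None,
        "suppressed_is_anonymous": forum.identify(auth_headers(mk, site, send=False)) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```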

  • It is not supported (Score:3, Informative)

    by butlerdi (705651) on Wednesday January 07, 2009 @05:32PM (#26363667)
    It would help if the players actually had spent any effort to make it work. Try using Verisign's site and it is horrible. It times out when validating. The others, while rich in graphics, are no better; nothing to see here .....
    • Effort was never the issue. The issues are:

      a) Selfishness. Too many sites allow you to use their database to log into others, but not use others to log into theirs. Seems the big players want to be the ones owning your data, just like MS tried to own logins with its system... whatever that was called.

      b) What does OpenID actually gain you? You still have to enter login details. It's just a URL instead of a username. Others have said this above too, but what's needed is something like a wallet: infocard

    • Re: (Score:3, Informative)

      by Randle_Revar (229304)

      MyOpenID works very well. The few times I have had a failure to login, the problem was on the client web site's end.

  • OpenID still exists? (Score:4, Informative)

    by jandrese (485) <kensama@vt.edu> on Wednesday January 07, 2009 @05:34PM (#26363695) Homepage Journal
    I remember when this came out. I thought to myself "I'll sign up when I run into a website that needs it." Except for this article, that was the last I'd ever heard of it. I'm amazed it is still around.
    • by Chabo (880571)
      I have my Sourceforge and Blogger accounts linked up with OpenID; those are pretty mainstream sites...
  • by pondermaster (1445839) on Wednesday January 07, 2009 @05:34PM (#26363701)
    "I've actually been quite happy with OpenID, since I have spawned far too many username/password pairs over the last 20-plus years" What's wrong with Administrator/admin everywhere? In fact, it works so great that entire Windows networks are known to use it. No problems reported so far.
  • by WiiVault (1039946) on Wednesday January 07, 2009 @05:37PM (#26363753)
    I am not a user so YMMV, but I personally don't like all my eggs in one basket. I use different logins and passwords on most of the sites I visit. I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site. Centralized is great for some things, but I simply don't trust any company to be as tight with their security as I am with my own. To them a breach is a "whoops, sorry!" to me it could be personally and financially devastating.
    • by Aladrin (926209) on Wednesday January 07, 2009 @05:45PM (#26363867)

      The idea behind OpenID is that the forum never has your login credentials, they just have the promise of some OpenID server that you are really you. They can never use the information they obtain to log into any other service you use with that login.

      You still have to trust that OpenID server with all of your logins, but it's not like you trust every tiny site with them.

      Having said that, very few sites I use will take OpenID, and some are providers only... Which is absolutely worthless. I'm waiting for something worthwhile to happen before I jump in, and I bet a lot of other people are, too.

      • by LingNoi (1066278) on Wednesday January 07, 2009 @05:53PM (#26363957)

        The idea is dumb, it does put your eggs all in one basket because once someone has your login credentials they have your whole online identity.

        If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit and people would think I am him because I am using his openID identity.

        That's what is so damaging about it. Not only does it give a black hat login access to your personal information all over the internet, but it also allows you to create new information under the guise of someone else potentially ruining a person's life.

        • by roemcke (612429) on Wednesday January 07, 2009 @06:07PM (#26364151)
          You already have all your eggs in one basket. Virtually all online sites will send you new passwords by e-mail if you forget them. If your e-mail account gets compromised, an attacker can request and intercept new passwords for any online site he wants to access.
          • by LingNoi (1066278)

            To say it is the same thing is a complete stretch. It simply isn't because an attacker would have to data mine the passwords.

            Also, (and this is the most important thing) if the attacker changes your email password it doesn't lock you out of every website you have an account on.

          • Unless the attacker deletes the recovery emails before you get to them, you'd notice somebody requesting a bunch of password resets. Ditto for signup requests.

            With open-id, if you have RMS's Magic URL, you can pretty much go hog-wild as him without ever being noticed. Anything that takes an Open ID URL is something you can sign up for and probably do your bidding un-noticed.

        • by cstdenis (1118589)

          Doesn't matter for the majority of people who already use the same password on all sites they use.

          • by LingNoi (1066278)

            It does if you have one usr/pass which locks you out of every website you visit on the internet.

        • by gilgongo (57446)

          If I found out Richard Stallman's openID usr/pass I could create an account on slashdot and post shit

          Sigh. You can string out infinite "what if's" as long as the first "if" is big enough. What IF you found out his online BANKING login? What if he left his front door open and you snuck in and hid in his toilet and then jumped out when he came in and covered him in shaving foam? Eh? Eh? He'd be such a dork! W00t!

          You're attacking OpenID on a facile premise.

          • by LingNoi (1066278)

            So you basically have no response to this? Do you seriously think that it's impossible to get a usr/pass via the internet? I can think of a number of ways of getting openID information, especially if I happen to be logging in to a public terminal.

            It's a big issue and you shrug it off like it's no big deal. This is one of the reasons why openID is unpopular: the unwillingness to face the reality of what a one user/password system brings.

    • Whoosh - the concept of OpenID passes right over your head, and the head of those who modded you insightful.

      Please look into it then explain how a security breach on some forum you post to can lead to someone cracking your openID security and thus having access to your email or 'credit cards site' (whatever that is).

      Note also that OpenID does not mandate that you put all your eggs into one basket, and I wouldn't personally use the same login system for banking and other sites no matter what login system it

    • I am not a user so

      You're a user of slashdot. Do you have logins on other sites too?

      but I personally don't like all my eggs in one basket.

      Your current situation: one egg per basket. With OpenId: you decide how many baskets. Could be one, could be two, or many.

      I hardly want a security breach on some forum I post to to be able to have access to my email or credit cards site.

      You do not understand OpenId. Then again, you do not understand "user".

  • I Wonder Why... (Score:5, Interesting)

    by bradgoodman (964302) on Wednesday January 07, 2009 @05:37PM (#26363757) Homepage
    Shrinking support? I wonder why...

    Hmmmm...

    I checked out the "Explaining OpenID" web site referenced in the article, and it didn't make a whole lot of sense.

    It did tell me that my OpenID is: www.google.com/o8/id

    I undoubtedly will not remember that, nor do I believe it is even accurate.

    I then read how I could integrate it into my own web site - and despite doing a ton of web development and XML stuff, had no idea what they were talking about - at either a high or low level.

    In conclusion - if they want to get users and developers on board with OpenID, they're going to have to do a hell of a better job. Either that, or I'm just too stupid to understand their "OpenID for Dummies" web site.

    Now I'm of course just an engineer and developer - I'm sure users like my parents, grandparents and kids would understand this stuff much better.

    • Re:I Wonder Why... (Score:4, Insightful)

      by truthsearch (249536) on Wednesday January 07, 2009 @05:51PM (#26363927) Homepage Journal

      The popular library for PHP [openidenabled.com] is poorly documented. The API has each function documented (phpdoc), but nothing to actually get you started using the API. When we needed to do something other than the rudimentary sample code, it turned into a huge hassle. The API seems far more complicated than it needs to be.

      Developers aren't going to adopt it much if they have to keep re-implementing the standard from scratch. OpenID needs to publish a well documented API for each popular language that might need it. That'll get the ball rolling faster.

    • by NereusRen (811533)

      Dead on.

      I've looked into OpenID multiple times before, and each time wandered around in a maze of terminology and things that didn't make any sense to me until I gave up.

      I'm sure it's better overall than the current system of username/password pairs, but it's just not better enough. Pretty much any complaint about the current system can be solved in a way that doesn't depend on anyone else implementing or supporting it, and which is less complex than OpenID. If there were compelling enough advantages to usi

    • Re: (Score:3, Informative)

      by Main Gauche (881147)

      I checked out the "Explaining OpenID" web site referenced in the article, and it didn't make a whole lot of sense.

      Agree 100%. After wasting time plowing through the same front page you read, I finally found the five minute video [openidexplained.com] (!) that makes me think this works similarly to Google Checkout: When you want to log in to site X, you are redirected to an OpenID site, and enter your single password there; then site X is told that it's really you.

      I got none of that from the front page.

    • by gilgongo (57446)

      Shrinking support? I wonder why...

      Hmmmm...

      I checked out the "Explaining OpenID" web site referenced in the article, and it didn't make a whole lot of sense.

      I'm actually a huge supporter of OpenID, but I have to say I think you're mainly right.

      For whatever reason, OpenID (indeed even single sign-on) is fundamentally not a trivial thing to grasp. The idea of one system, one account is so deeply ingrained in people's minds, it's going to be very hard to shift that. A bit like public key encryption as well, I would say.

  • by phantomcircuit (938963) on Wednesday January 07, 2009 @05:42PM (#26363819) Homepage
    Do you see OpenID anywhere on the front page to Facebook [facebook.com]?

    There's your problem, people don't know that OpenID even exists.
    • by hedwards (940851)

      The fact that one site is considered that important is far worse than any openid breach could possibly be. It doesn't matter whether it's myspace, facebook, or the future thing dikfore, it's not good to equate one site to the internet.

      The fact that people at that site don't see it isn't a good reason to suggest that it's unknown by the masses. It's the fact that a large number of sites don't use it and display it prominently.

      • My point is two fold.
        • Few important sites are OpenID consumers, i.e. you can't log in using only an OpenID URL.
        • Of the few sites which you can log in to using only an OpenID URL, not one that I have seen has the option prominently displayed.
  • overengineered (Score:3, Interesting)

    by Lord Ender (156273) on Wednesday January 07, 2009 @05:51PM (#26363923) Homepage

    Why make things complicated? Just use X.509.

    Just have GETs to "http://anyserver.com/id/Lord Ender" return a certificate (public key) issued to, literally "http://anyserver.com/id/Lord Ender".

    I would then have the certificate/keypair installed in my browser. It doesn't matter who it is signed by - it can be self-signed.

    When I sign in to a website, I put "http://anyserver.com/id/Lord Ender" as my ID. The website then fetches my certificate from anyserver.com and asks my browser to prove I'm me using the built-in features of SSL. From then on, the web site will know me as "Lord Ender of anyserver.com".

    It doesn't get any simpler or easier to implement.

    • A lot of sites just use an email address as userid, then generate their own passwords rather than letting the user choose. People generally know their email address, and mailing the password to the address is secure enough for many applications.
      • by hedwards (940851)

        But only if you don't care about password reset exploits or the fact that this information is sent via clear text through the tubes.

    • by nschubach (922175)

      How does the site know your machine is tied to that public key?

      You'd have to have the browser or a local app upload a public key from your machine to the anyserver.com account, right? If your public key changed, or you tried to log into the same site from a friend's house or work... how would you verify that your ID belongs to you? Log into a local app that updates the public key? (or log into the public key hosting server) That's the only way I see that it would work.

    • Yeah, look at the FOAF+SSL discussion, for example.

      What needs to happen is to make it far easier for people to generate and add their own client certificates to browsers, as well as get them signed by each other.

  • Not a login system (Score:2, Insightful)

    by Anonymous Coward

    It might also have to do with the fact that OpenID was never supposed to be a general login system. At its bones, it's a homepage/URL verification protocol for the blogging community. And it's constrained to that, because URLs (no matter how shortened) are not *common*-user-friendly.

  • by Anonymous Coward on Wednesday January 07, 2009 @05:58PM (#26364039)

    but it's a major chicken-and-egg problem. Hopefully someone out there will build a better mousetrap ...

    If it's a chicken-and-egg problem, wouldn't it be better to build a chicken trap, with egg catcher?

  • by pvera (250260) <pedro.vera@gmail.com> on Wednesday January 07, 2009 @05:59PM (#26364051) Homepage Journal

    I am a web developer by trade, and so far one of the most infuriating things that I have to deal with on a weekly basis is that my customers simply can't bring themselves to care enough to remember their admin logins. Every week I have to unlock a handful of administrators. It doesn't matter if I provided them with a proper password rescue option, it is simply too much for them.

    The second big problem is that we have multiple branches of certain products running at the same time, so at any given time one of my customers may have to log into her production, staging or 2-3 development servers, each with its own username and password.

    We are a .net shop, so my original idea was to use the new membership and role providers and remove the login mechanism from all sites from a given customer. This works, but it is hard to get all sites in line since there is always something else going on that is more important. They still screw it up, but at least they only have to remember one username and password that works at the same level (production, staging, dev, etc.).

    When I heard about OpenID I tried to see if I could implement it in any of our sites that use .net 2.0-style security. I was glad to see that somebody already had thought of this, and I found a ready to run library with a very nice login control for .net that uses OpenID.

    It wasn't easy, but it was interesting, and within 10 or so hours invested I had:

    1. A .net web app that used ANY OpenID instead of the built-in aspnet_* tables hierarchy.
    2. A recovery page. You type your email address and it emails you a list of any OpenIDs in the system that match that email address.
    3. A self-registration page. If you arrive at the web app, and you authenticate through OpenID successfully, and you don't have a local profile, it asks you to fill a quick form.
    4. Security roles are used just like any standard .net app that uses the SQL membership/role providers.

    The beauty of it is that I can even run my own OpenID server for my customers. All they would need to remember is that they login by typing a URL like:

    userid.ouropenidserver.com

    and it would do the rest for them.

    One customer, three projects, three environments per project, that's nine login/password pairs that I am expecting them to remember. Instead all they need to remember is the URL and the password. If they lock themselves out, all they need to remember is the email address used to register, which emails them their OpenID URL. If they forget their password, that is handled at the OpenID provider level, not at the end user application.

    Even if nobody else in the world uses it, to me it clearly means that I can spend more of my customer's money in building new things instead of on troubleshooting and damage control (even if the two figures are identical, customers will bitch more about paying for repairs than paying for work that can be recognized as new). And it is an easy concept, if they have a Google or AOL account, they already have an OpenID.

  • I don't really like OpenID. I have a lot of email accounts that are separate for a reason. It annoys me when I go to a random site, and one of them is pre-entered into a login box.

    I use KeePass [keepass.info] to manage usernames/passwords. Having a single ID/password isn't any more convenient.

    • by gilgongo (57446)

      Good for you. You obviously are able to manage large numbers of logins safely and efficiently. OpenID is not for you.

      My mother, on the other hand, has a list of ALL her site login details (currently about 15 and rising) written out and stuck to the side of her PC.

      Sure - she must not be allowed to use OpenID for sites like Zopa, Amazon or her bank, but gardening and cooking sites do not deserve to screw up her life with password management.

  • by grumbel (592662) <grumbel@gmx.de> on Wednesday January 07, 2009 @06:05PM (#26364129) Homepage

    Authentication on the web is kind of messy and annoying, but OpenID is so too. It just doesn't feel right to be pushed from one server to the next to do authentication, since it leaves the door wide open to phishing attacks. Also, using URLs for authentication just looks ugly.

    I personally would prefer something that works on the client side and not on some other third server, i.e. store a GPG public key in your browser and have the browser use that to automatically sign blog posts or whatever to authenticate you. To stop spam one could have third parties sign the GPG key to create a web of trust kind of thing.

    So you would have a reusable secure token you use for authentication on all pages, instead of having to come up with new passwords all the time. And it would also keep the third party out of the picture, since the token remains only on your client and never leaves it.

    • So I'd have to remember an entire RSA key?

      Oh no, I just have to carry a flash drive with me at all times?

      No thanks.

      Anyways that already exists, https can require client certificates.

      • by grumbel (592662)

        Nothing would stop a page from providing classic username/password in addition or have a third party service that manages your keys if you like. The point is that most of the time I log in to a webpage from the very same set of machines and it's just idiotic to make up random passwords for each site and have to manually carry them from one machine to the next, when a single secure token would be much more secure and easier to use.

        • Nothing would stop a page from providing classic username/password in addition

          The same applies to OpenID

          have a third party service that manages your keys if you like

          How is this any better than OpenID?

          when a single secure token would be much more secure and easier to use

          A single cryptographic key would be cumbersome, even in comparison to 15+ passwords. A physical token? For junk sites? I don't think so.

          • by grumbel (592662)

            How is this any better than OpenID?

            It wouldn't, which is why it would be a fallback or alternative, not the main way to do authentication.

            A physical token? For junk sites? I don't think so.

            It's not a physical token, it's a file you store somewhere on your computer/mobile/netbook. You already do a very similar thing with cookie.txt, does that bother you too?

    • It just doesn't feel right to be pushed from one server to the next to do authentication, since it leaves the door wide open to phishing attacks.

      When the authentication server is your home server, you can pretty well guard against phishing.

      Also using a URL for authentication just looks ugly.

      Uglier than an email address? Not inherently, no. You're just used to seeing one and not the other.

      • by grumbel (592662)

        When the authentication server is your home server, you can pretty well guard against phishing.

        Kind of, but most of the public would never do that and be wide open to phishing. Authentication should be secure by default, not by fixing it with duct tape yourself on your home box.

        Uglier than an email address? Not inherently, no. You're just used to seeing one and not the other.

        An email address at least is 'pure', since much of the dispatching is done in the MX record, hidden away from the user, with OpenID you often get lengthy ugly URLs, because providers just slap it onto their service. Which brings me to another point, OpenID should have used email instead of URLs. Your email account today is

        • It would have allowed a service to easily migrate its existing userbase to OpenID.

          1) Legacy user logs in.
          2) System has their email on file and checks to see if that email address now supports OpenID.
          3) If the email address now supports OpenID, the website can offer to migrate the user to OpenID.

          The big "flaw" in my idea is if the user already exists in the system, why the hell would you want to migrate them to OpenID anyway? Why not just let them use the email address for a login and authenticate local

      • When the authentication server is your home server, you can pretty well guard against phishing.

        Not always. They know your home server, presumably, and as such could, without too much effort, duplicate the look of it--which is enough to fool a depressingly large percentage of people.

  • ...then you've probably already figured out another solution. Looking at the OpenID Explained site, I see a bunch of explanation of why it's useful. "You choose how much web sites get to see about you." I already have a solution to this. If it's a site I don't trust, I use a disposable Yahoo email account. "Won't bother you for the same information over and over again." Not a big deal. I have about 100 username-password pairs in an encrypted file. This is how many I've collected over roughly a decade. Enter
    • by frisket (149522)

      ..."Whenever someone sees your OpenID in use, anywhere on the Internet, they'll know that it's you." To me, this seems like a bug, not a feature...

      That misses the point. This way when a programmer from my fave pr0n site sees my OpenID in the credit-card records she's just cracked open, or (worse) someone browsing rec.editors.vi sees my OpenID posting in gnu.emacs.sources, they'll just know it's really me

      I'll stick to remembering usernames and passwords with the aid of my keychain, thanks.

  • Truth be told, the only way OpenID will gain traction is if someone like Google takes it over or implements it (merges it) with Google accounts. Something many people have already signed up for. This is what Google did with other services they had going.

    Personally I use disposable email sites like mailinator.com and Roboform to just register once, then save the password. Then all you do is have to click a button and you can backup your passwords and never have to worry about forgetting a password again.

  • On my site http://crowdnews.eu/ [crowdnews.eu] 100% of the sign ups are by OpenID. But that's because it is the only option.

    If OpenID is the only option for login it does simplify the database structure for your site. But the code becomes more complex.

    Also there are some bugs in the OpenID 2.0 specs which make it unsafe and costly.

    Also I feel that OpenID is missing support for online shopping.

    I have often felt that there should be an easier way to supply all the info they ask for when you buy something online. Also postal address is

    • by LingNoi (1066278)

      On my site http://crowdnews.eu/ [crowdnews.eu] 100% of the sign ups are by OpenID.

      I looked at your website and it has fewer than 20 users, no wonder it's 100%.

    • by Blakey Rat (99501)

      Out of curiosity, have you done a survey to find out how many visitors to your site *aren't* logging in because of the OpenID requirement? I was just wondering this about StackOverflow in another post in this thread (they also require OpenID to log in.)

  • AOL has had this for years. If you have an AOL ID you can see it at http://my.screenname.aol.com./ [screenname.aol.com] It's essentially "kerberos for the web". Unfortunately (a) it's a bear to get working (on the apache side), (b) is only used by their partners, and (c) forces you to use your AOL login. But other than that it's pretty nifty - if only they would open source it.

  • I call bullshit. The person who submitted this article cites a single web site that has dropped OpenID support and then proclaims the conclusion that "OpenID Fan Club is Shrinking." Sorry, but I won't believe that OpenID is dying unless Netcraft confirms it :)

    Seriously though, OpenID is doing fine. They could stand to have some better marketing, though. I think that nearly everyone would use OpenID if they only knew it existed.

    • I wouldn't.

      -The APIs suck. (Not the .NET one so much, but I prefer PHP for my web development. And that one is fucking atrocious.)

      -I want to use a different password and username everywhere. I don't necessarily want somebody on Ars Technica, for example, being able to go "hey, that guy's the same guy I saw on Slashdot!".

      -I use a different password for every account I possess and save them in an encrypted password file, along with my browser; I enter a password maybe once a week, and if one's compromised, no

      • by styrotech (136124)

        -I want to use a different password and username everywhere. I don't necessarily want somebody on Ars Technica, for example, being able to go "hey, that guy's the same guy I saw on Slashdot!".

        Minor correction:

        An OpenID isn't a user account - it's an identity that can be associated with a user account and you can even associate multiple identities with an account if you want.

        So even with the same OpenID, you can still have different user account names on Slashdot and Ars with nobody knowing they are connected.

  • I didn't see this explained on that web page. Why should my web site use OpenID?

    As a user of websites, I also see this as a big problem. How do I get all those various username/password pairs I already have on a few hundred websites tied into OpenID? I do not want to give up the names I have. And to complicate things a bit more, I have more than one on a few of them. How is that handled? And what happens when I visit a new website somewhere and want to be known as Skapare [slashdot.org] there, too?

    It seems to me tha

  • So I went to sign up for Toodledo [toodledo.com] the other day. On the suggestion of my boss, I went to sign in via OpenID. Well I didn't have an OpenID, so I signed up for one of those through the OpenID provider that Toodledo linked from their very page - myopenid.com. Fair enough. Went back to sign in with Toodledo and my shiny new OpenID and I get an error message back saying "There was an error connecting to your OpenID server."

    Well what the hell. I sign up using the very provider that they link to and I still can't
