Something is Dead, Long Live Something or Other…

I came across this interesting article about OpenID via @foolington from the JISC Logins for Life project. OpenID has naturally hit that point in its life where people are talking about it being dead and failing to achieve its goals – we see this dip with all products and we saw the same criticism of SAML, which I believe is now firmly embedded as a mainstream standard supporting a variety of technologies (including OpenID).

I may have seemed critical in the past of OpenID, but this is simply because people have a habit of trying to compare apples and pears – assuming that things like OpenID will ‘replace’ efforts such as the UK federation. The aims of these two initiatives are entirely different.

I think this article has it wrong about OpenID, mostly because it assumes the primary function of OpenID is authentication. I believe that the strengths of OpenID actually lie in authorisation and identity management / security issues. More on that later.

Firstly, let's look at the reasons why the author thinks OpenID fails as an authentication method. These seem to be focused around the user experience and typical user behaviour in relation to authentication. I’d be the first to admit that the user experience of access management needs improving – full stop. This is why we are expending lots of energy on initiatives such as the JISC Publisher Interface Study and the proposed REFEDS Discover Project. The basic concept of OpenID does indeed have you ‘logging in’ with a URL, but most mainstream adoptions of the concept use a more traditional username and password set. Why is a URL as username so strange? It may be a bit different, but quite frankly it is no stranger than the trend for using your email address as your username (I have ranted about that as a problematic process before, I will spare you now!).

One of the other points made is that the ‘problem’ of having multiple username and password sets is a one-time-only problem, as people always tick the ‘remember me’ button and store this information as a cookie. Well yes, they do – this is one behaviour I have finally managed to break myself of though. This is an argument I often hear against the work of federations as well. Well, that is fine if you only ever use one PC, and you will never need to remember that password when you are visiting a friend, or in your local library, or on holiday in an internet cafe and trying to work out how to cope with your cancelled flight. Letting people rely on forgetting their passwords doesn’t seem like a particularly good idea – surely having a reasonably unique login is better than this?

I don’t talk much about security on this blog, simply because there are far wiser people who know much more about it than me (@futureidentity and @josiefraser would be two people to follow if this area interests you). I do get involved in lots of discussions about security and privacy as a natural part of my work. In another timely incident, Josie Fraser posted this piece this morning on the trends of privacy in 2010. This clearly highlights some of the problems of giving up our security to browsers and giving up our identity to providers.

So this gets me back to some of the benefits of the OpenID approach – it puts you in control. You control what information you want to release, you control your identity. OK, a lot of the time this sense of control may be false, as providers will insist on consuming all of your information in order to permit you access to a service, but it is a start. Having one username and password set has to be better than using the same password on nearly every site – I know I worry about my use of passwords in this way (although I admit I have not really done anything to improve this).

Of course ‘better’ access management will always be a hard sell to the end-user and will not be something they naturally run around asking for – but does this mean that OpenID is dead? I don’t think so. Like taking vitamins, not drinking too much and exercising regularly, managing identity online is something most of us know we should do, but it quite often feels like too much hassle so we take the line of least resistance and muddle on through. Perhaps OpenID should make it on to my New Year’s resolutions list? I’m always so good at keeping those….

1 thought on “Something is Dead, Long Live Something or Other…”

  1. Leo Lyons

    Undoubtedly OpenID has benefits. I try to use it whenever I see the opportunity. But that is part of the problem – you rarely do see an opportunity. With a few exceptions, neither Identity Providers nor Relying Parties seem very keen to shout about the existence of OpenID. In dozens of interviews for the Logins for Life project I have found individuals who own an OpenID – by dint of having, for instance, a Yahoo account – but who are not aware they have one.

    I have a Yahoo mail account and so have a Yahoo OpenID. It works (usually), I use it, I can even remember the URL. But I had to look hard to find it.

    It might be there somewhere but I can find no mention of OpenID on any of the Yahoo help pages. In fact if you pull up the Help search screen and enter OpenID you are presented with:

    ‘We did not find results for: openid. Try the suggestions below or type a new query above.’

    Go to ‘All Yahoo Services’ – no trace of OpenID there either. I tried ‘Account’, ‘Registration’, ‘Answers’. They all return a blank. In fact the only way I know to find out about Yahoo OpenID is to enter that as a Google search. Finally I get some information about OpenID – how to enable my Yahoo OpenID, what I can use it for and eventually, once I have signed in to Yahoo – again – it is revealed to me.

    But it is still so confusing – my Yahoo OpenID URL is presented in two forms one of which is similar to this:

    https://me.yahoo.com/a/hWGeg9ojq_cn_eTcdlkqPdfDAoo06CmjPys0Ad0Y6r47QYhLFU0-

    OK so I am offered the chance to create a customised simpler version and it is also explained that I don’t have to type these URLs in, I can ‘simply look for a Yahoo! button or type yahoo.com in the OpenID text field.’ So let’s assume the punter rises above all this confusion and unfriendliness and goes to a site which accepts OpenID. I did this with LiveJournal and did as I was told and typed yahoo.com into the box. This is the response I get:

    no_identity_server: The provided URL doesn’t declare its OpenID identity server

    Typing me.yahoo.com into the box does work but then I am presented with a Yahoo branded warning which recommends I do not share any personal information with this site. To add to the confusion, despite the warning, there is no way to gracefully back out of this page as the only button presented is the Agree button. Exactly how is this sort of experience ‘Putting me in control’? And if I chose to, how can I control what information I want to release? I have trawled the web looking for a site which offers to let me in with OpenID and also asks me what information I want to share. Haven’t found one yet. I agree it’s a start – but not much of one.

    I do not mean to single out either Yahoo as a provider or LiveJournal as a relying party – I have had similar experiences with many other sites and other OpenIDs. But these sorts of experience are not exactly going to encourage the average internet user to manage their online identity. I think there is a place for OpenID in Higher Education – in fact despite the above I am an enthusiast for it – but we are going to have to improve the user experience and do some promotion too. We also need everyone else to work on the user experience, as OpenID is only going to thrive if it becomes the norm, or at least a widely known alternative to more usernames and passwords and filling in yet another registration.
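The `no_identity_server` response quoted in the comment above is produced by the relying party's discovery step: it fetches the URL the user typed and looks for OpenID provider links, and a bare homepage such as yahoo.com declares none. The following is an added illustration of that check (OpenID 2.0 HTML-based discovery), not code from the post, Yahoo or LiveJournal; the sample pages, the `op.example.test` host and the `alice` identifier are constructed for the example.

```python
"""Minimal OpenID 2.0 HTML-based discovery (spec section 7.3.3); added
illustration, not code from the post, Yahoo or LiveJournal. Sample pages are
constructed inline so nothing is fetched from the network."""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (rel tokens, href) for every <link> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "link" and a.get("rel") and a.get("href"):
            self.links.append((set(a["rel"].lower().split()), a["href"]))


def discover(claimed_id, html):
    """Return (op_endpoint, local_id) declared by the page at claimed_id.

    Raises ValueError("no_identity_server") when no openid2.provider link is
    present, which is what a relying party reports for a bare homepage such as
    yahoo.com. A real RP must also check that the later assertion's op_endpoint
    equals the value discovered here (spec section 11.2); otherwise any server
    could vouch for the identifier.
    """
    p = _LinkCollector()
    p.feed(html)
    endpoint = next((h for r, h in p.links if "openid2.provider" in r), None)
    if endpoint is None:
        raise ValueError("no_identity_server")
    local_id = next((h for r, h in p.links if "openid2.local_id" in r), claimed_id)
    return endpoint, local_id


def discovery_result(claimed_id, html):
    """The endpoint tuple on success, otherwise the error token an RP shows."""
    try:
        return discover(claimed_id, html)
    except ValueError as exc:
        return str(exc)


# Constructed sample pages (hypothetical markup, not Yahoo's real HTML).
PLAIN_HOMEPAGE = "<html><head><title>Portal</title></head><body></body></html>"
IDENTITY_PAGE = (
    '<html><head><link rel="openid2.provider" href="https://op.example.test/auth">'
    '<link rel="openid2.local_id" href="https://op.example.test/u/alice">'
    "</head><body></body></html>"
)
```

Running `discovery_result` on the plain homepage yields the same `no_identity_server` token the comment quotes, while the identity page resolves to its provider endpoint.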
