I came across this interesting article about OpenID via @foolington from the JISC Logins for Life project. OpenID has naturally hit that point in its life where people are talking about it being dead and failing to achieve its goals – we see this dip with all products and we saw the same criticism of SAML, which I believe is now firmly embedded as a mainstream standard supporting a variety of technologies (including OpenID).
I may have seemed critical in the past of OpenID, but this is simply because people have a habit of trying to compare apples and pears – assuming that things like OpenID will ‘replace’ efforts such as the UK federation. The aims of these two initiatives are entirely different.
I think this article has it wrong about OpenID, mostly because it assumes the primary function of OpenID is authentication. I believe that the strengths of OpenID actually lie in authorisation and identity management / security issues. More on that later.
Firstly, let’s look at the reasons why the author thinks OpenID fails as an authentication method. These seem to be focused around the user experience and typical user behaviour in relation to authentication. I’d be the first to admit that the user experience of access management needs improving – full stop. This is why we are expending lots of energy on initiatives such as the JISC Publisher Interface Study and the proposed REFEDS Discover Project. The basic concept of OpenID does indeed have you ‘logging in’ with a URL, but most mainstream adoptions of the concept use a more traditional username and password set. Why is a URL as a username so strange? It may be a bit different, but quite frankly it is no stranger than the trend for using your email address as your username (I have ranted about that as a problematic process before, I will spare you now!).
One of the other points made is that the ‘problem’ of having multiple username and password sets is a one-time-only problem, as people always tick the ‘remember me’ button and store this information as a cookie. Well yes, they do – this is one behaviour I have finally managed to break myself of, though. This is an argument I often hear against the work of federations as well. Well, that is fine if you only ever use one PC, and you will never need to remember that password when you are visiting a friend, or in your local library, or on holiday in an internet cafe trying to work out how to cope with your cancelled flight. Letting people rely on forgetting their passwords doesn’t seem like a particularly good idea – surely having a reasonably unique login is better than this?
I don’t talk much about security on this blog, simply because there are far wiser people who know much more about it than me (@futureidentity and @josiefraser would be two people to follow if this area interests you). I do get involved in lots of discussions about security and privacy as a natural part of my work. In another timely incident, Josie Fraser posted this piece this morning on the trends of privacy in 2010. This clearly highlights some of the problems of giving up our security to browsers and giving up our identity to providers.
So this gets me back to some of the benefits of the OpenID approach – it puts you in control. You control what information you want to release, you control your identity. OK, a lot of the time this sense of control may be false, as providers will insist on consuming all of your information in order to permit you access to a service, but it is a start. Having one username and password set has to be better than using the same password on nearly every site – I know I worry about my use of passwords in this way (although I admit I have not really done anything to improve this).
Of course ‘better’ access management will always be a hard sell to the end-user and will not be something they naturally run around asking for – but does this mean that OpenID is dead? I don’t think so. Like taking vitamins, not drinking too much and exercising regularly, managing identity online is something most of us know we should do, but it quite often feels like too much hassle, so we take the line of least resistance and muddle on through. Perhaps OpenID should make it on to my New Year’s resolutions list? I’m always so good at keeping those….