OpenID? I'd Never Use That!
Sometimes it's easy to get lost in the excitement of a new technology when there is significant breaking news, as has been the case with OpenID recently (see "AOL and 63 Million OpenIDs", "AOL OpenID News Excites the Blogosphere", and Fred Stutzman's timely article "OpenID and the Value of Connected Identity").
When I began a brief explanation of OpenID to a fairly savvy Web user (the co-author of my book about MySpace, who, while not a developer, knows her way around the Internet, and knows a bit about HTML, browser cookies, embedded objects, etc.) -- her immediate reaction was "I'd never want to use that! What if your password is stolen?" Which made me think "surely this has been thought through by OpenID people..."
Despite the excitement, it's certainly not a closed case for OpenID at this point in time. Organizations and companies can provide it, but that doesn't mean people will use it.
Brady's View
In his February 22 O'Reilly Radar post Pros and Cons of OpenID, Brady Forrest looks at the recent flurry of OpenID news and says:
[OpenID] has recently started getting a lot of support - kind of.
Note in that flurry of announcements there was only one new big acceptor - Digg. AOL, Microsoft are not accepting OpenID. Why not?
The biggest sites that accept OpenID are SixApart's sites and Digg. None of the big players -- AOL, MS, Google, Yahoo!, MySpace -- accept OpenID.
By "accepting" OpenID, Brady means that a user who has an OpenID URL can go to that site and use their personal URL as their credentials for gaining privileged access to the site. In other words, you can use your OpenID URL to log into the site.
OpenID Asks: "Why Won't You Accept Me?"
So, what does it mean if we have a flurry of companies providing OpenIDs to users, but almost no one accepting OpenID credentials? Why would this happen?
I can immediately think of one good reason: providing OpenID URLs is relatively easy to do and does not require a lot of coordination with other vendors; accepting OpenID credentials is a more complex process and requires interactions between your own servers and those of all OpenID providers. Providing OpenID sounds relatively safe compared with accepting it.
Security Concerns
My fairly savvy Web user's immediate reaction to my brief overview of OpenID was based entirely on security concerns. If someone steals your OpenID credentials, then won't they have full access to every site you use that accepts OpenID?
Brady Forrest puts it this way:
Security Concerns have not been fully resolved - Because of the reliance on a second site for sign-in, OpenID is open to phishing attacks. These concerns are being actively addressed, but the solutions are still being tested and each OpenID has the latitude to choose their solution. An uninformed consumer may not realize that their provider is behind the times. Until this situation is resolved it is not suitable for high-privacy sites like banking, or health (if ever).
Is the Recent OpenID News Important?
The news that perhaps 100 Million people now have an OpenID URL (most of them without taking any overt action related to OpenID) is certainly positive news for OpenID. OpenID is now readily available to anyone who wants it.
But is having an OpenID URL useful at this point? Right now, OpenID is like a currency that can only be spent in a few stores. 100 Million people "have" OpenID, but how many of them go to that short list of stores / sites? And how many of those 100 Million people are actually aware that they have an OpenID URL?
So, a currency that is useless in most stores was given to 100 Million Web users, most of whom have no awareness that they now hold this new not-very-useful currency. So should this really qualify as big news? Does it have any importance at all?
I think so. I think the news that so many people have OpenID URLs will encourage more sites and vendors to accept OpenID credentials. It will provide them with a way to stand out from the crowd. Maybe the big players won't join in right away, but for smaller sites accepting OpenID has a lot of advantages.
Benefit for Smaller Sites
If you're a small site, your potential user may not feel like it's worth the effort to have to create and try to remember a new user name and password, just to gain access to your site. But if they can use their OpenID URL as their credentials for a group of sites, then a big part of the inconvenience of becoming a privileged / credentialed member of the sites is eliminated. Hence, we could say that OpenID can help sites on the "long tail" attract more credentialed users.
But Still, Not for Everyone, Yet
Still, I don't think I'll see my savvy Web user friend using her OpenID any time soon, no matter how many sites accept it. That won't change until I can convince her that it offers greater security than what she currently experiences on the Internet. She already considers security on the Internet to be porous and overly cumbersome, in general. The OpenID solution sounds to her like an invitation to security disaster. And I don't have in hand strong evidence to convince her she should think about this differently. Not yet, anyway.
-- Kevin Farnham
O'Reilly Media
