Wednesday 1 October 2008

OpenID For Dummies? Yes It Is.

What a day, so much happening, so much goin' on!  I'm sitting in the bus watching really crap weather outside, so I'm refreshing my news page often.  That's led me to a few sites to investigate stuff and research further, then post.

Now - this.

I'd love it if their glowing prose were true, if the gorgeous pink fluffy bunnies cavorting in the clouds and green fields kind of optimism were justified.  But it just isn't so.  Speaking purely as an OpenID user, I can say that I've never seen a more shambolic implementation of something supposed to be secure and user-friendly and open up the web to authenticated use.

My experience?  If I have an OpenID on one provider, there will be some sites that eschew all other OIDPs in favour of their own.  The reason for the distrust is simple - OID is hackable.  Not in the sense of Microsoft's wonderfully insecure learning aids for serious system crackers, but in the sense that everything is hackable given enough effort.  And they are not willing to extend that much trust to a competitor.

So I end up logging into some sites manually using the old userID/password authentication scheme anyway.

Then there's the whole "name as a URL" thing.  I've used my email address for almost 15 years, now I also have a URL.  So I have to remember a URL when I want to log into an OID enabled site.  Now here's a thing...  When I go to a new site that requires authentication, they ask me for my OpenID URL...  Before, I'd just type a username like "cyclic57" and a password like "shamb0l1C" and that would be that.

Signup info like addresses and so forth, you ask?  Even on OID enabled sites, I get asked to enter that crap again and again - that ole trust issue, I'd say.  So there's no advantage to me in that, either.

Now I go to another site, one I've previously logged into with OID.  Nine times out of ten, I have to type in my OID URL.  Dunno why, but it's my experience more often than not.  So instead of typing cyclic57 shamb0l1C I now have to type in http://myOpenIDProvider.com/cyclic57...  Lovely.  Double the typing, for a "convenience."

And that generally takes me to the OIDP login screen where I have to type in at least my password, anyway.

Oh and that's not the end of it.  Remember how some applications will only allow certain OIDPs?  Well, so to use all my web applications, I now have three OID URLs and passwords to remember.

So - simple it's not, easy it's not, and convenient it's not.  Given the way some application providers won't accept certain OpenID Providers, it's not even very open.  Summary?  It's definitely still at the "for dummies" stage.

2 comments:

Mike DeNeut said...

You should check out my blog, feel free to subscribe and leave some comments..

http://md16185.blogspot.com


What you're saying, is kinda like my opinions about proxy servers, they allow people to send spam, and be fake online.

Something needs to be done, when everyone is afraid to make normal videos, or is stuck "moderating comments".. Do people not understand the concept of "acting normal" in the 21st Century?

teddlesruss said...

Well only to a point - OID is just as much hassle as logging in manually to each site, and is one central point where someone can, if they crack your password, access multiple of your accounts.

As for "acting normal" - sheesh, there hasn't been such a thing as long as I've known. I considered myself to be pushing the envelope as a kid, but geez I am a total square when I look around today...