The end of OpenID? [LWN.net]

By Jake Edge
February 2, 2011

Last week's Security page had a quote from 37signals about its decision to drop support for OpenID. Since then there have been several postings that purport to explain the problems with OpenID and why it never gained much traction. One of the better analyses comes from Wired's webmonkey blog, which calls OpenID "The Web's Most Successful Failure". So, why hasn't OpenID taken the world by storm?

OpenID set out to solve, or help solve, the "single sign-on" (SSO) problem, so that users could have a single identity that they used with multiple web sites. But OpenID is more than that, because it allows users, rather than web sites, to decide how much personal information needs to be shared. It is this user-centric nature of OpenID that may be leading to its downfall.

We have looked at OpenID several times over the years, including an overview in 2006, and a look at OpenID 2.0 in 2007. By the time we looked at the OpenID Connect proposal back in June, the problems with users being able to control the amount of information provided to web sites was becoming evident. It was, in fact, a major reason that OpenID Connect was proposed.

While OpenID is by no means perfect, the resistance to its adoption is not necessarily completely technical. Other OAuth-based schemes have become much more popular at least in part because web site operators get access to much more personal information by default than they get when users log in with OpenID. Even site-specific registration tends to extract more information (email address, full name, and so on). Because that kind of information is valuable to web site operators—and willingly given up by the vast majority of users—OpenID users are seen to be "less valuable", as OpenID Connect developer Chris Messina pointed out. The Wired blog post put it this way:

Web publishers never warmed to OpenID since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher. That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.

But one of the main alternatives to OpenID—one that has seen much more adoption—is Facebook Connect (though the "Connect" part of the name has largely been dropped). As that name would imply, it is run by Facebook, which is an organization that is not noted for its interest in preserving user privacy. One hopes that the pervasiveness of Facebook sign-ons will have some boundaries. While it does solve the SSO problem for Facebook users, in a fairly uncomplicated way, it would be horrifying to be greeted by your bank's log-in screen asking for your Facebook ID.

OpenID suffers from some design flaws, using a URL as the OpenID identifier being one of the most prominent, but its Achilles heel is that it is complicated for users, beyond just remembering their OpenID URL(s). An additional problem is that some of the larger web services were only interested in being OpenID providers (i.e. using their URLs to log in elsewhere), and weren't particularly interested in being "relying parties" (i.e. taking OpenID URLs from elsewhere to allow users to log in). This asymmetric "support" for OpenID further muddied the waters for users.

At this point, though, we may well have seen the crest of the OpenID wave. Wired posits it being incorporated into Mozilla's (and other browser makers') efforts to move identity management into the browser itself. That would allow the browser to route around the individual web site log-in screens and authenticate the user behind the scenes, so OpenID could be used in a far less complicated manner.

In the end, OpenID is targeted at users who value their privacy and want to take control of their internet identities—two traits that seem to be in short supply for many users. Facebook Connect (and the Twitter equivalent) leverage huge user bases to make adoption by other web sites very attractive. Though there is evidently still some user confusion about using those authentication methods, the experience is more straightforward than OpenID.

So, where do we go from here? The US government is starting to make noise about trusted internet identities, which might provide an alternative SSO solution—though not without privacy (and other) concerns of its own. LWN has implemented OpenID relying party support, though there is still some work and testing to do before we can roll it out. The 37signals announcement and the related chatter seems likely to turn off some other sites that were considering OpenID support.

It is tempting to call OpenID a failure, and to some extent it is, but it has some compelling ideas, at least for technically (and privacy) savvy users. But the features that are most attractive to those users are precisely those that web site operators wish to avoid—anonymous/pseudonymous authentication doesn't play well with their business models. For sites like LWN, where registration doesn't require any personal information, the barriers to adoption are likely to be things like available developer time (that's certainly the case here). In addition, there has always been some interest from our readers in OpenID support but it never seemed to garner a critical mass clamoring for it. If OpenID had taken off the way many hoped it would, supporting it would have become a much higher priority for LWN and lots of other sites.

As Wired notes, OpenID was ahead of its time. It suffered from some technical problems—what new protocol doesn't?—but those could have been fixed if there was some groundswell of interest from users or web sites. Since that didn't happen, it's probably time to start thinking about other SSO options that aren't controlled by companies or governments. Without a solution that is under individual control, we risk being herded into systems that cater to the needs of these large organizations—with all the dangers to internet freedom that implies.

Index entries for this article
Security	Authentication
Security	Identity management

to post comments

The end of OpenID?

Posted Feb 3, 2011 2:38 UTC (Thu) by mtaht (guest, #11087) [Link] (1 responses)

I still don't understand what was so wrong with pgp.

what's wrong with PGP ?

Posted Feb 3, 2011 17:09 UTC (Thu) by copsewood (subscriber, #199) [Link]

Nothing wrong with PGP in its GPG manifestation, apart from the facts:

1. that establishing and maintaining (with limited key lifetimes and handling key revocations etc.) the preferred web of trust PKI model it implements is too much work for this to be adopted by more than a few people, and

2. too few people can use secret keys in simple and standard pocketable hardware which treats the complex host computer as part of the untrusted network rather than as something ever likely to be secured adequately by the end user.

So as far as the 1990ies implementation environment in which this crypto security dream started is concerned, dream on.

However, DNSSEC will probably go a long way to solving the PKI issue. There are enough people handing domain rollover and getting/renewing a certificate at the same time as you register or renew a domain kills 2 birds with one stone. But we will then still need a simpler lightweight pocketable device for secret key storage and computations and which can at least make visible what you are signing and decrypting. I think for most people this is more likely to be their mobile phone than their desktop or laptop computer.

Possibly ways to start improving this might be to implement GPG as an Android application which accesses a DNSSEC trust anchor domain somewhere and which enables users to register signed subdomains. However, we'll probably see Android getting almost as bad from a security perspective as Windows before long, when having an internally hardware secured phone subsystem for this purpose will start to make sense.

It would be useful to have a cheap automatic registration DNSSEC subdomain trust anchor for developers and ones where they check your ID credentials more carefully and which charges you for a certificate. Different trust anchor CA policies will lead to different levels of confidence in identity, but all can give better assurances that someone@example.com.whichever.trust.anchor is the genuine user of that address than current GPG usage suggests.

The end of OpenID?

Posted Feb 3, 2011 6:18 UTC (Thu) by eru (subscriber, #2753) [Link] (3 responses)

This also could hint at the problem:

LWN has implemented OpenID relying party support, though there is still some work and testing to do before we can roll it out.

So a technically proficient site like LWN takes years to get it implemented? Maybe one reason for low adoption is the difficulty of getting started. I would personally like to see more of OpenID. So far I have been able use it on only one site I visit regularly.

The end of OpenID?

Posted Feb 3, 2011 14:02 UTC (Thu) by dmag (guest, #17775) [Link]

> So a technically proficient site like LWN takes years to get it implemented?

Yes, if the programmers are busy writing informative articles and going to nearly-washed-out conferences.

> Maybe one reason for low adoption is the difficulty of getting started.

No. For example, OAuth is far more complicated, yet implemented more widely.

> I would personally like to see more of OpenID.

Expecting sites to implement OpenID is a bit of wishful thinking. A succinct way of summarizing the article would be: "The value proposition of OpenID is to the USER, not to the implementor."

In order to be adopted, the next protocol will need to benefit both the user and the implementor. (I think something like OpenID, but with the ability to sign up to a site RSS feed at the same time.)

The end of OpenID?

Posted Feb 3, 2011 14:11 UTC (Thu) by corbet (editor, #1) [Link] (1 responses)

Implementing OpenID authentication is not that hard, I got it going in an afternoon. Harder is all the user interface to allow the management of identities and stuff. Just more of the sort of obnoxious HTML form stuff that gets so tiresome after a while. That's the piece that I never quite found the time to finish.

The end of OpenID?

Posted Feb 5, 2011 3:53 UTC (Sat) by SkyGuy (guest, #60773) [Link]

CGI::Application is a very simple and easy way to implement web forms without too many headaches. David Blank-Edelman's articles on CGI::Application helped me implement a moderately complicated web form without too much effort:

http://www.usenix.org/publications/login/2009-08/pdfs/bla...

http://www.usenix.org/publications/login/2009-10/pdfs/bla...

The end of OpenID?

Posted Feb 3, 2011 8:10 UTC (Thu) by ekj (guest, #1524) [Link] (13 responses)

I dunno. Seems odd to complain about the pseudonymous nature of an openid-url when the alternative, asfar as most sites are concerned, is an email-address.

In what way is bar@example.com less of a pseudonym than http://example.com/bar ? Doesn't quite make sense to me.

The email-address though, does typically make it possible to contact me, something knowing my openid-url does NOT. And this is a negative, from the POV of many website-operators, because they would just *love* to send you "important updates" aka marketing-material.

The end of OpenID?

Posted Feb 3, 2011 8:42 UTC (Thu) by mjthayer (guest, #39183) [Link] (4 responses)

> The email-address though, does typically make it possible to contact me, something knowing my openid-url does NOT.

This makes me imagine some middle ground. An OpenID-like system that used an e-mail address - but one of it's own - as a login. Websites that you log into would be able to send things to the e-mail address and the provider would forward them to your real address, but would only accept things signed by known, and known-well-behaved parties. Said parties might also pay a small fee (a couple of cents per e-mail?) to the provider to cover the provider's costs.

The end of OpenID?

Posted Feb 3, 2011 8:52 UTC (Thu) by ekj (guest, #1524) [Link] (3 responses)

Yeah, cos THAT is gonna sell !

Instead of: With OpenID you're unable to communicate directly with your users, you get: With OpenID some external organization gets veto-power over what communications you are allowed to send to your own users, and by the way, you get to pay them a few cent for performing the valuable service of censoring you.

I realise that's not quite how you meant it, but this suggestion really would go over like a lead balloon.

The end of OpenID?

Posted Feb 4, 2011 11:12 UTC (Fri) by mjthayer (guest, #39183) [Link] (2 responses)

> Instead of: With OpenID you're unable to communicate directly with your users, you get: With OpenID some external organization gets veto-power over what communications you are allowed to send to your own users, and by the way, you get to pay them a few cent for performing the valuable service of censoring you.

I do think though that while most users aren't worried about privacy in general, many are more concerned about spam. I would have thought that there would be a certain value to the providers to be able to say "give us your address and you can be sure it won't be misused", particularly if the customer doesn't know the provider very well.

The end of OpenID?

Posted Feb 4, 2011 11:16 UTC (Fri) by ekj (guest, #1524) [Link] (1 responses)

I sorta doubt it. Most users aren't worried about giving their email-address to some random site they want to register at, and single-source spam is in practice close to a non-problem anyway, because worst-case, you just filter it.

For those users who do care, there's already free solutions, even *hotmail* which isn't exactly the epitome of technically sophisticated users, today allow creating throw-away aliases for your email-account, for purpose of being able to give a valid email-adress, that can be dropped if it ever starts receiving much spam.

The end of OpenID?

Posted Feb 5, 2011 0:09 UTC (Sat) by giraffedata (guest, #1954) [Link]

A complete centralized identity manager would have in the same database with your password your email address and all other personal information typical websites might want about you. With your permission, the web site could get that whenever it wants it, thus saving you the trouble of filling in forms to register with each web site, and then updating them all when the information changes.

A mail forwarding service might be useful, but I don't think it adds much to the server just giving the sender the email address.

I would love it if I could use a web site for the first time (and every time) by just saying who I am (with some short string such as an OpenID URL).

And if that doesn't tell the web site enough about me, it can tell me to come back when I've added the required information to my identity manager and released it.

The end of OpenID?

Posted Feb 3, 2011 9:18 UTC (Thu) by epa (subscriber, #39769) [Link]

More to the point, everybody remembers their email address. Nobody remembers some weird URL you have to type (not unless every site started using OpenID all at once), and few people reliably remember their user id for a particular website. This is why all websites should support logging in with email address and password rather than some made-up 'username' and password. (You can still have usernames if you really want.)

The end of OpenID?

Posted Feb 3, 2011 9:19 UTC (Thu) by spaetz (guest, #32870) [Link] (6 responses)

> In what way is bar@example.com less of a pseudonym than http://example.com/bar?

Because I know my email address very well while I always have to look up my openid url (https://me.yahoo.com/spaetz) :-)?

Fortunately and that is too little known, it is very easy to insert a redirect header in any webpage you control and use that URL as openid url. Which makes it very conventient to use as I know the URL of my private homepage by heart...

Logins via openid can ask the openid provider for a email address and get it prefilled *if the user consents*.

The end of OpenID?

Posted Feb 3, 2011 22:09 UTC (Thu) by bangert (subscriber, #28342) [Link]

having driven websites with thousands of signups a day, i can tell you that people do NOT generally know their email -- or the spelling thereof...

...even if you ask the user to input the email twice!

The end of OpenID?

Posted Feb 5, 2011 21:11 UTC (Sat) by madhatter (subscriber, #4665) [Link] (3 responses)

Spaetz makes a very good point there. Being a fan of OpenID myself, and having read both the 37signals and the webmonkey articles, I was struck by the extent to which people seem to be misusing OpenID.

If you're trying to remember an OpenID URL of the format http://OddSubdomain.OpenIDProvider.tld/WeirdAccountName, you're doing it wrong. The right way to use it is to have your OpenID as http://my.vanity.domain/ , perhaps appending /openid or some simple string, and from that domain, which you control, nominating your OpenID provider _du jour_, which can - and probably should - change regularly.

This gets rid of the "I forgot my account details with my provider so I got locked out" problem, which seem to be many of the problems in both the articles mentioned above. I have in fact locked myself out of my provider twice, and each time, I found a new provider and switched in minutes, because the OpenID URL I had registered was on a domain under *my* control, not some third party's.

I'm a big fan of OpenID and I'm sorry it won't catch on with most sites, and I'm fairly sure the reason why it won't is, as has been said here already, the benefits are all to me, not to the site owner. I look forward to being able to use it on LWN soon.

The end of OpenID?

Posted Feb 7, 2011 13:24 UTC (Mon) by spaetz (guest, #32870) [Link] (2 responses)

yep, that's how I do it too. There is not even a need to append /openid to the url.

These 2 lines in index.html is all I need to be able to use http://sspaeth.de as my openid url.

The end of OpenID?

Posted Feb 8, 2011 12:40 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

And unless you're an OpenID geek there's no way you'll realise that. I've got an OpenID identity that I can never remember because I can never remember the URL. Would I have thought of the trick you propose? Not in a million years.

The end of OpenID?

Posted Feb 8, 2011 12:47 UTC (Tue) by madhatter (subscriber, #4665) [Link]

I rather agree with you, but I still think it's due to the way that OpenID is being mis-sold (as it were). None of us comes into the world fully versed in the protocol, so we all have to learn about it from somewhere or someone. I was lucky that I caught it early on, and read the protocols, and saw how it was supposed to be used - it's not a trick, it's clearly what's intended by the authors.

But there's no reason why those providing OpenID authentication servers couldn't do a better job of telling people how it's supposed to be used. Except, presumably, that they, too, don't want to help their user community free themselves from linkage to their providers.

I despair, really I do.

The end of OpenID?

Posted Feb 8, 2011 14:53 UTC (Tue) by jamesh (guest, #1159) [Link]

If you are using Yahoo as your provider, you should be able to enter "yahoo.com" as your identifier for most sites.

This will trigger an Identifier Select authentication request, where the actual OpenID identifier is only determined when the response is sent to the relying party. This way, all users of an identity provider can use the same starting URL.

The end of OpenID?

Posted Feb 3, 2011 9:54 UTC (Thu) by talex (guest, #19139) [Link]

Does anyone know what's happening with Mozilla's Account Manager plugin (https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager)? Their web-site shows 0.0.10 as the latest release (2010.03.05), but it's a broken link. There's no obvious link to a mailing list or bug tracker, and OpenID support is listed as a low priority future feature.

I also found Verisign's Seatbelt (https://pip.verisignlabs.com/seatbelt.do), but it seems to require custom support from the OpenID provider, and Sxipper (http://www.sxipper.com/), which I couldn't get to work.

Having a Login button in the browser chrome would be really useful. Then I wouldn't have to type my OpenID, somehow check that I'm not being phished, and confirm that, yes, I really do want to log in to this site.

The end of OpenID?

Posted Feb 3, 2011 12:40 UTC (Thu) by ballombe (subscriber, #9523) [Link]

The flaw with OpenID is that it should be easy for a user to setup their own website as their own OpenID provider (not just as an alias), so they actually get control of their authentification instead of relying on a large company which can then log all use of the OpenID usage.

I tried to do that and it was far too hard and intrusive and poorly documented.

Limits of SSO

Posted Feb 3, 2011 18:07 UTC (Thu) by rsidd (subscriber, #2582) [Link] (1 responses)

it would be horrifying to be greeted by your bank's log-in screen asking for your Facebook ID.

Not any worse, in my opinion, than a bank asking for OpenID.

I'd rather have a distinct login and password for each bank account, thanks. And hope the bank has half a clue about security.

Limits of SSO

Posted Feb 3, 2011 22:55 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

If the bank implements OpenID properly you can still have one OpenID for each account, with distinct passwords, personal security certificates, hardware keys, or whatever else you care to use for authentication. Nothing in the OpenID spec forces you to use a single identity everywhere, or to rely on a particular provider. OpenIDs can easily be both more secure and more convenient than most bank sign-in processes I've encountered.

The end of OpenID?

Posted Feb 3, 2011 23:32 UTC (Thu) by Simetrical (guest, #53439) [Link] (1 responses)

I can testify that the reason Wikipedia never implemented OpenID is basically the same as LWN. Wikipedia does no user tracking, it's just that there were never enough people asking for OpenID support to make it worth the development effort. There's even a preexisting MediaWiki extension, but still, nobody could be bothered to put in the work. I don't think cynical theories about user privacy are necessary to explain OpenID's failure -- there just was never any really good reason to use it that I saw.

Of course, if the theory of using OpenID is that it makes signup easier, you'd expect to see significantly more signups and user activity if you supported it. That would be a reason to use it, but I haven't heard anyone claiming that happens in practice. If it doesn't actually encourage user activity, I'd have to say it's well and truly useless from the site's perspective.

The end of OpenID?

Posted Feb 4, 2011 2:57 UTC (Fri) by The_Barbarian (guest, #48152) [Link]

>Of course, if the theory of using OpenID is that it makes signup easier,

It does, that's why I don't sign up for new sites that don't use it.

Unfortunately I still have a lot of legacy logins for sites that are too lazy to set it up.

The end of OpenID?

Posted Feb 4, 2011 0:39 UTC (Fri) by ccurtis (guest, #49713) [Link]

I think Wired has it all wrong. OpenID is simply a classic chicken-and-egg problem. If the browsers supported it natively and you got an @mozilla.org type identifier at installation (or @gmail for chrome; @hotmail / @msn for IE, etc.) things would likely be quite different. Never having had to deal with either OpenID or OAuth, however, I'm not going to press this point much.

What I will complain about though is the notion that privacy is the downfall. Using an OpenID type identity would allow me to log in with some default level of information sharing, and if the site wanted more info, they'd just put up a blocker signup page - just like they would if I had only an email. I expect that whatever data they get from OpenID they're going to stick into their own databases anyway, not expect the remote data to never change.

The end of OpenID?

Posted Feb 4, 2011 11:29 UTC (Fri) by auc (subscriber, #45914) [Link]

People interested in openid and the future of decentralized authentication, watch this: http://esw.w3.org/WebID

OpenID maldesigned

Posted Feb 21, 2011 14:14 UTC (Mon) by job (guest, #670) [Link]

A login system based on shuffling values with HTTP, where your identity is a URL? Only a web guy high on XML and javascript would have designed such a thing.

No one wants to unnecessarily rely on third parties. Who do you contact when it doesn't work? What do you have to do to prove it's their fault? Also most users probably don't want to share their identities between sites. I know I don't. Handling multiple identities on the web is a solved problem, and it's solved in the clients with keyrings and the like. Lost passwords are also a solved problem, where everyone emails one-time credentials.

As for the valid use cases of a SSO system for the web, which is owning your identity and storing credentials off-server, there is already solution as old as SSL: client certificates. It is true that browsers could make this easier but this would happend in a jiffy if people actually used it. It is also true that it requires HTTPS but today I would regard this as a feature, not a bug.

I suspect the completely blind spot to SSL and anything that can be solved in client space is due to major NIH issues with web people rather than anything technical.