What is the advantage of using ONLY OpenID authentication on the site?

From my experience with OpenID, I see a number of significant disadvantages:

Adds a single point of failure to the site
This is a failure the site cannot fix, even if it is detected. If the OpenID provider does not work for three days, what recourse does the site have to let its users log in and access the information they have?

Takes the user away to another site's content every time they visit your site
Even if the OpenID provider does not have an error, the user is redirected to the provider's site to log in. The login page has content and links. Thus, it is likely that the user will actually be drawn away from your site to go down the rabbit hole of the Internet.

Why do I want to send my users to another company site?
[Note: my provider no longer does this and seems to have fixed this problem (for now).]

Adds a non-trivial amount of time to register
To register on the site, a new user is forced to read up on the new standard, select a provider and register. Standards are what technical people must agree on so that things work for the user without friction. They are not something that should be imposed on users.

This is a phisher's dream
OpenID is incredibly insecure, and stealing a person's identifier when they log in is trivially easy. [taken from David Arnault's answer below]

For all the flaws, the one advantage is that it allows users to have fewer logins on the Internet. If the site has the OpenID option, users who want this feature can use it.

I would like to understand:
What is the advantage to a site of making OpenID mandatory?

+51
openid
Sep 13 '08 at 9:35
15 answers

The list of minuses misses the most obvious one: this is a phisher's dream. OpenID is incredibly insecure, and stealing a person's identifier at login is trivially easy.

Matt Sheppard hits the nail on the head, though: the answer to this question is that the advantage of OpenID for the creator of the site is less hassle, since there are no user names and passwords to process and no code to write for creating user accounts.

+3
Oct 06 '08 at 7:31

The advantage of using OpenID is that the login code for the website does not need to be written (other than the OpenID integration), and no precautions need to be taken for storing user passwords, etc.

Not having your own login code also means you do not need to deal with many support problems, such as resetting lost passwords, etc.

Of course, most of the shortcomings you list are valid, so I think this becomes a trade-off.

What surprises me is that sites that do not maintain a close relationship with a particular OpenID provider simply do not offer an account registration step, i.e. something like "you can use any OpenID that you like, but you can also create one right now by entering a user name and password", which automatically creates a new account for you with the selected provider.

+21
Sep 13 '08 at 10:06

This is a good way to transfer part of your infrastructure. You do not need to worry about lost passwords, etc., someone else does it for you.

I'm not sure that I would use it exclusively. I have not used OpenID enough to fully trust it, and the registration process should be optimized until 90% of users have an OpenID.

+8
Sep 13 '08 at 9:44

Adds a critical point for site failure

The third-highest idea on UserVoice for Stack Overflow is to allow changing the OpenID provider. And in the comments there is a proposal to allow associating more than one OpenID. On sites where multiple OpenIDs may be associated with an account, if your regular OpenID provider is not available, you can still log in with another provider (if you have already linked it to the site).

In addition, this is only a critical point of failure for users of the OpenID provider that is not working. All users of other OpenID providers can continue to log in. Over time, you would expect users to switch to the most trusted providers.

Takes the user away to another site's content every time they visit your site

If you have set your OpenID provider to always trust the site (or OpenID consumer, in the jargon), and you are already logged in to your OpenID provider, it will redirect you straight back to the site without you even seeing your OpenID provider's pages.

Adds a non-trivial amount of time to register

This may be true at present, but, as andyuk said, "it becomes less of an issue as more sites support OpenID." I would expect that in a few years, most users will already have an OpenID and they will know what it is.

+7
Sep 13 '08 at 13:26

One of the big advantages of moving to OpenID, just from a technical point of view, is that abstracting the credential authentication part allows users to choose authentication methods that are much more complicated than anything you would like to build for your site. Yes, some OpenID providers are easily phished. On the other hand, other OpenID users log in with information cards, hardware tokens or phone verification, and these are credentials that cannot be captured and replayed by a phisher.

As Gabe Wahob put it:

People who want to implement authentication methods [...] do not have to be the same people who innovate in the provision of services on the Internet (any of the millions of people working with Mediawiki, Drupal, etc.). This “disintegration” of authentication innovations and service innovations is valuable in OpenID.

Thus, using OpenID, you can offer your users more reliable authentication methods. Abstraction allows you to implement one interface, and then you can choose any provider that you can work with, regardless of whether they use eight-character passwords in cleartext or neural implants with responsive responses.

+6
Oct 6 '08 at 22:00

It encourages users to subscribe to OpenID, learn more about it, and hopefully evangelize it themselves.

Stack Overflow proves that OpenID support can work.

"Adds a critical point to site failure"

If the OpenID provider does not work, the site must have a mechanism that allows users to log in and add / modify OpenID providers. Perhaps the site may send a temporary link to bypass security so that users can access their account.

"Takes the user away to another site's content every time they visit your site"

My OpenID provider allows me to trust this site, so I don’t even need to browse their website.

"Adds a non-trivial amount of time to register"

This becomes less of a problem as more sites support OpenID.

+2
Sep 13 '08 at 10:17
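The fallback described in the answers above (several OpenIDs linked to one account, plus an emailed temporary link when a provider is down), shown as an added example that is not part of any post in this thread. The `Accounts` class, its method names, the server key and the 15-minute lifetime are assumptions; verifying the provider's assertion and sending the email are outside its scope.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # server-side key for recovery links (assumed)
TOKEN_TTL = 15 * 60                # recovery link lifetime in seconds (assumed)

class Accounts:
    def __init__(self):
        self.by_openid = {}   # claimed identifier -> account id
        self.used = set()     # recovery nonces already redeemed

    def link(self, account_id, openid):
        """Attach one more OpenID to an account; an identifier maps to one account."""
        if self.by_openid.setdefault(openid, account_id) != account_id:
            raise ValueError("identifier already linked to another account")

    def login(self, verified_openid):
        """Call only after the provider's assertion has been verified."""
        return self.by_openid.get(verified_openid)

    def unlink(self, account_id, openid):
        """Refuse to remove the last identifier, which would lock the user out."""
        linked = [o for o, a in self.by_openid.items() if a == account_id]
        if self.by_openid.get(openid) != account_id or len(linked) < 2:
            raise ValueError("cannot unlink")
        del self.by_openid[openid]

    def issue_recovery(self, account_id, now=None):
        """Token for the emailed link: account, expiry, nonce, HMAC."""
        exp = int(now if now is not None else time.time()) + TOKEN_TTL
        body = f"{account_id}.{exp}.{secrets.token_hex(16)}"
        mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{mac}"

    def redeem_recovery(self, token, now=None):
        """Return the account id once; reject forged, expired or reused tokens."""
        body, _, mac = token.rpartition(".")
        good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return None
        account_id, exp, nonce = body.rsplit(".", 2)
        if int(exp) < (now if now is not None else time.time()) or nonce in self.used:
            return None
        self.used.add(nonce)
        return account_id
```

A redeemed token should only open a session that lets the user link or change providers, and the recovery mailbox then becomes the account's weakest credential.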

As a web developer, I am a big fan of the OpenID idea. Writing Auth code is a pain in the ass. As a web user, I am a big fan of OpenID - for non-critical uses such as SO, forums, etc. - because, as soon as you have an identifier, this is a very easy way to join the site.

I think that, with a few exceptions such as a community for developers, you currently cannot force OpenID. The "average" network user (no matter what this means) does not get it. However, promoting it on a site like this raises the awareness of developers, and this idea will eventually leak out. As OpenID appears on more and more sites, people will look at it, understand what it is, and then start using it. For OpenID, great idea that it is, to catch on, there must be a critical mass of users and sites that support it.

In the end, it will be just “as it is,” and we will wonder why we ever created authentication code for each individual website that we created, or why we would create unique identifying information wherever we went online.

+2
Sep 13 '08 at 14:36

As discussed in one of the podcasts, it adds a barrier to entry for the wanderer who comes by wondering if this could be where they should post their Yahoo! Answers kind of question.

This is somewhat elitist, but given the focus of this website in particular, it is perfectly acceptable to reject those who cannot understand the OpenID process, and anyone who really has a real question they need answered will bother to work through the small difficulties.

+2
Oct 06 '08 at 22:05

From my experience with OpenID, I see a number of significant problems:

If you decide to log in using a trusted OpenID provider, for example Verisign PIP + VIP, you can take advantage of SecureID authentication mechanisms. This should be seen as a major advantage that outweighs ALL others. You no longer trust any kind of authentication based on the rigid form on the website you are accessing; you trust Verisign VIP or whatever OpenID provider you choose.

Internet rabbit hole? It sounds like a bad implementation, and I don't know what you're talking about.

You cannot easily steal authentication; it can be made as possible as possible than what we already have! You can trick me into thinking that I am contacting my provider, but Verisign, for one, has the ability to not allow or accept redirects. I see these phishing issues as something trivial, especially if you weigh them against the benefits of the external authentication mechanisms that you can get through your OpenID authentication provider. So say that you specified the details of the RSA key once: they would be wrong the next time, or maybe just useless if, say, you were using a browser certificate.

In conclusion, OpenID is just an evolution of the current system, an email address to verify. If your email account is your current single point of failure, then yes, your OpenID may be your new single point of failure if the OpenID that you control is no longer under your control. Therefore, if you trust only your mail server, just post your own OpenID URL. If you trust Gmail, use the Gmail URL for your OpenID, because by the same token you already trust Gmail as your SSO, since your Gmail account can ultimately recover your account passwords.

This is not a problem, but I see that for some people it may be difficult to understand the basic concepts of authentication mechanisms. If I CAN log in with my SecureID card (through my OpenID provider) to the site on which I have an account, I WILL. If this was the only option, I will take it!

+2
May 27 '10 at 12:41

Adds a critical point to site failure

The critical point of failure could just as well be sending a confirmation email when the user’s mailbox is a) unreachable due to a typo, b) full, or c) at a provider that is down.

Takes the user away to another site's content every time they visit your site

I see this, but IMHO this is not so bad. I mean, Y! seems to be one of the most cluttered logins, and it also never works for me. ;) Also, most OpenID providers don't look so bad (yet).

Also, remember your audience. If mom and pop are your users, OpenID is probably confusing. But so is probably a lot on the Internet. In the case of SO, the users are people with some caution who know what they want.

Adds a non-trivial amount of time to register

It's not a problem. See the list of suppliers: http://openid.net/get/

Many people have at least a Yahoo! account, so if it really works, that would not be so bad. I agree that if the user does not have an OpenID and does not know what it is for, it is not easy to educate them.

And think about the implication - "to register on site A you need to register on site B". And we all know that registering on its own is a pain in the ass. But ultimately, this is also what OpenID is aiming for.

In the mainstream, I currently see no value in making OpenID mandatory. However, I like it as a supplement, just like how people provide "log in with your Facebook" links, etc. Then people who don't get it (or don't care) don't need to worry. But others may still use it.

+1
Sep 13 '08 at 9:46

OpenID may be the greatest thing since sliced bread, but I had no reason to trust “them” with my identity - except that Jeff Atwood / Joel Spolsky made me do this to be here complaining about it ;)

+1
Oct. 06 '08 at 5:48

One thing to mention. You already have a database with OpenID, they just need to log in.

0
05 Oct '08 at 14:53

I am a proponent of OpenID, mainly in terms of ease of use. I am still convinced of safety, but it has great potential. There are many things that could be said about this, but I just wanted to answer the following two points:

Adds a non-trivial amount of time to register

Only for the first time. Also, with companies like Yahoo now providing support, many people don’t even have to worry about setting up OpenID if they don’t want to. If you used Google or someone similar as your OpenID provider, would you consider them inherently unsafe? And how often do you expect them to have downtime?

This is a phisher's dream

I agree that this may be partly true. But isn't phishing a social problem rather than a technological one? OpenID could make this easier, but it does not eliminate the fact that the real problem is the user. It is much more important to inform users about how phishers work than to try to securely protect them with technology.

0
Oct 17 '08 at 13:37

At a minimum, OpenID sends you to your OpenID provider to log in.
I read a blog on Blogspot, and there is a link to follow this blog (presumably to tell me when there are new posts); to do this, it displays a window asking you to enter your Gmail username and password.

Even if we assume that this is a genuine and not a phishing site, now they (potentially) have a login for my Gmail, my Google documents, my Google applications - that's all!

0
Oct 24 '08 at 2:03

The main advantage of having OpenID will be seen in the long run. Instead of accessing other sites for identification, you do this once, and then use it on all sites that require unique identification. Of course, for secure sites such as banking and commerce, this will require a completely different mindset. But for social networking sites, etc., you can easily use it.

Mom and Dad will also find this easy, because now they only need to remember one username / password. Many times, it has become difficult for us to remember which logins we have on which site, and we end up using the correct username / password of site A on site B. OpenID will solve this. It is also a good revenue model for both the provider and the OpenID user. I can indicate to one of these suppliers all the details that I am ready to give, and each such detail that I give can earn.

Perhaps the provider can persuade me to tell you more about myself, using this as an incentive that he can then sell to sites that I have registered. Therefore, site A pays for OpenID for my information. OpenID then passes a section of it to me. Site A does not have to manage users, OpenID receives money, user receives money, everyone is happy :)

This way you do not have to force OpenID. People themselves will want this. OpenID providers will then compete among themselves to provide better services, and where there is competition, better value will be provided to all interested parties. I think this is an awesome idea.

Edit: Regarding downtime for one particular provider: if OpenID provider A is not sure about 100% uptime, it can use the help of another provider B, and a user from provider A can choose one of the option providers A. The site that sends the user to provider A for authentication will know which other providers to contact if provider A is down. This will be automatically saved in its database at the first login. Anyone want to brainstorm implementation details? :)

-1
06 Oct '08 at 8:48