What are the reasons NOT to use OpenID?

You see a fair bit (in the geek community) regarding OpenID. It seems like a good idea. I’m developing a website that will target a slightly less technical audience (but not really mom and pop), so I have to wonder if OpenID will be too “difficult” for some audiences.

What do you think? That aside, are there any other technical or non-technical reasons for NOT using OpenID?

+57
security web-applications openid
Jan 03 '09 at 23:32
17 answers

Average users still do not understand what OpenID is, what it is for, or how to use it. For example, my parents could not log in to Stack Overflow.

That said, it is mainly a user interface issue. There is nothing inherently preventing them from using OpenID - they just need a user interface that abstracts OpenID away and simply lets them log in with their Google account (for example).

+45
Jan 04 '09 at 0:10

It may be a little inaccurate to say that the average person does not understand OpenID.

In most cases, with a little convincing marketing (for example, “USE ONE LOGIN ON ALL SITES!!1!”), they can understand that it allows them to sign in to sites using one login, instead of having a bunch of different usernames and passwords on different sites.

The problem, however, is that for the average user, the entire OpenID experience runs counter to what they think online security is.

  • Users will not automatically trust it.

    When using ordinary logins/passwords, users understand that the password must be kept secret and that this protects their privacy when they sign in to a site. How do they understand the exchange that occurs between the OpenID client site and their OpenID provider? All they know is that they don’t need to enter a password (assuming they are "always logged in" with their OpenID provider) - so is it not unsafe? I mean, in the eyes of the user, how can it be safe if they do not give a password? This can lead to user mistrust.

  • It makes phishing easier.

    (Many) users know that it is wrong to reuse the same password for different accounts, but this seems to be exactly what OpenID does. What if the user simply assumes that all their OpenID provider does is share their password with all participating sites? I mean, how else could OpenID “log them in” on all of these sites? If the user assumes that through OpenID their password is known to all participating OpenID sites, they may assume that it is reasonable to give this password to any of these sites. This is a phishing nightmare. Imagine putting this on your website: "Please enter your (some OpenID provider name) username [] and password []." You are already phishing people.

    We also must not forget that the user would be right in their suspicion in one respect, even if for a different reason: if someone gets access to their OpenID provider, they get access to their identity on all sites where they used this identity, which is the same disadvantage as using the same password on multiple sites.

  • It deviates too much from users' understanding.

    Many usernames/passwords on different sites are not difficult for users to understand. Users understand the concept of usernames and passwords well because they are used to them, and the security point (the fact that a password is a secret) is really obvious to them. It is really clear how a password works. Having multiple username/password combinations does not make it more confusing or complicated - it is the same thing, just more than one of them. Although remembering multiple passwords can be difficult, users at least know how to do it and how it works.

    OpenID tries to solve the problem of remembering several passwords, but in the process it creates a completely new paradigm that is completely opaque to users. Unlike a password, whose security is obvious (it just needs to be kept secret), all of OpenID's security happens behind the scenes, with sites exchanging keys and hashes with each other, etc. The user no longer fully understands how their privacy is protected or what is hidden from whom, because they do not understand how the system works. Thus, in an attempt to solve the problem of remembering several passwords, OpenID created a mystical key exchange system that breaks the user's understanding of how authentication works and why it is secure.

+70
Mar 01 '09 at 15:52

OpenID is impressively susceptible to phishing attempts. If you run an OpenID website, try changing the login page one day to request a password, instead of the usual approach of only requesting an identifier and redirecting the user's password request to the OpenID provider. I bet you could get more than a quarter of your users' passwords this way.

+19
Jan 4 '09 at 18:19

Yes, security. Using OpenID hands the management of your accounts to someone else. You have no control over password protection and user IDs. You trust some other organization to make sure that the people who come to your site are who they say they are. If you really need to make sure that someone is who they claim to be, you will not get that with OpenID without doing some secondary verification yourself; in that case, you may as well not use OpenID.

http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions

+12
Jan 03 '09 at 23:37

This is a lot.

A good rule:

If you need to collect and store personally identifiable information, do not use OpenID.

If you do not need to collect and store personally identifiable information, offer OpenID as a login method.

For e-commerce or anywhere else you need to comply with PCI DSS, I would not use OpenID.

I do not mind that SO is exclusively OpenID; however, I would not have built a site that used it exclusively.

+9
Mar 01 '09 at 16:07
  • The interface is terrible.

    a. Registration with OpenID takes more time and savvy. Normal registration takes very little time or savvy. Registration happens once, but it is a big upfront investment, so the site has to be very attractive.

    b. Signing in involves three pieces of data instead of two; two web pages instead of one (three on StackOverflow, actually); and an external website. EVERY TIME.

    c. There are better interfaces for this kind of solution. For example, I use KeePass.

  • Name collisions. There is no way to guarantee unique names.

  • Security is terrible.

    a. It encourages phisher-like behaviour. It's not as bad as Verified by Visa, but it's close.

    b. Single point of failure: if you lose it, you lose everything. KeePass at least allows me to physically protect the password (you need to have the hard drive with the encrypted database on it).

    c. Cross-site tracking. Credit card companies at least have rules that determine how much tracking they are allowed to do. Cookies can be selectively disabled or blocked in modern browsers. OpenID has no rules and no governors.

  • It is not universal. Google provides OpenIDs ... but does not accept them. The same goes for Yahoo. And AOL. There is no incentive for an OpenID provider to allow the use of OpenIDs from other providers.

  • OpenID is useful for authentication, but not for authorization, especially for anything sensitive (such as credit cards).

Personally, I use one login/password per site, and I use KeePass (which I can protect physically and with two layers of passwords that would need to be cracked) to provide a single-sign-on abstraction over all of them.

This includes StackOverflow: I created an OpenID specifically for you guys and will never use it anywhere else. I did this and put up with the pain of registering because the content is compelling.

But if a real auth method were provided for StackOverflow, I would jump on it in an instant, just for ease of use.

+6
Sep 30 '09 at 18:03

OpenID is still insecure, like any other password-based authentication method. In fact, it is even worse, because if someone gets access to your OpenID, they have more than just one account. Of course, there are also phishing attacks, but we are all savvy programmers, database admins, and system administrators, so we won’t fall for such things, right?

Authentication security is based on trust. As others have pointed out, why would you trust a third party with potentially confidential information? Of course, you can set up an OpenID server yourself, but how much more trouble is that than storing separate passwords on several systems? Of course, you can create secure passwords, long and full of non-alphanumeric characters, and even store them all in a password manager (I know), but some sites get it wrong in that a simple password recovery form can be filled in to reset the password.

I would probably be inclined to support and even evangelise OpenID if it were to secure authentication based on a private key, as with SSH or PGP. Perhaps it is a question of a provider offering such a method - I have not yet looked into it.

Lastly, although we all trust OpenID enough to use it for Stack Overflow authentication, my OpenID is a “throwaway”, and it’s not as if I use it as a tool for building a professional reputation (i.e. my real name isn't involved ;-)). I am sure that I am not the only one (as cool and awesome as this site is!).

+5
Jan 05 '09 at 8:07

OpenID is good if all sites use it. But registering for OpenID just to use ONE site is too much. Registering for OpenID is not as simple as registering directly on the site (from the consumer's point of view).

+3
Jan 03 '09 at 23:38

It’s funny to read this topic; it accurately reflects my experience with OpenID:

StackOverflow.com was the reason I got an OpenID.
Many Google searches brought me to this site, and I could never leave comments. I thought about registering many times, but didn't because of OpenID. It was not clear to me exactly what it was. But once I decided to register, it took me a while, but I do not regret it, because I use it every day. It gives me a safer feeling, although I know that it is only one account, which would lead to a lot of problems if it were phished.

So, for me, OpenID is a great way to quickly log in to sites that I don’t know, but also to larger sites like StackOverflow.com.
The main problem is that new users need to be guided through the registration process, and then find out how great OpenID really is.

+3
Jan 02 '09 at 13:27

Today I came across an article that makes a very strong argument in favor of skipping OpenID, from someone who was initially enthusiastic about it.

Open ID Is A Nightmare

I have always been a major proponent of Open ID. I like the idea and intention - it is a great solution to a long-standing problem and solves many problems for developers. Unfortunately, it creates tons more for business owners.

Read the rest here: http://www.wekeroad.com/2010/11/17/open-id-is-a-party-that-happened/

This is not my story, so I take no doubt about it.

+3
Nov 17 '10 at 21:27

It is good as an addition to normal registration, but not very user-friendly if it is the only way to sign in to your site. Take a look at the StackOverflow signup - all the providers are specifically listed to help people understand what it is. And this is a site for geeks :) So the downside is complexity.

Also see this link

+2
Jan 04 '09 at 17:37

If you have a website that requires a high level of security, you do not want to hand credential processing to an external provider whose access controls you cannot oversee. If the OpenID provider is hacked, you have left your security to them.

+1
Mar 01 '09 at 16:03

Anyone can correlate what I do on one site with what I do on other sites when I use OpenID, because it is the same everywhere. Therefore, I would not use the same identifier I use here for porn sites, for example.

0
Jan 03 '09 at 23:41

There are many reasons. It is one account that provides access to everything; if it is compromised, you have problems.

If you are setting up a site using OpenID, you should know that anyone can set up an OpenID server (spammers can do this too).

-

But OpenID has good ideas and I like using it!

0
Jan 03 '09 at 23:42
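The point that anyone, spammers included, can stand up an OpenID server has a straightforward defensive answer on the relying-party side: do not accept identifiers from arbitrary providers. The following is an added example, not code from this thread or from any OpenID library. It normalizes a user-supplied claimed identifier (a simplified form of the URL normalization described in the OpenID 2.0 spec) and accepts it only when its host appears on a constructed allowlist; the hosts in `TRUSTED_PROVIDER_HOSTS` and the `accept_login` helper are assumptions made for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: hosts of OpenID providers this relying
# party is willing to trust. A real deployment would load this from configuration.
TRUSTED_PROVIDER_HOSTS = frozenset({
    "me.yahoo.com",
    "www.google.com",
    "openid.example.org",   # placeholder for a self-hosted provider
})

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_claimed_identifier(raw: str) -> str:
    """Simplified OpenID 2.0 URL normalization of a user-supplied identifier.

    Adds a missing scheme, lowercases scheme and host, supplies a default path,
    drops the fragment and rejects XRIs (i-names), which this example does not handle.
    Raises ValueError for anything that is not an http(s) URL.
    """
    s = raw.strip()
    if not s:
        raise ValueError("empty identifier")
    if s.startswith("xri://") or s[0] in "=@+$!(":
        raise ValueError("XRI identifiers are not accepted by this relying party")
    if "://" not in s:
        s = "http://" + s          # the spec says to assume http when no scheme is given
    parts = urlsplit(s)            # urlsplit already lowercases the scheme
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("identifier must be an http(s) URL with a host")
    host = parts.hostname.lower()
    port = parts.port              # raises ValueError on a malformed port
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def provider_is_trusted(claimed_id: str, allowlist=TRUSTED_PROVIDER_HOSTS) -> bool:
    """True when the identifier's host is on the allowlist (exact match, no suffix matching)."""
    host = urlsplit(claimed_id).hostname
    return host is not None and host.lower() in allowlist


def accept_login(raw_identifier: str) -> Optional[str]:
    """Return the normalized identifier if it is acceptable, else None.

    This gate runs before discovery and the redirect to the provider; it does not
    replace verifying the provider's signed assertion afterwards. Because an
    identifier URL may delegate to a different OP endpoint, the same allowlist
    check should be repeated on the endpoint found during discovery.
    """
    try:
        claimed_id = normalize_claimed_identifier(raw_identifier)
    except ValueError:
        return None
    return claimed_id if provider_is_trusted(claimed_id) else None


if __name__ == "__main__":
    for candidate in ("me.yahoo.com/alice", "http://spam.example.net/bot", "=alice"):
        print(candidate, "->", accept_login(candidate))
```

The allowlist is matched exactly on the host rather than by suffix, so an identifier on a look-alike domain is rejected rather than matched by accident; as the docstring notes, the check only gates which providers you talk to and must be paired with the normal verification of the provider's signed response.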

I am surprised that someone who has used Stack Overflow couldn't think of a reason NOT to use OpenID - because it is annoying as hell?!

Ted Dziuba did a much better job tearing into OpenID than I could, so just read what he wrote.

Another good reason - Facebook Connect already seems to be very good. As Facebook membership continues to grow, this will make Facebook Connect support much more valuable.

At some point, I believe Facebook could make Connect an OpenID provider ... but really, why would they need to?

0
Jan 09 '09 at 5:54

From what I can tell, it seems that an OpenID provider is not required to give out the account holder's email address, although some do.

If your service requires an email address to communicate with your users (for example, to send a newsletter, which many people who have never heard of RSS prefer), you may need to take the OpenID and then collect and verify the email address yourself.

A system that requires only an email address and password and uses an activation email will be less work for users.

0
Sep 27 '09 at 2:54
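When the provider hands back no email address, the relying party has to collect one and prove the user controls it, which is the activation-email flow the answer mentions. The code below is an added example, not code from this thread: it issues a signed, time-limited activation token that binds the OpenID claimed identifier to the email address the user typed in, and verifies that token when the activation link is visited. The signing key, the one-day lifetime and the `activation_link` URL layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed for this example: a per-deployment signing key. In production load it
# from configuration or a secret store; never hard-code it.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60   # activation links expire after one day (assumed)


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def make_activation_token(claimed_id: str, email: str,
                          secret: bytes = SERVER_SECRET,
                          now: Optional[float] = None) -> str:
    """Create a signed, time-limited token binding an OpenID claimed identifier
    to the email address the user supplied after logging in with that OpenID."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"id": claimed_id, "email": email.strip().lower(),
         "iat": issued, "nonce": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    return _b64(payload) + "." + _b64(_sign(payload, secret))


def verify_activation_token(token: str,
                            secret: bytes = SERVER_SECRET,
                            now: Optional[float] = None,
                            max_age: int = TOKEN_TTL_SECONDS) -> Optional[Tuple[str, str]]:
    """Return (claimed_id, email) if the token is authentic and unexpired, else None.

    The signature is checked before the payload is parsed, so a tampered token never
    reaches json.loads, and the comparison is constant-time.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):       # wrong shape or bad base64 padding
        return None
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None
    data = json.loads(payload)
    current = int(time.time() if now is None else now)
    if current - data["iat"] > max_age or data["iat"] > current + 60:
        return None                        # expired, or issued in the future
    return data["id"], data["email"]


def activation_link(base_url: str, token: str) -> str:
    """Build the URL placed in the activation email (the path is an assumption)."""
    return f"{base_url.rstrip('/')}/activate?token={token}"


if __name__ == "__main__":
    tok = make_activation_token("https://openid.example.org/alice", "Alice@Example.com")
    print(activation_link("https://www.example.com", tok))
    print(verify_activation_token(tok))
```

Only after `verify_activation_token` returns a pair should the relying party mark the email as confirmed for that OpenID; the email is lowercased and stripped at issue time so the stored address matches what was verified, and the `iat` check keeps a leaked old link from working indefinitely.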

The number of providers of your OpenID accounts (Google, Yahoo, Twitter, etc.) equals the number of accounts you can automatically use to log in to a site that supports OpenID. This, of course, is not an advantage, and it can be a big disadvantage.

0
Apr 12 2018-10-12T00: