Why OpenID will fail

Martin Strandbygaard just gave an introductory talk about OpenID at Open Source Days in Denmark. Given the recent discussion about OpenID and security, mostly the phishing opportunities it created, I was interested to hear the talk.

Yes, I have an OpenID. I use it at maybe 2-3 sites. Why so few? Because most sites haven't adopted it yet.
Martin gave an overview of the sites that already allow people to log on with OpenID, and also of the sites that today let you create an OpenID identity with them which you can then use elsewhere. Yes, you can use your LiveJournal or Yahoo account as an OpenID. I'm not doing that: I'm running my own open source OpenID server (funny he didn't touch that subject).

When he continued to discuss adoption he mentioned that even the company from Redmond was starting to allow people to log on with their OpenID, however only with an OpenID from a restricted set of OpenID servers.

I asked where on the Yahoo site I could log on using an OpenID, and my fear was confirmed: you can't. So Yahoo indeed is promoting OpenID, but why? So they can see which other services their users are using and quickly acquire them?

And according to Martin, various other sites that allow OpenID authentication are gearing towards accepting just a limited set of OpenID services, the ones they have partnerships with.

Now I don't want to use a 3rd-party OpenID server; I have my own, and I want to control my own data. For services that use the above-mentioned mode, trusting only a limited set of OpenID providers, my personal OpenID is useless. I would once again end up having to sign up with different OpenID servers, which pretty much voids the whole idea of not having to keep different username/password combinations around :(

One of the questions from the audience was about how strong the authentication of an OpenID logon is. The fact is that you can make it as strong as you want: if you build an OpenID server you could go with plain-text authentication over HTTP, basic authentication over HTTPS, or even build an authentication system on a challenge-response framework.
The bigger question, however, is how and what data goes to the OpenID consumer.
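To make the two points above concrete, here is an added example (my own illustration, not code from the post, from Martin's talk, or from any OpenID library): the consumer side runs OpenID 1.1-style discovery on a claimed identifier's page and then applies the "restricted set of OpenID servers" policy that the partner-only sites use, so you can see exactly why a self-hosted provider gets rejected; the provider side shows the other half of the question, a consent filter that decides which profile fields actually reach the consumer. The host names, the sample identifier page, the profile and the consent records are all constructed for the example.

```python
"""Added example (not code from the post or from Martin's talk): a minimal model
of two OpenID decisions discussed above, written from a defender's view.

Relying party (consumer) side: discovery reads the claimed identifier's page,
finds the provider endpoint, and a site that trusts only partner providers then
checks that endpoint against an allow-list. Provider (OP) side: the server
decides which profile fields reach the consumer, based on the user's consent.

All host names, the sample page and the consent records are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed: the HTML a relying party would fetch from a self-hosted
# identifier URL. OpenID 1.1 discovery looks for these <link> elements.
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<link rel="openid.server" href="https://id.example.net/openid/server">
<link rel="openid.delegate" href="https://id.example.net/users/alice">
</head><body>Alice's home page</body></html>"""


def normalize_identifier(identifier: str) -> str:
    """Canonicalise a user-typed identifier the way OpenID consumers do:
    default scheme http, lower-case scheme and host, no fragment, '/' path."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    host = (parts.hostname or "").lower()
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/",
                       parts.query, ""))


class _OpenIDLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate <link> targets."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        rels = (attr.get("rel") or "").lower().split()
        for rel in rels:
            if rel in ("openid.server", "openid.delegate") and href:
                self.links.setdefault(rel, href)


def discover(html: str) -> dict[str, str]:
    """Return the provider endpoint (and delegate, if any) found in the page."""
    parser = _OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    if "openid.server" not in parser.links:
        raise ValueError("no openid.server link in identifier page")
    return parser.links


def provider_allowed(endpoint: str, allowed_hosts: set[str],
                     require_https: bool = True) -> bool:
    """The 'restricted set of OpenID servers' policy: accept an assertion only
    if the discovered endpoint belongs to a partner host (and uses TLS)."""
    parts = urlsplit(endpoint)
    if require_https and parts.scheme.lower() != "https":
        return False
    return (parts.hostname or "").lower() in allowed_hosts


# Constructed provider-side data: the user's profile and which fields the user
# agreed to release to which consumer (keyed by the consumer's trust root).
USER_PROFILE = {"nickname": "alice", "email": "alice@example.net",
                "fullname": "Alice Example", "dob": "1970-01-01"}
CONSENT = {"https://blog.example.org/": {"nickname", "email"}}


def release_attributes(trust_root: str, requested: list[str],
                       profile: dict = USER_PROFILE,
                       consent: dict = CONSENT) -> dict[str, str]:
    """Provider-side filter: only fields the user approved for this consumer
    are sent, whatever the consumer asked for."""
    approved = consent.get(trust_root, set())
    return {k: profile[k] for k in requested if k in approved and k in profile}


if __name__ == "__main__":
    ident = normalize_identifier("Alice.Example.Net")
    links = discover(SAMPLE_IDENTIFIER_PAGE)
    partners = {"www.myopenid.com"}  # constructed partner allow-list
    print(ident, links["openid.server"],
          provider_allowed(links["openid.server"], partners))
    print(release_attributes("https://blog.example.org/",
                             ["nickname", "email", "dob"]))
```

Running it shows the problem from the user's side: discovery on the self-hosted page works fine and yields `https://id.example.net/openid/server`, but `provider_allowed` returns `False` because that host is not on the partner list, so the protocol is not what blocks the logon, the consumer's policy is. The `release_attributes` call shows the provider answering a request for nickname, email and date of birth with only the two fields the user approved for that trust root, which is the kind of control you keep by running the provider yourself.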

So apart from the security challenges that exist today, there are a lot of organisations claiming to support OpenID while they actually aren't, and that's the first blocking factor for quick OpenID adoption. And the ones that are adopting aren't doing it openly enough.

I fear it was a nice attempt, but I don't really think it's going to be a big success.
It should have taken off already.



#1 Martin Strandbygaard : It's a matter of trust ....

Hi Kris,

I hope you liked the talk. A couple of notes on your post.

My essential point is a matter of trust. Does the relying party trust your identity provider (which may be yourself or e.g. www.myopenid.com) to properly identify you? Just like you show a photo ID issued and verified by someone else when you open a bank account, so will you have to present an OpenID issued and verified by someone else, if you wish to use your OpenID as identification when you open a bank account.

In many cases the relying party doesn't really care what your real identity is, in which case using your own identity provider is perfectly fine. However, if your "real" (e.g. physical) identity is important to the relying party, which could be your bank, then the relying party is going to need more proof of your identity than you can provide by running your own identity provider, because you can claim to be anything.

I didn't touch on the subject of running your own identity provider, as I was trying to focus on mass use and adoption, and I don't see the average Internet user running their own OpenID server - just like average users don't run their own mail servers (many IT pros have even stopped doing so).