So, recently I went and had a look at stackoverflow.com, and decided to register. And got presented with the whole OpenID fiasco…
Thankfully the creators of the site that runs this blog are OpenID suppliers and thus I had a ready made ID. So I’m good to go.
Then I read that the BBC had hosted a meeting of the OpenID foundation after having joined a year ago. The article goes over the main bugbears I also have with the OpenID experience (quoted directly):
- First, you can be redirected from one website (the one accepting the identifier) to a different domain (that of the provider) and then returned to the first. This is confusing for an average user, especially if different wording, layout and styles are used. The attribute exchange part of the OpenID protocol works: it’s a good idea to exchange the registration parameters and to simplify steps at the receiving site. However, if implemented badly (or not implemented at all), it adds even more confusion to the journey. The confusion also adds a weak point where scammers and phishers can jump in.
- Second, all users are familiar with the username and password as the login paradigm. Suddenly using URLs, like http://openid.foo.bar/john/smith, may be difficult for a mainstream user to understand.
(However, the so-called “Generation @”, which uses instant messaging and social spaces as well as traditional email, is aging, and so the main audience segments will be people used to representing themselves with the URL of a blog, MySpace profile or Flickr account).
Now apart from the parallel the process seems to have with the Credit Card processes (Visa’s “Verified by Visa” and Mastercard’s Securecode) which is in itself a little scary, the main gripe for me is that OpenID is using a token which is at least one step removed from me.
The assumption is that each one of us has a unqiue URL, which you might argue could work if we are all signed up to MySpace, Facebook and so on. But those are social network sites, which by definition do not represent the individuals, so those URLs are out.
Ok, what about that vanity domain you have…
…well so long as you are the only one that has it, and that it matches an OpenID system somewhere and you don’t let it expire…
No. Frankly the one constant we can cope with is that email is the common denominator and that the user scheme for that is very well defined down to an individual. The idea of ” person@place ” has been around for a long time and been refined. If you have an Office PC the chances are you use the same thing, albeit reformatted slightly as: ” \\place\person “, or even ” user@host ” or some other set of synonyms.
The difference between these and the URL, is that the URL is a presentation of your data at an application level, not a user credential for access, it is an index to find your stuff, not “you”. Never mind that a URL is often a symbolic link to information, rather then the actual information, which is all good for information hiding.
There has already been some work done on the usability of the URI vs EMail and OpenID authentication process, which makes an interesting read and ends up with the idea of suggesting possible Ids based on emails. The inconsistency of the flow does worry me, in a world where most websites have become farily sensible about logins, this is just an extra barrier. The oft understated part is also that the OpenID provider is the party that vouches for you. The thing is, I might trust you, but not your provider, and I’m fairly certain my bank – amongst others – will not trust either of you. So while this is supposedly making it easier for me to login into to many places, it does so at a level that suggests that my reputation is now based on the “trustworthyness” of my login provider, rather then “me”.
I’ll be sticking to my person@place for now.