What reasons are there NOT to use OpenID?

Tags: security, web-applications, openid

Security Problem Overview


You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audience (but not quite Mom and Pops either) so I have to wonder if OpenID is going to be "too hard" for some audiences.

What do you think? That aside, are there any other technical or non-technical reasons NOT to use OpenID?

Security Solutions


Solution 1 - Security

It may be slightly inaccurate to say that the average person doesn't understand OpenID.

In most cases, with a little persuasive marketing (i.e. "USE ONE LOGIN ON ALL SITES!!!11!") they can understand that it allows them to log in at sites using one login rather than having a bunch of different usernames and passwords at different sites.

The problem, however, is that to an average user, the whole OpenID experience goes against what they believe online security to be.

  • Users won't automatically trust it

With normal username/password logins, users understand that a password should be kept secret, and that's what protects their privacy when they log in at a site. How are they to understand the exchange that goes on between an OpenID client site and their OpenID provider? All they know is they didn't have to put in a password (assuming they're "always logged in" at their OpenID provider) - so it's not secure, right? I mean, in the eyes of a user, how can it be secure if they didn't give a password? This can lead to user mistrust.

  • It makes phishing easy

(Many) users know that it is wrong to re-use the same password for different accounts, yet this appears to be precisely what OpenID is doing. What if a user simply assumes that all their OpenID provider is doing is sharing their password with all participating sites? I mean, how else could OpenID be 'logging in for them' on all these sites? If the user assumes that through OpenID, their password becomes known to all participating OpenID sites, they may assume that it is quite reasonable to give out this password to any of those sites. It's a phishing nightmare. Imagine putting this phrase on your site: "Please enter your (some OpenID provider) username [ ] and password [ ]". You're phishing people already.

We mustn't forget, too, that a user would be right in their suspicions in one regard even if for a slightly different reason: if someone gains access to their OpenID provider they gain access to their identity at all sites where they have used that identity, which is the same downside to using the same password at multiple sites.

  • It deviates too much from what users understand

Having multiple usernames/passwords at different sites is not difficult for users to understand. Users understand the concept of usernames and passwords well, because they are used to them, and the point of security (the fact that the password is a secret) is really obvious to them. It's really clear how a password works. Having multiple username and password combinations does not make this any more confusing or complicated - it is just the same thing, but more than one of them. While remembering multiple passwords can be difficult, users at least know how to do it, and how it works.

OpenID tries to solve the problem of remembering multiple passwords, but in the process it creates an entirely new paradigm, one which is completely opaque to the users. Unlike a password, whose security is obvious (it just has to be secret), all of the security of OpenID goes on behind the scenes, with sites communicating with each other, keys and hashes, etc. The user no longer fully understands how their privacy is being protected or what is to be kept secret from whom, because they don't understand how the system works. So, in an attempt to solve a problem of remembering multiple passwords, OpenID has created a mystical system of key-exchanges that violates the user's whole understanding of how authentication works and why it's secure.

Solution 2 - Security

Average users still don't understand what OpenID is, what it's for, or how to use it. My parents would not be able to log in to Stack Overflow, for instance.

That being said, this is largely about user interface. There's nothing inherently preventing them from using OpenID - they just need a user interface that abstracts away OpenID from them, and just lets them log in with their Google account (for instance).

Solution 3 - Security

OpenID is spectacularly susceptible to phishing attempts. If you run an OpenID site, try changing the login page one day to request the identifier and password, instead of the normal approach of only requesting the identifier and redirecting to the OpenID provider to request the user's password. I bet you can get over a fourth of your users' passwords this way.

Solution 4 - Security

Yeah, security. Using OpenID puts you at the mercy of them administering their accounts. You have no control over password security and user IDs. You are trusting some other organization to verify that the people coming to your site are who they say they are. If you need to really verify that someone is who they say they are, you won't get that with OpenID without doing some sort of secondary verification yourself, in which case you might as well just not use OpenID.

http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions

Solution 5 - Security

This comes up a lot.

A good rule:

> If you need to collect and keep private personally identifiable information, don't use OpenID.
>
> If you do not need to collect and keep private personally identifiable information, go ahead and offer OpenID as a method to login.

For e-commerce, or anywhere else that you need to comply with PCI/DSS certification, I would not use OpenID.

I don't mind that SO is exclusively OpenID, however I would not make a site that used it exclusively.

Solution 6 - Security

  1. The interface is terrible.

a. Registering with OpenID takes more time and savvy. Normal registration takes very little time or savvy. Registration happens once, but it's a large upfront investment, so the site has to be very compelling.

b. Signing in involves: three pieces of data instead of two; two web pages instead of one (three at StackOverflow, actually); and an external web site. EVERY TIME.

c. There are better interfaces for this kind of solution. I use KeePass, for example.

  2. Name collisions. There's no way to ensure unique names.

  3. Security is terrible.

a. It encourages phish-like behavior. It's not as bad as "Verified by Visa," but it's close.

b. Single point of failure: If you lose anything, you lose everything. KeePass at least allows me to physically protect the password (you must have the hard drive with the encrypted database on it).

c. Cross-site tracking. Credit card companies actually have rules in place governing how much tracking they're allowed to do. Cookies can be selectively disabled or prevented in modern browsers. OpenID has no rules and no governors.

  4. It isn't actually universal. Google provides OpenID... but doesn't use them. Same for Yahoo. And for AOL. There's no incentive for an OpenID provider to allow the use of OpenIDs from other providers.

  5. OpenID is useful for authentication, but not for authorization, particularly for anything sensitive (credit cards, for example).

For me personally, I use one login/password per site, and I use KeePass (which I can protect physically and with two layers of passwords that must be cracked) to maintain the one-login-for-everywhere abstraction.

That includes StackOverflow: I created an OpenID specially for you guys, and I won't ever use it anywhere else. I did this, and I put up with the login pain because the content is compelling.

But if a real auth method were ever provided for StackOverflow, I'd jump on it in a heartbeat, just for the ease of use gains.

Solution 7 - Security

OpenID is still as insecure as every other password-based authentication method out there. In fact, it is even worse because if someone gets access to your OpenID, they have more than just that one account now. Of course there's also phishing attacks, but we're all savvy programmers, database and system administrators, so we wouldn't fall for such things, right?

Authentication security is based on trust. As others pointed out, why would you trust a third party to potentially sensitive information? Sure, you can set up an OpenID server yourself, but how much hassle is that vs. maintaining separate passwords on multiple systems? Sure, you can create secure passwords that are long and full of non-alphanumeric characters, and even store them all in a password manager (I do), but some sites are flawed in that a simple password recovery form can be filled out to gain access to reset the password.

I would probably be inclined to support and even evangelise OpenID if it did secure private key-based authentication, a la SSH or PGP. Maybe that's a matter of a provider offering such a method - I haven't looked into it [yet].

Finally, while we all trust OpenID enough to use it to authenticate on Stack Overflow, my OpenID is a "throwaway", and it's not like I'm using this as a professional reputation building tool (i.e., my real name isn't involved ;-)). I'm sure I'm not the only one (as cool and awesome as this site is!).

Solution 8 - Security

OpenID is good if all sites use it. But to register with OpenID just to use ONE site is a bit too much. Registering with OpenID is not as straightforward as directly registering on a site (from a consumer point of view).

Solution 9 - Security

It's funny for me to read this topic, it reflects exactly my experience with OpenID:

StackOverflow.com was for me the reason to get an OpenID.
Many Google searches led me to this website, and I was never able to leave comments.
I thought about registering many times, but I didn't because of OpenID. It was not clear to me what it was exactly.
But one day, I took the decision to register and it took me a while, but I don't regret it because I use it every day. It gives me a more secure feeling although I'm aware that it's only one account which would lead to many problems if it gets phished.

So for me, OpenID is a really nice way to quickly login on sites I don't know, but also on bigger websites such as StackOverflow.com
The main problem is that new users need to be pushed into the registration process then discover how great OpenID actually is.

Solution 10 - Security

I ran across an article today that makes a very strong case for skipping OpenID, from someone who was originally enthusiastic about it.

> Open ID Is A Nightmare
>
> I've always been a major proponent of Open ID. I love the idea and the intention - it's a great solution to a long-standing problem and solves a lot of issues for developers. Unfortunately it creates a ton more for business owners.

Read the rest here: http://www.wekeroad.com/2010/11/17/open-id-is-a-party-that-happened/

It's not my story so I'm not taking any credit for it.

Solution 11 - Security

It is good as an addition to normal registration, but is not very easy to use if it is the only way to log into your site. Look at registration on Stack Overflow - all sites are specially mentioned to help people understand what this is all about. And this site is for geeks :) So the minus is complexity.

Also see this link

Solution 12 - Security

If you have a site which requires a high level of security, you do not want to leave handling of your login credentials to an outside provider, where you have no control over access. If the OpenID provider gets hacked, you're leaving your security up to them.

Solution 13 - Security

Everyone can connect the things I do on one site to the things I do on other sites when using an OpenID, because it's the same everywhere. So I wouldn't use the same ID I use here for a porn site, for example.

Solution 14 - Security

There are a lot of reasons. It's one account which gives access to everything; if this is compromised you get in trouble.

If you are setting up a page which uses OpenID, then you should know everybody can set up an OpenID server (spammers can do that too).

--

But OpenID has good ideas and I like to use it!

Solution 15 - Security

I'm surprised that somebody that has used Stack Overflow couldn't think of a reason to NOT use OpenID - because it's annoying as hell?!

Ted Dziuba did a much better job of ripping into OpenID than I would, so just read what he wrote.

Another good reason - Facebook Connect already seems to be doing very well. As Facebook's membership continues to grow, it's going to make Facebook Connect support that much more valuable.

At some point I suppose Facebook could make Connect an OpenID provider... but really, why would they want to?

Solution 16 - Security

From what I can tell, it looks like an OpenID provider is not required to give out an account holder's email address, although some do.

If your service requires an email address to communicate with its users (for example, to send out a newsletter - which the many people who have never heard of RSS prefer), then you may have to capture an OpenID AND verify an email address.

A system in which just an email address and password are required and which employs an activation email message would be less work for users.
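Two of the answers above point at checks a relying party has to make itself: Solution 14 notes that anyone (spammers included) can run an OpenID provider, and Solution 16 notes that a provider is not required to hand over an email address. The following is an added example written for this page, not code from the question, the answers or any OpenID library. It assumes the relying party has already completed the protocol's discovery and signature verification and holds the positive assertion's parameters as a dict; it then (1) accepts only a signed `openid.op_endpoint` on an allowlist of provider hosts, and (2) reads an email address only from Simple Registration or Attribute Exchange fields that are listed in `openid.signed`, since unsigned parameters can be appended to the return URL by anyone. The allowlist, the conventional `sreg`/`ax` extension aliases and the three sample responses are constructed for illustration.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (added example).

Assumes openid.sig has already been verified against the association; what
remains is deciding which fields the site may rely on.
"""
from urllib.parse import urlparse

AX_EMAIL_TYPE = "http://axschema.org/contact/email"
AX_NS = "http://openid.net/srv/ax/1.0"

# Assumed allowlist: OP endpoint hosts this relying party chooses to trust.
TRUSTED_OP_HOSTS = frozenset({"www.google.com", "open.login.yahooapis.com"})


def signed_keys(params):
    """Fully prefixed names of the fields covered by the signature.

    openid.signed lists names without the "openid." prefix, e.g.
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle".
    """
    signed = params.get("openid.signed", "")
    return {"openid." + f.strip() for f in signed.split(",") if f.strip()}


def signed_value(params, key):
    """Value of `key` only if present AND signed; unsigned fields are ignored."""
    return params.get(key) if key in signed_keys(params) else None


def trusted_op_endpoint(params, trusted_hosts=TRUSTED_OP_HOSTS):
    """The OP endpoint URL if it is signed, uses https and is on the allowlist."""
    endpoint = signed_value(params, "openid.op_endpoint")
    if endpoint is None:
        return None
    u = urlparse(endpoint)
    if u.scheme != "https" or u.hostname not in trusted_hosts:
        return None
    return endpoint


def verified_email(params):
    """Email from SREG or AX, but only when the carrying fields are signed.

    Returns None when the provider sent nothing usable; the site must then
    collect and confirm an address itself.
    """
    email = signed_value(params, "openid.sreg.email")  # Simple Registration
    if email:
        return email
    # Attribute Exchange: the alias after "openid.ax.type." is RP-chosen, so
    # find whichever signed alias maps to the email type and read its value.
    for key, type_uri in params.items():
        if key.startswith("openid.ax.type.") and type_uri == AX_EMAIL_TYPE:
            if signed_value(params, key) is None:
                continue  # an unsigned type mapping could be injected
            alias = key[len("openid.ax.type."):]
            value = signed_value(params, "openid.ax.value." + alias)
            if value:
                return value
    return None


def accept_login(params, trusted_hosts=TRUSTED_OP_HOSTS):
    """Decide what the relying party may rely on from this assertion."""
    if params.get("openid.mode") != "id_res":
        return {"ok": False, "reason": "not a positive assertion"}
    if trusted_op_endpoint(params, trusted_hosts) is None:
        return {"ok": False, "reason": "untrusted or unsigned OP endpoint"}
    claimed = signed_value(params, "openid.claimed_id")
    if not claimed:
        return {"ok": False, "reason": "claimed_id missing or unsigned"}
    return {"ok": True, "claimed_id": claimed, "email": verified_email(params)}


# --- constructed sample responses (not captured from any real provider) ---
_BASE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2010-11-17T12:00:00Zabc",
    "openid.assoc_handle": "ASSOC",
    "openid.sig": "c2lnbmF0dXJlLWJ5dGVz",  # placeholder; assumed verified earlier
}
_CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
_GOOGLE_ID = "https://www.google.com/accounts/o8/id?id=EXAMPLE"

GOOD_RESPONSE = {**_BASE,
    "openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
    "openid.claimed_id": _GOOGLE_ID, "openid.identity": _GOOGLE_ID,
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.mail": AX_EMAIL_TYPE, "openid.ax.value.mail": "alice@example.org",
    "openid.signed": _CORE + ",ns.ax,ax.mode,ax.type.mail,ax.value.mail"}

# Self-hosted (possibly spammer-run) provider: protocol-valid, not on the allowlist.
ROGUE_OP_RESPONSE = {**_BASE,
    "openid.op_endpoint": "https://openid.spammer.example/op",
    "openid.claimed_id": "https://openid.spammer.example/u/bot42",
    "openid.identity": "https://openid.spammer.example/u/bot42",
    "openid.signed": _CORE}

# Trusted provider, but someone appended an unsigned SREG email to the callback.
UNSIGNED_EMAIL_RESPONSE = {**_BASE,
    "openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
    "openid.claimed_id": _GOOGLE_ID, "openid.identity": _GOOGLE_ID,
    "openid.sreg.email": "victim@example.org",
    "openid.signed": _CORE}
```

Run against the three constructed responses, `accept_login` accepts the first with `alice@example.org`, rejects the rogue provider outright, and accepts the third as a login but with `email` set to `None`, which is exactly the case Solution 16 describes: the site still has to ask for and confirm an address of its own.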

Solution 17 - Security

The number of OpenID account providers you have (Google, Yahoo, Twitter, etc.) equals the number of accounts you can automatically use to log in to an OpenID-powered website. This is certainly not an advantage, but it can be a big disadvantage.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | cletus | View Question on Stackoverflow
Solution 1 - Security | thomasrutter | View Answer on Stackoverflow
Solution 2 - Security | Scotty Allen | View Answer on Stackoverflow
Solution 3 - Security | Ross | View Answer on Stackoverflow
Solution 4 - Security | kemiller2002 | View Answer on Stackoverflow
Solution 5 - Security | Tim Post | View Answer on Stackoverflow
Solution 6 - Security | Thomas Weigel | View Answer on Stackoverflow
Solution 7 - Security | jtimberman | View Answer on Stackoverflow
Solution 8 - Security | luiscubal | View Answer on Stackoverflow
Solution 9 - Security | Daan | View Answer on Stackoverflow
Solution 10 - Security | Mark Ransom | View Answer on Stackoverflow
Solution 11 - Security | Malx | View Answer on Stackoverflow
Solution 12 - Security | MattBelanger | View Answer on Stackoverflow
Solution 13 - Security | Bob | View Answer on Stackoverflow
Solution 14 - Security | coding Bott | View Answer on Stackoverflow
Solution 15 - Security | bpapa | View Answer on Stackoverflow
Solution 16 - Security | Rich Apodaca | View Answer on Stackoverflow
Solution 17 - Security | unpangloss | View Answer on Stackoverflow