I really agree with the breakdown there. It's an over-engineered solution to a problem that doesn't really solve it all that well. I also use it to log into SO and the related sites, but frankly it's a PITA. I don't use OpenID to log into HN, and I never have to type in my credentials here, since my browser has the cookie saved.
I also use a password manager, so OpenID doesn't offer any additional security to me. As for privacy, the potential problems are too abstract for me to understand. I'm technical, but I don't understand OpenID on a deep level. I'd hardly expect your casual home user to know this either.
OpenID seems like a product that was designed in a vacuum, and should have had a stronger vision behind it. It's put together well, but the thing as a whole just doesn't do what it needs to do.
I just hovered over everything on that comment, and found out that the date (of all things!) is permalink-ish.
http://www.quora.com/What-s-wrong-with-OpenID/answer/Yishan-...
It therefore made sense to use URL endpoints as identifiers, as you could bounce people to their authorising server incredibly easily. Doing it via email address would be much harder (where would my email, andrew@ducker.org.uk, be authorised by?).
It's caught on amongst people who have URLs (bloggers, journallers, etc.). It hasn't caught on amongst people who don't (everyone else).
Unfortunately, it seems that Facebook is filling that market-- albeit without the neutrality. I don't like that. It just feels "icky" when I sign on anywhere other than Facebook using my Facebook identity. I might NOT want my Facebook picture to be seen on the sidebar of random websites by my friends. I don't particularly feel good about Facebook monetizing my preferences even if it is done in an anonymous statistical fashion. Nor do I like that sometimes I have to worry about what exactly Facebook is going to broadcast about me to the rest of the world or to my friends.
This might be nothing deeper than a superficial perception, but I simply don't trust Facebook with my identity as much as I do OpenID participants.
It's not the answer to everything - but it still works remarkably well for many.
http://www.google.com/accounts/o8/id
or http://www.google.com/profile/kilimanjaro
which I never remember, how about just providing
username@gmail.com and let gmail.com/openid/username do the magic?
Never put the burden on the user...
Or maybe that big sites like Facebook decided it would remove the monetization opportunities by creating their own universal login?
TL;DR: OpenID wasn't revolutionary in itself but the idea behind it is.
1. I decide to sign up for HN. I enter the URL of my OpenID provider. HN sends me to my OpenID provider, along with something that uniquely identifies HN.
2. I authenticate to my OpenID provider. It tells me I have not associated an ID with HN yet. I tell it to create a new one. It creates an ID for me, which I can name for my convenience, and it assigns a UUID to that ID, say 5F29ADF6-132A-43D0-889E-AD38A48D2419.
3. I'm returned to HN, and HN is given that UUID, 5F29ADF6-132A-43D0-889E-AD38A48D2419, and told that I've been authenticated. HN sees there is no HN account associated with that, and lets me create one. I get to pick a name to use on HN. I pick "tzs". HN remembers that "tzs" is associated with 5F29ADF6-132A-43D0-889E-AD38A48D2419.
4. Next time I come to HN, assuming my cookies have been deleted so I need to login again, the steps are similar. I tell HN my OpenID provider and go authenticate there. It sees that I already have associated 5F29ADF6-132A-43D0-889E-AD38A48D2419 with HN, so provides a one click way to send that ID to HN.
5. Now I decide to sign up at SO. Similar to signing up at HN. When the OpenID provider says I have no identity associated with SO, I tell it to use the same identity I use with HN, so 5F29ADF6-132A-43D0-889E-AD38A48D2419 gets sent to SO. I create my account there, again getting the name "tzs".
6. Finally, I sign up for Reddit. I decide I'll probably not be able to refrain from staying out of the technical groups there, and will end up in the politics groups, and will probably make a lot of enemies. I think I want to keep that identity separate from my more professional/respectable personas at HN and SO, so I have my OpenID provider generate a new UUID for use with Reddit: DE982C60-3164-4399-B8E5-C9F84FCE2B21.
7. With each identity I can associate personal information, if I wish, such as real name, address, phone number, email address, even credit card information if I dare. When a site sends me to OpenID to login, it can send a list of what personal information it would like. At my OpenID provider, it shows me what is being asked for, and I can decide what actually gets sent. It would have a reasonable system for managing defaults to make this unobtrusive most of the time.
With this kind of OpenID, I can easily solve the problem that is most important to me: having one good password to control access to a bunch of sites, without having to actually give that password to the sites. It is up to me if I want to use the same identity on multiple sites or not. It is up to me how much information for an identity I wish to share.
(The low level details in the above are simplified to get the ideas across. In a real implementation, there would be some kind of public/private key system involved to identify the user, rather than a simple UUID system, so that one could reasonably implement a way to let someone move their identities to a different OpenID provider without having to have HN, SO, and so on all update things on their end to recognize the new provider).
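The seven steps in the comment above, modelled as an added example that is not part of the original thread: a toy provider that lets the user choose which identifier each site sees and which attributes are released, and a relying party that stores only the identifier. All class, function and user names are hypothetical, the user is assumed to have already authenticated to the provider, and the assertion is an unsigned dict where a real provider would sign it.

```python
import uuid

class Provider:
    """Toy identity provider for steps 1-7 (hypothetical names; the user is
    assumed to have already authenticated to the provider)."""
    def __init__(self):
        self.identities = {}  # identity UUID -> {"owner", "attrs"}
        self.links = {}       # (user, site) -> identity UUID

    def new_identity(self, user, **attrs):
        ident = str(uuid.uuid4()).upper()
        self.identities[ident] = {"owner": user, "attrs": attrs}
        return ident

    def link(self, user, site, ident):
        # Steps 2, 5, 6: the user decides which identity a site gets to see.
        if self.identities[ident]["owner"] != user:
            raise PermissionError("identity belongs to another user")
        self.links[(user, site)] = ident

    def assert_login(self, user, site, requested=(), approved=()):
        # Step 7: release only attributes the site asked for AND the user approved.
        ident = self.links[(user, site)]
        attrs = self.identities[ident]["attrs"]
        released = {k: attrs[k] for k in requested if k in approved and k in attrs}
        return {"audience": site, "id": ident, "attrs": released}

class Site:
    """Relying party: stores only identifier -> local account name, no password."""
    def __init__(self, name):
        self.name, self.accounts = name, {}

    def login(self, assertion, pick_name=None):
        if assertion["audience"] != self.name:  # assertion issued for another site
            raise ValueError("assertion not issued for this site")
        # Step 3: first visit creates the account; step 4: later visits find it.
        return self.accounts.setdefault(assertion["id"], pick_name)

def run_scenario():
    # Constructed sample data: user "alice" with made-up contact details.
    op, hn, so, reddit = Provider(), Site("HN"), Site("SO"), Site("Reddit")
    work = op.new_identity("alice", email="alice@example.test", phone="555-0100")
    op.link("alice", "HN", work)
    op.link("alice", "SO", work)                          # step 5: reuse
    op.link("alice", "Reddit", op.new_identity("alice"))  # step 6: separate persona
    hn.login(op.assert_login("alice", "HN"), pick_name="tzs")
    again = hn.login(op.assert_login("alice", "HN"))      # step 4: returning user
    to_so = op.assert_login("alice", "SO", requested=("email", "phone"), approved=("email",))
    so.login(to_so, pick_name="tzs")
    reddit.login(op.assert_login("alice", "Reddit"), pick_name="anon")
    return again, to_so["attrs"], set(hn.accounts) & set(so.accounts), set(hn.accounts) & set(reddit.accounts)
```

The last two return values show the privacy trade-off: HN and SO hold one identifier in common and could correlate the accounts, while Reddit shares none with either.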