Understanding OpenID is not easy

Last year, I signed up to get an OpenID.

I didn’t fully understand what it could do but I did believe that it would become more important, not to mention useful, to have a means by which you could identify yourself with a trusted common ID on websites where normally you’d have to separately register each time with a user name and password.

I did understand the de-centralized aspect of it all where you’d choose from a selection of organizations who offer OpenID services.

I went with VeriSign’s Personal Identity Provider. Why VeriSign and not one of the other providers? Mainly because I knew of VeriSign and think of them as a trusted company in the broad area of online security.

Anyway, I’ve had my PIP OpenID identity for some while, but I’ve never actually used it.

And that’s because I still don’t really understand how to.

What is OpenID? Don’t look for an easy explanation on the OpenID website (try and understand this). Instead, the simplest-to-grasp explanation that I’ve seen is in the Wikipedia entry:

OpenID is a decentralized single sign-on system. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. Instead, they only need to be previously registered on a website with an OpenID “identity provider”, sometimes called an I-broker. Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in; OpenID solves the problem without relying on any centralized website to confirm digital identity.

TypePad has something similar with its TypeKey service, although it’s not had wide take-up outside of the TypePad community of users.

Yesterday, I received an email from PIP telling me of a range of improvements to the service.

Things like:

  • Support for OpenID 1.1 and 2.0
  • Ability to create multiple identities managed from within a single user account
  • New “tag based” profile data management interface making it easier to view and sort all of your profile data
  • Ability to download managed Information Cards for each of your created identities to use with technology such as Microsoft’s Cardspace
  • Strong authentication support via second-factor credentials from the VeriSign Identity Protection network (PayPal tokens can now be used on the PiP), along with the ability to have a one-time PIN sent via SMS or email if you’ve forgotten your credentials

Yes, well, that’s all great, and indicates advances in further developing the trusted aspects of this service, but I still don’t feel incentivized to go out and use my OpenID anywhere.

For one thing, I hardly see any websites or blogs that employ OpenID. And that’s when I actually visit websites and blogs, which I don’t do that much because I’m an RSS creator-consumer.

Mind you, one new feature from PIP which looks very interesting is the Seatbelt, a Firefox extension that lets you manage all your OpenID sign-ons without going to the PIP site all the time. Things like this start making it all easier to understand.

And on that point about understanding, I was beginning to think it’s just me with this difficulty. Then I found Jan Miksovsky’s terrific post in which he starts out with this:

[…] [OpenID] sounds great, but in practice I found the whole process bewildering. In my opinion, it’s not ready for consumer use.

Absolutely right. It seems to me that OpenID is still a very early-adoption technology, the domain of serious geeks and tech enthusiasts.

Well, I’m as enthusiastic as the next geek but I just don’t really get OpenID yet.

Maybe using tools like Seatbelt and paying attention to people like Jan Miksovsky will bring some enlightenment.

Neville Hobson

Social Strategist, Communicator, Writer, and Podcaster with a curiosity for tech and how people use it. Believer in an Internet for everyone. Early adopter (and leaver) and experimenter with social media. Occasional test pilot of shiny new objects. Avid tea drinker.

  1. Armin

    Sounds similar to encryption. All this private and public key and this and that and the other make it far too complex for “normal” people to understand it, therefore pretty much stopping general adoption. Just too much to read, too complicated geek language, something someone who just wants to get things done doesn’t want to deal with.

    I’ve had a quick look at OpenID and gave up fairly quickly as I just didn’t “get it” and with so few practical uses so far just couldn’t be bothered to spend a huge amount of time on it.

  2. Jorge García Gil

    I am a 54 year old Spaniard.
    I have nothing else to do all day but read about new technology (my hobby) and, like everything in life, OpenID is coming here to stay.
    It is very handy to travel around with just one key for all the allowed sites. In a few days I applied myself for several OpenID keys and I like Verisign best so far.

    Please give it a chance, innovation is risky but ends up settling in.

  3. Tibor

    I came across a blog that had an OpenID form field in its comment section, but I still had to fill in my name, email etc. Did not make much sense at all that way; just an extra field to fill in.

    I thought the idea would be that one would be able to use only one profile/identity (as in: your OID-url) for similar purposes anywhere.

  4. neville

    It may well be coming to stay, Jorge, but that will probably be later rather than sooner if people just don’t understand it. To your point, Armin.

    That is the idea, Tibor. At least, that’s what I understand.

  5. Mark Forman

    Good timely post Nev. I must agree. I too am very predisposed to going this route due to all the various socnets and social APIs I’ve joined. The problem is the wording of OpenID’s site is as clear as mud on a hazy day.

    So if we tech savvy early adopter types are baffled, forget about a more popular acceptance. I wonder if the average person feels similarly about using one of the podcast aggregator programs?

    We all need to push for good code and clearly written instructions as well. A well constructed app can get pretty stillborn if people can’t understand it.

  6. William Tan

    Great article that explains OpenID to the non-geeks, and I agree that for this technology to really take off, it has to be easy for people to grasp.

    Some points of clarification:

    1. i-broker is a term used to describe an entity that provides services to use an i-name with.
    2. In OpenID 2.0, you can use an i-name to log in. IMHO, i-names have a much lower mental barrier to cross for users than URLs. Just the mere exposure that OpenID uses a URL (that starts with “http:”) to log in is enough to confuse people. “So, do I use a website to log in to another website?” With i-names, it is clear that your i-name is your identity, much like your name is in the physical world. I’ve written a non-technical explanation of i-names on my blog.

    p.s. my blog is OpenID-enabled so you’d have to log in using OpenID before making a comment.

  7. Prokofy

    Sorry, but OpenID is one of the most annoying things on the Internet.

    Time and again, I go to someone’s blog, they’ve established an OpenID protocol, but when you click on the icon of OpenID itself, what you get is this geeky page about its development, and not the simple, plain-vanilla INSTRUCTIONS for how to SIGN UP FOR IT.

    I’m more than happy to put in everything they want and even fax my driver’s license, but they need a simple consumer page for HOW TO sign up.

    In vain, I struggle Googling it, asking people, trying here and there, and finally stumble on somebody else’s page where they’ve actually put in some steps — but they’re not the OpenID people.

    I make an OpenID, which gives me a URL…but of course the next time I go to a blog demanding this, what I have to do is not sign in with my user name and password, as for Live Journal or Typepad, but I have to paste in that URL. Except…now I can’t remember…what was my URL again? And back I go all over hell’s half acre trying to find what my OpenID *is*.

    It’s really insane promoting a tool like this and not having a 3-step how-to page readily available and googlable and understandable when you click on the icon. I don’t care about developing OpenID; I care about using it.

    And I’m getting so when I see an OpenID blog, I simply close it and won’t read and won’t comment.

  8. neville

    You’ve said precisely what I should have said in my post, Prokofy! Thanks.

    Btw, I started listening to Dave Winer’s podcast. Didn’t get past the first 6 minutes as it confused me even more about OpenID.

  9. jimmy

    I’m trying to get my head around OpenID, and I have a vested interest as a security consultant. It is NOT an authentication mechanism. There is nothing in the signon procedure that ensures that the detail you put into your OpenID is actually yours. In a nutshell, your OpenID does not allow any organisation to be sure that you are who you say you are.

    At the minute, it is simply a method of using one user id to log on to multiple web sites. As each website forces you to authenticate with your OpenID provider (you can set a large limit on the trust associated with the site, so you won’t have to re-authenticate each time)

    It doesn’t provide any single signon capabilities, it doesn’t provide any federated identity management capabilities.

    To an organisation looking to implement OpenID, they would have to become their own OpenID provider to ensure that the IDs provided comply with their internal security policies and that they trust the OpenIDs issued. As I can’t find a way as an OpenID consumer to dictate I will only accept OpenIDs from certain providers that you trust, you’re back at square one. Besides, that would defeat the object of it being open.

    I’ve flagged it as on my radar, but not worthy of further follow up as yet.

  10. Passwords » ITbananas

    […] The old method: RoboForm. For: listening to a podcast about OpenID. Against: a short and to-the-point article explaining the problems from the user’s perspective […]