There are reports that Google, IBM and Verisign are planning to join the OpenID Foundation. But it is not clear what this really means. Verisign is already an OpenID Provider. Will the other two also become OPs? Since Blogger (which is part of Google) will accept OpenID as a way to authenticate commenters, will Google accept OpenID in other applications as well? Notwithstanding these open questions, this is encouraging. On the flip side, there is a significant amount of skepticism about the utility and usability of OpenID. For example, only yesterday Mark Evans wrote about his poor experience with using OpenID, so much so that he feels OpenID could become an Edsel. He also quotes Devon Young and The Identity Corner to substantiate his points. This clearly suggests that those of us who advocate OpenID must address their concerns and streamline the user experience.
Benefits of OpenID – Company line
The current narrative on the benefits of OpenID is that it allows for single sign-on and that registering at a new site becomes easy and simple. But the detractors reject the benefits of single sign-on based on privacy and security concerns. They prefer to have different login credentials for different sites. Directed identity will allow a user to present a different identifier to different sites. Still, this is not satisfactory because the OpenID provider has information on a big chunk of the user’s web activity.
As a practical matter, the registration process has not been simplified even with attribute exchange. It is possible that the OpenID provider has not collected the information the site is interested in, or that the site is compelled to collect it again for legal reasons. So how do we position OpenID?
Credit cards and OpenIDs
In my opinion it is better to compare OpenIDs to credit cards. A credit card company issues cards to its members and provides a monetary guarantee to retailers. An OpenID provider issues IDs to its users and provides some form of authentication to web sites. Just as a credit card company may place a limit on the level of guarantee, web sites are at liberty to restrict the OpenIDs they will recognize and accept. Just as many of us carry more than one credit card, we may have multiple OpenIDs and use them for different occasions. Just as some department store credit cards are not accepted outside of that store, it is possible that IDs issued by some OpenID providers will not be accepted by some sites. The credit card companies have a good amount of information on our spending habits, but they are expected to maintain a certain amount of privacy. Similarly, we can expect OpenID providers to maintain the privacy of their users. But at least initially, it is the users’ responsibility to identify conforming providers.
The beauty of the credit card system is that credit management is independent of retailing. It frees retailers from evaluating the creditworthiness of card holders and from collection activities. Thus even small retailers can afford to accept credit cards, which simplifies the consumer’s life. Still, it is possible that a particular retailer asks the consumer for extra information, such as a phone number. OpenID provides analogous benefits to web site operators.
Restricting OpenID providers
Under certain circumstances, a web site operator may restrict the OpenID providers it will accept. For example, a site targeted at senior citizens would like to ensure that a new user is indeed a senior citizen, but that site cannot reasonably confirm the age of a new registrant. AARP, however, is in a position to assure that its members are indeed senior citizens. So if AARP issues OpenIDs to its members, then they can use their OpenID to register themselves on that site. Interestingly, one of the reasons Sun stated for issuing OpenIDs to its current employees is to help them get employee discounts from Sun’s partner companies.
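The restriction described above is enforced on the relying party side: after discovery has produced the provider's endpoint URL, the site checks that endpoint against a list of providers it trusts before redirecting the user. The following is an added example, not code from the original post or from any OpenID library; the provider hostnames and the `op_endpoint_allowed` function are constructed for illustration. The comparison is done on the parsed hostname rather than on the raw string, so that look-alike URLs (a trusted name embedded as a subdomain, path, query or userinfo of an untrusted host) are rejected.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hostnames of the OpenID provider endpoints this
# relying party is willing to accept (e.g. a membership organisation that
# can vouch for its members). These names are placeholders.
ALLOWED_OP_HOSTS = frozenset({
    "openid.example-provider.test",
    "id.example-member-org.test",
})


def op_endpoint_allowed(op_endpoint, allowed_hosts=ALLOWED_OP_HOSTS):
    """Decide whether a discovered OP endpoint URL belongs to a trusted provider.

    Returns a (allowed, reason) pair so the caller can log why a login was
    refused. The check is deliberately strict:
      * only https endpoints are accepted, so the redirect cannot be
        downgraded to a plaintext provider;
      * the hostname is parsed and compared exactly, which defeats
        "trusted-name.evil.test", "evil.test/openid.example-provider.test"
        and "trusted-name@evil.test" style look-alikes.
    """
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https":
        return (False, "scheme")
    # .hostname strips userinfo and port and lowercases the name.
    host = parts.hostname
    if not host:
        return (False, "host")
    if host not in allowed_hosts:
        return (False, "host")
    return (True, "ok")


def filter_endpoints(discovered_endpoints, allowed_hosts=ALLOWED_OP_HOSTS):
    """Keep only the discovered endpoints that pass the allowlist check.

    Discovery may yield several candidate endpoints for one identifier;
    this returns them in original order minus the rejected ones.
    """
    return [ep for ep in discovered_endpoints
            if op_endpoint_allowed(ep, allowed_hosts)[0]]


if __name__ == "__main__":
    # Constructed sample endpoints as discovery might return them.
    samples = [
        "https://openid.example-provider.test/server",
        "https://OPENID.EXAMPLE-PROVIDER.TEST:443/server",
        "http://openid.example-provider.test/server",
        "https://openid.example-provider.test.evil.test/server",
        "https://openid.example-provider.test@evil.test/server",
        "https://evil.test/?next=openid.example-provider.test",
    ]
    for ep in samples:
        print(ep, "->", op_endpoint_allowed(ep))
```

A site that wants to accept any provider can skip this check entirely; the point of the allowlist is the AARP-style case, where the assurance the site needs comes from who issued the identifier, not from the protocol itself.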
The OpenID verification protocol involves too many redirections between the web site and the OpenID provider. These redirections can be confusing and are also prone to phishing attacks. We need to address this concern as well. Verisign has a Firefox plug-in called Seatbelt that simplifies the log-in procedure. But there is a simpler way that anybody can follow as long as the browser supports tabbed windows. The idea is to visit the OpenID provider in the first tab, log in there, and leave that tab open for the rest of the session. If we then use other tabs to visit the web sites of interest, there is no need to provide login credentials again. So if a web site presents a screen asking for login credentials, we will know that a phishing attack is under way.