Quora archive · Dec 20, 2010 11:00 AM PST

Question

What’s wrong with OpenID? Why hasn’t it taken over the world?

Answer

Yishan has a pretty extreme indictment. Several valid issues there, but I don't agree on 2 fronts: that there isn't a real problem, and that OpenID is valueless.

First front. There IS a problem. I don't like any of the "solutions." They are jury-rigged non-solutions that we use only because nobody has come up with a better one. The closest "good" solution we are all used to is physical locks and keys plus identity documents like driver's licenses and passports/visas. The fact that engineers quibble that security and identity are distinct is one element of why they don't get it right. Security and identity are intimately, inseparably related in the user's mind. If I am caught opening a door with a key, it is my driver's license, cross-checked against a list of legitimate building residents, that shows whether my access is legitimate or not. So you shouldn't even attempt to solve one problem in isolation. Solve both or neither. There is a reason why identity documents like ID cards have security elements (watermarks, biometrics, whatever), and security artifacts like keys have identity elements (serial numbers, etc.).

That process works well. We all carry a handful of keys and magnetic access cards and ID documents. We mostly trust the system and the location of our own keys and our sense of who else has keys and why, and how new people can get keys. Ditto identity.

From the point of view of the lock-and-key-and-ID-documents metaphor, the Web asks us all to become janitors and carry a hundred keys around to feel truly secure. Worse, we carry these around with a very poor sense of who else has keys, why, and what it takes to steal a key.

The situation with identity is slightly better if you are used to international travel. The identity scheme in the physical world (driver's license, SSN, passport, visas) is more lightweight than the Web's within a single country, and more heavyweight if you travel internationally and aren't carrying a common "no visa needed" passport like a US passport.

But overall, remembering logins/passwords is a fundamentally more annoying process than carrying keys. Basically no solution feels truly trustworthy other than remembering a unique password for every important service in your head. I, for instance, solve the problem with a tiered, triage solution: unique passwords that I change frequently for critical services, somewhat formulaic but quasi-unique passwords for the next tier, the same username/password for non-critical ones, and passwords I actually share with others for truly irrelevant situations.

Facebook is starting to make the bottom layer or two unnecessary. Good.

But there is still no good solution for the top few. I don't think there CAN be one without a physical/hardware artifact in the loop. Bits are just too easy to copy. The only thing all of us really trust is a physical artifact that really cannot be in 2 places at once, and requires a physical copying process to replicate.

Now on OpenID. Is it as terrible as Yishan suggests? I don't think so. It seems to have delivered some value as an exploratory engineering solution. Learn from it, move on. I don't feel like criticizing it in hindsight, because I doubt I could have come up with a better idea back when it was first proposed, and its issues were not clear. Maybe others had the vision to predict the failure back then.

I think the most important lesson to draw from OpenID is to simply make solutions intelligible. I am moderately technical when it comes to IT stuff, and even I had to struggle for a while before I could wrap my head around the idea of using a domain name as the source of an identity. It is simply not a natural user experience metaphor for the problem it is trying to solve.

A successful solution will probably draw extensively on our familiar security-and-ID user experience metaphors like locks, keys, mailboxes, passports, visas and driver's licenses. Facebook is slowly getting there (it is a passport+visa system in terms of identity, so they need to build out the "citizen of Facebook" end of the metaphor...)