Oli Warner About Contact Oli on Twitter Subscribe

Pros and Cons of OpenID

Tuesday, 20 February 2007 openid webdev

The term “OpenID” has been banded around a lot in the previous few days with people on both sides of the fence making their views on the system known.

More importantly (some would think), major account providers have said they are going to support the system, the biggest at the time of writing is AOL who switched OpenID compatibility on over 63million of their accounts.

If you want to know more about OpenID, you can read some of my previous posts (OpenID gets support, 63,000,000 new OpenID accounts overnight) or go to the OpenID project page.

Note: This is a working document. If there is something that you feel I haven’t addressed, say so in the comments and I’ll edit it in.

Contents

  1. Complexity means failure
  2. Security, hacking and more security
  3. Performance
  4. What's the point?
  5. Privacy
  6. Spam

1. Complexity means failure

The concern is: increasing the complexity and processes involved in authenticating people will invariably mean there are higher failure rates (ala Murphy's Law)

Con: There is truth in that bringing other providers into the equation is going to weaken stability. If a provider's server is down, people with that provider cannot login to your site.

Pro: Implementing OpenID means you're taking the old step of authentication out of the equation. You don't have to deal with people not being able to login due to user error because that is all done with their provider.

2. Security, hacking and more security

Another sentiment from would-be implementers and users alike is the security of their account. Surely if they can get your OpenID, they get everything you use it for.

Con: Yes, your whole identity can be used until you sever access to the account.

Pro: This is no less secure than existing systems that run through email. If your usernames and passwords get sent to your email address (the current "popular" form of identity centralisation) and your email account is hacked, you've lost just as much.

The security behind OpenID is also a lot more complex. Some people believe this provides more "weak points" than traditional username/password systems.

Pro: The weak point in the system is the user. 99% of users pick details that are far too weak and this is primarity because they have too many of the damned things to remember in the first place. Bring the number of accounts down and you bring the ability to remember a stronger login up. Whether people can be educated into this is another thing.

Pro: The security is also scalable between providers. If you want SSL encryption when you login, you do not have to rely on the server to provide it because your provider can give it. If you want SmartCard authentication with crazy custom-made applications, you can build your own system that does this. Security on OpenID is not limited to the lowest denominator.

Semi-Con: Keylogging can still be an issue, just as it would be with your email account. Nothing worse than existing systems and so much better for most instances.

3. Performance

Some people think that performance will suffer due to the added complexity — even that the performance of their web-applications' performance is at the mercy of 3rd party providers.

Con: Redirecting people through their provider for authentication does have overheads.

Semi-Pro: As long as the provider is up and running overheads are truly very minimal.

Con: And if the provider is down? Well quite.

Semi-Pro: If people have dodgy providers, they can change. Delegation means you can keep your URL and use whichever provider you like, with as much, or as little security as you like.

4. What's the point?

For many non-techie types, I'm sure that a lot of people will just see this as another account. Why should they have one especially if sites they use don't support it?

Pro: OpenID will likely be provided by services that they already have an account to. There's no additional burden on them.

Con: ... Apart from the URL, you mean?

Pro: Yes okay, okay. But the point is to allow you to identify yourself as yourself around the web. Why should your online persona consist of 150 different accounts and logins when you're one person? One URL to show who you are is the future

5. Privacy

Does one URL on everything you use mean no privacy?

Con: Yes. If you URL is publicly visible people can track where you are. If you don't want this, you shouldn't use the same URL everywhere.

Semi-Pro: This is just the same as using the same distinctive nickname around the place. If you don't want to be recognised, don't use the same OpenID URL everywhere.

6. Spam

Does OpenID affect how we manage spam?

Semi-Con:No — but it's not supposed to. If anything OpenID makes it easy for somebody to make one OpenID account and then make a billion URLs that all delegate to that one account. You could block certain providers, but that's equal to blocking an email provider. Not great news.


Personally, I feel there's more to be gained than lost in a system like this. It is more complex and as developers, we'll need to move around various techniques to ensure quick service. I don't see this as "another Gravatar" mishap waiting to happen because we're talking about completely different things. For starters, Gravatar was as centralised as it gets. Their servers crumbled under load and that was that.

As I said near the beginning, if you have anything else that you feel should be in here, just wham a reply in the comments (soon to support OpenID =]) and I'll edit it into this document.