What reasons are there NOT to use OpenID?
You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audience (but not quite Mom and Pops either) so I have to wonder if OpenID is going to be "too hard" for some audiences.
What do you think? That aside, are there any other technical or non-technical reasons NOT to use OpenID?
Solution 1:
It may be slightly inaccurate to say that the average person doesn't understand OpenID.
In most cases, with a little persuasive marketing (i.e. "USE ONE LOGIN ON ALL SITES!!!11!") they can understand that it allows them to log in at sites using one login rather than having a bunch of different usernames and passwords at different sites.
The problem, however, is that to an average user, the whole OpenID experience goes against what they believe online security to be.
Users won't automatically trust it
With normal username/password logins, users understand that a password should be kept secret, and that's what protects their privacy when they log in at a site. How are they to understand the exchange that goes on between an OpenID client site and their OpenID provider? All they know is they didn't have to put in a password (assuming they're "always logged in" at their OpenID provider) - so it's not secure, right? I mean, in the eyes of a user, how can it be secure if they didn't give a password? This can lead to user mistrust.
It makes phishing easy
(Many) users know that it is wrong to re-use the same password for different accounts, yet this appears to be precisely what OpenID is doing. What if a user simply assumes that all their OpenID provider is doing is sharing their password with all participating sites? I mean, how else could OpenID be 'logging in for them' on all these sites? If the user assumes that through OpenID, their password becomes known to all participating OpenID sites, they may assume that it is quite reasonable to give out this password to any of those sites. It's a phishing nightmare. Imagine putting this phrase on your site: "Please enter your (some OpenID provider) username [ ] and password [ ]". You're phishing people already.
We mustn't forget, too, that a user would be right in their suspicions in one regard even if for a slightly different reason: if someone gains access to their OpenID provider they gain access to their identity at all sites where they have used that identity, which is the same downside to using the same password at multiple sites.
It deviates too much from what users understand
Having multiple usernames/passwords at different sites is not difficult for users to understand. Users understand the concept of usernames and passwords well, because they are used to them, and the point of security (the fact that the password is a secret) is really obvious to them. It's really clear how a password works. Having multiple username and password combinations does not make this any more confusing or complicated - it is just the same thing, but more than one of them. While remembering multiple passwords can be difficult, users at least know how to do it, and how it works.
OpenID tries to solve the problem of remembering multiple passwords, but in the process it creates an entirely new paradigm, one which is completely opaque to the users. Unlike a password, whose security is obvious (it just has to be secret), all of the security of OpenID goes on behind the scenes, with sites communicating with each other, keys and hashes, etc. The user no longer fully understands how their privacy is being protected or what is to be kept secret from whom, because they don't understand how the system works. So, in an attempt to solve a problem of remembering multiple passwords, OpenID has created a mystical system of key-exchanges that violates the user's whole understanding of how authentication works and why it's secure.
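What the "keys and hashes behind the scenes" amount to in practice, as an added illustration that is not part of the original answer: in OpenID 2.0 the provider signs its assertion with an HMAC key it agreed with the relying party beforehand, and the relying party verifies that signature, so no password is ever sent to the site the user is logging in to. The association handle, MAC key, endpoint URLs and nonces below are constructed sample values.

```python
import base64, hashlib, hmac

# Constructed sample association: RP and provider agreed this MAC key earlier.
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = b"\x01" * 32                  # HMAC-SHA256 association key (sample value)
RETURN_TO = "https://rp.example/openid/return"
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]
REQUIRED = {"op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"}
SEEN_NONCES = set()

def sign(fields, signed, mac_key):
    # Key-Value Form (spec section 6.1): 'key:value\n' per signed field, in the
    # order listed in openid.signed, 'openid.' prefix stripped; then HMAC, base64.
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def provider_assertion(claimed_id, nonce):
    # The positive assertion the provider redirects the browser back with.
    f = {"openid.ns": "http://specs.openid.net/auth/2.0",
         "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/auth",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": RETURN_TO,
         "openid.response_nonce": nonce,
         "openid.assoc_handle": ASSOC_HANDLE,
         "openid.signed": ",".join(SIGNED_FIELDS)}
    f["openid.sig"] = sign(f, SIGNED_FIELDS, MAC_KEY)
    return f

def rp_verify(fields):
    # Relying-party side: returns the verified claimed_id, or None on any failure.
    signed = fields.get("openid.signed", "").split(",")
    if (fields.get("openid.mode") != "id_res"
            or fields.get("openid.return_to") != RETURN_TO
            or fields.get("openid.assoc_handle") != ASSOC_HANDLE
            or not REQUIRED <= set(signed)):
        return None
    try:
        expected = sign(fields, signed, MAC_KEY)   # KeyError: a signed field is absent
    except KeyError:
        return None
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return None                                 # tampered or forged assertion
    nonce = fields["openid.response_nonce"]
    if nonce in SEEN_NONCES:                        # replayed assertion
        return None
    SEEN_NONCES.add(nonce)
    return fields["openid.claimed_id"]
```

A relying party that keeps its login form to the identifier only, and relies on this signature check, never has a reason to ask for the provider's password.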
Solution 2:
Average users still don't understand what OpenID is, what it's for, or how to use it. My parents would not be able to log in to Stack Overflow, for instance.
That being said, this is largely about user interface. There's nothing inherently preventing them from using OpenID - they just need a user interface that abstracts OpenID away from them, and just lets them log in with their Google account (for instance).
Solution 3:
OpenID is spectacularly susceptible to phishing attempts. If you run an OpenID site, try changing the login page one day to request the identifier and password, instead of the normal approach of only requesting the identifier and redirecting to the OpenID provider to request the user's password. I bet you can get over a fourth of your users' passwords this way.
Solution 4:
Yeah, security. Using OpenID puts you at the mercy of them administrating their accounts. You have no control over password security and user IDs. You are trusting some other organization to verify that the people coming to your site are who they say they are. If you need to really verify that someone is who they say they are, you won't get that with OpenID without doing some sort of secondary verification yourself, in which case you might as well just not use OpenID.
http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions