honekamp.net

The Story With OpenId

There has been a lot of buzz around OpenId lately, sparked by the announcement by 37Signals that it would discontinue support for OpenId as a way to log into its site¹. Some people even conclude that OpenId might be dead already. So what's wrong with OpenId?

Technically, OpenId is a standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities.

The promise of OpenId is to no longer need literally dozens of passwords to authenticate to the variety of sites visited over time. Just present your OpenId to the digital bouncer. Your trusted OpenId provider will vouch for you and – boom – you’re in. It’s that easy. In theory.

This is particularly promising because some people tend to re-use easily memorized passwords² across different sites. Once one of those accounts is compromised, attackers have a good chance of finding other sites where the same user holds an account, and the leaked credentials open those as well.

OpenId gained some momentum when the Stack Exchange family of sites started using OpenId as the primary means of authenticating with the site. I have no idea, however, whether this means that every Stack Exchange user is really happy with OpenId or whether it is just something you have to accept and live with.

Let's apply a reality check: how does it work? Logging into a site that supports OpenId first requires you to be logged into your account at your OpenId provider. If you are not logged in there, you will be prompted to do so.

After you have logged into your account at the OpenId provider, the provider asks you to confirm that your OpenId may be released to the site you were originally trying to log into. Then you are forwarded back to that site. I can sort of see where the complaints about support effort come from.
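As an added illustration of the round trip just described (this is example code written for this page, not code from the original post), here is a minimal OpenID 2.0 exchange in Python: the relying party builds the checkid_setup redirect, the provider requires a logged-in user who consents before it answers with a signed id_res assertion, and the relying party checks return_to, the signature over the required fields and the nonce before accepting the login. The provider endpoint, identifier, return URL and shared association secret are constructed for the example, and HMAC-SHA256 is assumed as the association type; in a real deployment the secret comes from a prior association request and the provider is discovered from the identifier.

```python
# Added example, not code from the original post: a minimal OpenID 2.0
# round trip between a relying party (RP, the site you log into) and an
# OpenID provider (OP). Endpoints, identifiers and the association secret
# are constructed for illustration; nothing touches the network.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Shared HMAC secret, normally set up by an earlier 'associate' request
# between RP and OP. Constructed here for the example.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = b"constructed-shared-secret-do-not-reuse"


def kv_form(fields, signed_keys):
    """Key-Value Form of the signed fields, in openid.signed order:
    one 'key:value' line each, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, signed_keys):
    """openid.sig: base64 of HMAC-SHA256 over the Key-Value Form."""
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, signed_keys).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def parse_url_params(url):
    """Flatten the query string of a redirect URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def rp_build_auth_request(claimed_id, op_endpoint, return_to, realm):
    """Step 1: the RP redirects the browser to the OP with checkid_setup."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    return op_endpoint + "?" + urlencode(params)


def op_handle_request(auth_url, op_endpoint, logged_in_user, user_consents):
    """Steps 2 and 3: the OP needs a logged-in user who owns the identifier
    and consents to releasing it to this realm; otherwise it cancels. On
    success it redirects back to return_to with a signed id_res assertion."""
    req = parse_url_params(auth_url)
    cancel = req["openid.return_to"] + "?" + urlencode({"openid.ns": OPENID_NS, "openid.mode": "cancel"})
    if logged_in_user != req["openid.claimed_id"] or not user_consents:
        return cancel
    if not req["openid.return_to"].startswith(req["openid.realm"]):
        return cancel  # never send an assertion to a return_to outside the realm
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": req["openid.claimed_id"],
        "openid.identity": req["openid.identity"],
        "openid.return_to": req["openid.return_to"],
        # UTC timestamp plus random suffix: unique per assertion, lets the RP spot replays
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
        "openid.assoc_handle": req["openid.assoc_handle"],
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle", "signed"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return fields["openid.return_to"] + "?" + urlencode(fields)


def rp_verify_response(response_url, expected_return_to, seen_nonces):
    """Step 4: back at the RP. Accept only a positive assertion for our own
    return_to whose required fields carry a valid signature and whose nonce
    has not been seen before. Returns the claimed identifier or None."""
    resp = parse_url_params(response_url)
    if resp.get("openid.mode") != "id_res" or resp.get("openid.return_to") != expected_return_to:
        return None
    signed = resp.get("openid.signed", "").split(",")
    required = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}
    if not required.issubset(signed):
        return None
    try:
        expected_sig = sign(resp, signed)
    except KeyError:  # a field listed in openid.signed is missing
        return None
    if not hmac.compare_digest(expected_sig, resp.get("openid.sig", "")):
        return None
    nonce = resp["openid.response_nonce"]
    if nonce in seen_nonces:  # replayed assertion
        return None
    seen_nonces.add(nonce)
    return resp["openid.claimed_id"]


def demo(user_consents=True):
    """Full round trip: returns (accepted identity, replay result, forged result)."""
    op_endpoint = "https://openid.example/op"         # constructed
    claimed_id = "https://alice.openid.example/"      # constructed
    return_to = "https://site.example/openid/return"  # constructed
    realm = "https://site.example/"
    seen = set()
    auth_url = rp_build_auth_request(claimed_id, op_endpoint, return_to, realm)
    resp_url = op_handle_request(auth_url, op_endpoint, claimed_id, user_consents)
    first = rp_verify_response(resp_url, return_to, seen)
    replay = rp_verify_response(resp_url, return_to, seen)  # same nonce presented again
    forged = rp_verify_response(resp_url.replace("alice", "mallory"), return_to, set())
    return first, replay, forged
```

Running demo() accepts the login once, rejects the same assertion when it is presented a second time, and rejects an assertion whose identifier was edited in transit; demo(user_consents=False) yields a cancel response that the relying party never treats as a login. The extra round trips (to the provider, a login there, a consent page, and back) are exactly the steps the post describes.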

Given this scenario, I'm not sure whether this approach is really to be preferred over using traditional per-site passwords if (and I'd like to be very clear about this constraint) trusted password manager software is used. This way, the need to memorize different passwords for different sites and the problem of re-using weak passwords for several sites at least potentially³ goes away.

Of course, this works best if the passwords are generated randomly rather than assembled from the names of all aunts and uncles down to third-degree relatives. A password that is not re-used on other sites cannot, by definition, be turned against those other sites once the security of one site is breached.

  1. “We’re sad to see OpenID go. The promise was grand. Life would be simpler if we only had one login, but in this case, the cure was worse than the disease.”

  2. and thereby pose a serious security risk.

  3. Of course, it all depends on how rigorously the user applies password management.
