Is OpenID usable?

For this very first blog entry, I'd like to talk about this very good idea of "OpenID".

As it's stated on the website of the OpenID Foundation:

You may choose to associate information with your OpenID that can be shared with the websites you visit, such as a name or email address. With OpenID, you control how much of that information is shared with the websites you visit.

With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit.  Other than your provider, no website ever sees your password, so you don’t need to worry about an unscrupulous or insecure website compromising your identity.

Securing your identity with a trusted entity (but what is effectively trustable on the net?) which will only provide the information you want to a given website is a fantastic idea. There are plenty of such providers: Google, Yahoo!, WordPress, etc. One big absentee is Hotmail; with their user base, they could push adoption of the service. And by the way, Facebook, where are you?

The only concern I would have, both from the end-user's perspective and from the developer's perspective, is the usability of such a service.

Given your identity provider, you'll need to log in using one method or another. With Google, you need to click on the "Sign in with your Google Account" button and then follow their own process. With AOL, you have to enter "". With WordPress, just enter "". And so on.

First of all, do all users of these identity providers know that they have an OpenID and how to use it? The fact that Google (and some others) decided to have a dedicated button for the authentication process helps users re-use their credentials, because they know whether they have such an account. But when you need to enter a URL, is that really easy to remember (especially for AOL users)?

From the developer's perspective, either you need to use an intermediate service that aggregates all possible authentication services, or you have to implement all the different authentication techniques yourself. Good luck.

So in the end, wouldn't it be simpler to use the piece of information that everybody knows, which is the e-mail address?

With the e-mail address, you have the domain. With the domain, you could query the corresponding DNS server. The DNS server could have a special standardized entry telling the website which method to use to authenticate. Then fine, Google will reply to the website's request and start the authentication process. Very well, Microsoft Live services will authenticate.

And in the event there is no such handler, the website would tell the user: sorry, nobody can authenticate you, please create an account. And the user would proceed the usual way.

Wouldn't that be much simpler?
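To make the proposal concrete, here is a small sketch of the discovery flow described above: take the domain from the e-mail address, look up a DNS TXT record for it, and either hand the user to the discovered provider or fall back to local account creation. This is an added example, not code from the original post and not any existing standard: the record name `_auth-method.<domain>` and the TXT payload format `v=auth1; method=<name>; endpoint=<https url>` are invented here for illustration, and DNS answers come from a constructed in-memory table so the script runs offline.

```python
"""Added example: e-mail based discovery of an authentication handler via a
hypothetical DNS TXT record. The record name and payload format are assumptions
made for this sketch; FAKE_DNS_TXT stands in for real DNS answers."""

from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample zone data (hypothetical domains and endpoints).
FAKE_DNS_TXT = {
    "_auth-method.gmail.example": [
        "v=auth1; method=openid; endpoint=https://accounts.gmail.example/o8/id"
    ],
    "_auth-method.live.example": [
        "v=auth1; method=liveid; endpoint=https://login.live.example/"
    ],
    # Well-formed version, but a plain-http endpoint: must be rejected.
    "_auth-method.broken.example": [
        "v=auth1; method=openid; endpoint=http://insecure.example/"
    ],
}


@dataclass(frozen=True)
class AuthHandler:
    domain: str    # the e-mail domain this handler is allowed to vouch for
    method: str    # hypothetical method name taken from the record
    endpoint: str  # https endpoint to start the authentication at


def domain_of(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    if "@" in local or any(c.isspace() for c in domain):
        return None
    return domain.lower()


def parse_record(domain: str, txt: str) -> Optional[AuthHandler]:
    """Parse one TXT payload; reject anything not matching the assumed shape."""
    fields = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "auth1":
        return None
    method = fields.get("method", "")
    endpoint = fields.get("endpoint", "")
    url = urlparse(endpoint)
    # A plain DNS answer is not authenticated by an ordinary resolver, so at
    # minimum the follow-up exchange with the provider must be over TLS.
    if not method.isalnum() or url.scheme != "https" or not url.netloc:
        return None
    return AuthHandler(domain=domain, method=method, endpoint=endpoint)


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return FAKE_DNS_TXT.get(name, [])


def discover(email: str) -> Optional[AuthHandler]:
    """Find the first valid handler record for the e-mail's domain, if any."""
    domain = domain_of(email)
    if domain is None:
        return None
    for txt in lookup_txt(f"_auth-method.{domain}"):
        handler = parse_record(domain, txt)
        if handler is not None:
            return handler
    return None


def sign_in_plan(email: str) -> str:
    """What the website would do next, including the post's fallback."""
    handler = discover(email)
    if handler is None:
        return "no handler: offer local account creation"
    return f"redirect to {handler.method} at {handler.endpoint} for {handler.domain}"


if __name__ == "__main__":
    for addr in ("alice@gmail.example", "eve@broken.example", "nobody@unknown.example"):
        print(addr, "->", sign_in_plan(addr))
```

The handler object keeps the domain it was discovered for on purpose: whoever controls a domain's DNS can point it at any provider, so the website should only accept assertions from that provider for identities within that same domain, and should treat the record as a hint to be validated (TLS endpoint, expected format) rather than as trusted input.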
