Tuesday, November 9, 2010

Thoughts on OpenID

I've had an OpenID for over two years now, since I joined StackOverflow during the beta. A lot has probably happened since then. If memory serves correct, at least one OpenID provider went out of business. Others may have changed ownership - and new ones have surely emerged.

How have my first 2 years with OpenID been? Well, I've only set it up on a whopping 2 websites, both of which are technically oriented. I have recently started seeing OpenID as an option on a few more websites, but not a lot.

I attempted to set it up on a third (DZone), and although it allowed me to login, I could not verify my account, or join it to my non-OpenID account. This is probably just an issue with DZone, but if it was important enough, I would hope it'd be resolved.

What implications are there to third party authentication such as OpenID over time? (say, 5-10 years). Quite a lot can happen to a company in that timeframe. Especially tech companies.

Is it easy to switch OpenID providers? It seems like that is limited by whether every site you use supports adding a second OpenID or not. That may be a requirement of participating, I have no idea - so far, the two I care about have supported this.

What happens if my OpenID provider, say, starts getting hosted in China. What happens if my OpenID provider goes down for good? Will I ever be able to reclaim my account?

What happens, for instance, if my OpenID provider's SSL certificate expires? I can't get to my websites unless I accept an expired cert?

For the record - back in August (when first typing this), the MyOpenID login page was doing just this - showing expired certificate messages. Even though it wasn't apparently needed for authentication (because rest assured - I reject expired certs), it was still alarming. I hadn't even seen the domain name before - which was also worrisome.

This is what got me pondering OpenID. The concept is nice, but is it succeeding?

I am glad Google is a provider - would OpenID be at all usable still if they weren't? I at least feel safe that my Google account isn't going anywhere anytime soon. Also, it is rather convenient as I'm usually logged into gmail and just need to confirm to login.

I am curious what others think. Do you use Open ID? Do you think it is succeeding - is it convenient, or a pain? What provider(s) do you use? What websites use Open ID for the sole authentication system?

No comments:

Post a Comment