You must have heard about OpenID, haven't you? OpenID is an open authentication framework that allows an entity (a web site) to verify that you are the user you claim to be. The authentication happens at the site of your OpenID provider, and the process is the same for every entity that wants to verify your authenticity. An entity just receives an answer to the request it issues: is the person currently operating the web browser the owner of the identity they claim?
Simplification of development?
In this post I'll refer to the concept itself and to the name of the approach as "OpenID" (with some caps), and an identity URL will be named without any caps: "openid".
It seems like a neat concept to cover all kinds of authentication tasks. First, it fits the private, infrastructural use as a universal login to a set of sites (the StackExchange network, for instance). The openid is not shown to the public when used like this.
You might think that requiring all users to use OpenID aids the development of a website, since it abstracts away the authentication process. It does not. Aside from authentication you most likely need authorization, and this alone makes you implement most of the authentication infrastructure at your site.
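To make the two points above concrete (the provider answers "is this browser's user the owner of this openid?", and the site still has to decide on its own what that user may do), here is an added example that is not part of the original post. It simulates both sides of an OpenID 2.0 positive assertion: the provider signs the response with the association's MAC key (HMAC-SHA256 over the key-value form of the signed fields), and the relying party checks the mode, the return_to URL, the association handle, that every mandatory field is covered by the signature, the HMAC itself, and that the response nonce has not been seen before. Only then does it consult its own, purely local, privilege table. The hostnames, the association handle and the MAC key are constructed for the example; discovery and the stateless check_authentication fallback are left out.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed association state: in a real deployment the relying party (RP)
# and the OpenID provider (OP) establish this MAC key in the association step;
# here it is derived from a made-up secret so the example runs offline.
ASSOC_HANDLE = "assoc-example-1"               # hypothetical handle
MAC_KEY = hashlib.sha256(b"constructed-shared-secret").digest()
OP_ENDPOINT = "https://op.example/endpoint"    # hypothetical OP URL

# Fields an OpenID 2.0 positive assertion must always cover with its signature;
# claimed_id and identity must also be signed whenever they are present.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def kv_form(fields: Dict[str, str], signed: List[str]) -> bytes:
    """Key-Value Form encoding of the signed fields, the input to the HMAC."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")


def compute_sig(fields: Dict[str, str], signed: List[str], mac_key: bytes) -> str:
    """Base64 HMAC-SHA256 over the key-value form (association type HMAC-SHA256)."""
    digest = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def provider_assertion(claimed_id: str, return_to: str, nonce: str) -> Dict[str, str]:
    """Simulate the OP's answer: a signed id_res message for the given identity."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = compute_sig(fields, signed, MAC_KEY)
    return fields


class RelyingParty:
    """The web site's side: verifies assertions, then applies its own authorization."""

    def __init__(self, return_to: str) -> None:
        self.return_to = return_to
        self.seen_nonces = set()               # replay protection
        # Local authorization data keyed by openid (constructed sample).
        self.privileges = {"https://alice.example/": {"comment", "vote"}}

    def verify(self, fields: Dict[str, str]) -> Optional[str]:
        """Return the authenticated openid, or None if the assertion is rejected."""
        if fields.get("openid.mode") != "id_res":
            return None
        if fields.get("openid.return_to") != self.return_to:
            return None                        # response meant for another RP or URL
        if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
            return None                        # unknown association, cannot verify
        signed = fields.get("openid.signed", "").split(",")
        if any("openid." + k not in fields for k in signed):
            return None                        # signed list names a missing field
        required = set(MUST_SIGN) | {k for k in ("claimed_id", "identity")
                                     if "openid." + k in fields}
        if not required.issubset(signed):
            return None                        # unsigned fields could be altered in transit
        expected = compute_sig(fields, signed, MAC_KEY)
        if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
            return None                        # signature does not match
        nonce = fields["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None                        # replayed assertion
        self.seen_nonces.add(nonce)
        return fields.get("openid.claimed_id")  # no claimed_id means no login

    def may(self, openid: str, action: str) -> bool:
        """Authorization is the site's own business: OpenID only says who."""
        return action in self.privileges.get(openid, set())


def demo() -> Dict[str, object]:
    """Run a valid login, a replay, a tampered assertion and an unknown user."""
    rp = RelyingParty("https://rp.example/finish")
    alice = provider_assertion("https://alice.example/", rp.return_to,
                               "2011-04-20T10:00:00Zabc")
    carol = provider_assertion("https://carol.example/", rp.return_to,
                               "2011-04-20T10:00:01Zdef")
    forged = dict(alice)
    forged["openid.claimed_id"] = "https://bob.example/"   # signature no longer matches
    return {
        "alice": rp.verify(alice),
        "alice_replay": rp.verify(alice),
        "forged": rp.verify(forged),
        "carol": rp.verify(carol),
        "alice_can_vote": rp.may("https://alice.example/", "vote"),
        "carol_can_vote": rp.may("https://carol.example/", "vote"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Carol's login is accepted, yet she can do nothing on the site: the provider vouched for her identity, but the privilege table is the site's own, which is exactly why delegating authentication removes less work than it first appears.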
What OpenID actually makes possible is to associate your activities across several sites automatically. When you log in to one web site, it may automatically collect your information on another site, and be sure that the account found is yours. Based on the properties of the account found, it may, for example, grant you certain privileges. For instance, you get the ability to vote on all StackExchange sites if you have large enough reputation on one of them, and this association happens without requiring anything from the user. However, even that was problematic for the StackOverflow.com developers, who are surely among the top professionals in Web technologies.
Better user experience?
The one who benefits most from that usage is the user. Instead of making a lot of accounts on different sites they can just make one, and log in to different places, their password never being exposed to those sites by the protocol's design. However, everyone is used to the current situation, and users rarely realize that there are benefits of that sort... well, more about it later.
Another way to employ OpenID is to provide credible authenticity information on the content in a Web 2.0 social site. The most widespread use of it is the openid of a commentator published near their comment. Personally, I think it's largely underused (I wrote about it in my previous article about OpenID), but that doesn't matter now. It is not the problem with OpenID.
You see, OpenID has been around for quite a while. I recall LiveJournal adopting OpenID as one of the mechanisms to authorize comments in 2006. According to Wikipedia, the OpenID 1.0 spec was released in 2005, and it still hasn't changed much, nor has it gotten much traction. What's the matter?
I guess there are two reasons. Tightly coupled, these attitudes inevitably appear wherever technical progress comes, and poison it. They are conservatism and the stupidity of the crowd.
If you read nearly any anti-OpenID rant (like this one: "OpenID is a Nightmare"), you'll inevitably notice dependence on a third party among the primary concerns. "How come? Our business would depend on something!", they say. Well, let's look at some history.
Remember the times when there was no centralized electric energy production? People just used torches to light their homes, animal labor to plough their farms, and dug underground storages to keep food in a cold environment. That was awful. You may test how this feels if you spend a weekend without electricity in the country—if you have a supply of candles, of course.
What do the opponents of OpenID as an authentication system propose? They say that dependence on externally provided utilities weakens their system and leads to outages. But the same happens with electricity and with transportation in cities, and people eventually learned how to deal with traffic jams, lack of electricity and other such problems. And without depending on various external entities we would still read by candlelight, and our cities would never have reached today's scale of millions of inhabitants. Wouldn't you want that for your website?
What does it require you to do? Just accept that 0.1% of the time users will fall back to a backup password, or use your services for free (anyway, you do not reimburse subscription costs when a user is unable to access your site because of their Internet provider, do you?). I think it will make the Internet a better place by finally decoupling different services to different vendors. Time to stop the feudal division of the Net!
Stupidity of the crowd
But the conservatism of the vendors is the minor issue here. The other essential component of successful adoption is the users. And here lies the serious problem.
Users, as a massive crowd, are just stupid. They do not get it.
What should OpenID be, for the end user? It should be an open protocol that allows you to claim authenticity of your actions performed on various websites in a universal way. Is an average "end user" able to understand what it is about, or at least to read that sentence? Hardly.
A Web search engine? Too hard: it is a concept. Now they call it "Google" even if they actually use Bing, Baidu or Yandex. For instance, I know for sure that developers in Yandex, the largest Russian Web search engine, use "google it" in their daily conversations.
A small computer which is also a phone (a.k.a. smartphone)? No, too hard. They buy iPhones. A PC that looks like a tray? No, too hard as well: I want an iPad.
I'm glad that my Nokia n900 smartphone (or, a small PC?) is hard to confuse with an iPhone, because it resembles a brick more than an electronic device.
See what's happening here? OpenID on its own doesn't have a chance. It did not succeed and it never will, because it's a concept rather than a product. To make it succeed, popular web services should promote themselves as products, and use OpenID as a backend. This way web site developers wouldn't care whether you log in with Facebook, Twitter or any other kind of service; they'd just hook into the OpenID part of them.
On the contrary, services that call themselves "OpenID providers" (such as myopenid.com) do a lot of harm to OpenID adoption. They sell concepts, they sell backends to people to whom they are unsellable. Backends should be sold to programmers, products to people.
Facebook, Livejournal, Blogger, Telnic, Linkedin — a lot of sites store identity information, but only one of the listed serves as an OpenID provider, and, by unfortunate coincidence, outside of Russia it is mainly to host blogs of teenage girls.
"None of us is as stupid as all of us," said Joel Spolsky three years ago, but the idea had surely been there for centuries. There is too much abstraction here; OpenID is a concept as well as a concrete protocol. The crowd doesn't want concepts, it wants products. And developers want the products to comply with concepts. So, make all products comply with OpenID, and the Internet would be a better place. Will you?..
So, while the wide acceptance of OpenID would surely make the Internet a better place, the effort required is beyond anyone's reasonable expectation. Including mine.
Author Paul Shved
Modified April 20, 2011
License CC BY-SA 3.0