SXSWi: A Critical Look at Open ID

Open ID panel

Artur Bergman, George Fletcher, Jason Levitt, David Recordon, Andy Smith, and Simon Willison.

Simon started off. Open ID attempts to solve the username and password mess. It’s a single sign on. Many attempts from the past have not worked, but some have changed names and evolved somehow. He says single sign on (SSO) betrays the principles of the web, but Open ID is a decentralized SSO. Open ID is a URL, a unique identifier. You only have to prove you are the owner of that URL. Can help you with signing in and with registration.

OpenID 2.0 just came out from Yahoo. Cuts out some of the steps involved in entering your ID. He showed a chart comparing OpenID with the way email works. Interestingly similar.

Artur commented that OpenID is more secure than email. Then the planned conversation fell into disarray because nobody could get Jason’s computer to show on screen. They punted by allowing questions and just talking more casually.

Someone asked if Open ID 2.0 had more methods for anonymity than 1.0. The answer was that it came from elsewhere. It’s also possible to be redirected to an evil site instead of the open id site. A good relationship with an open id provider can help protect you from phishing attacks. There may be a system of building up trust for certain Open ID providers.

Jason finally put his stuff on a thumb drive and used someone else’s computer to display it, so the discussion went back to the planned talk. He talked about Open ID at Yahoo. It’s a provider, not a relying party, for Open ID. Yahoo only supports Open ID 2.0. Usually if something just says Open ID without the 2.0, it won’t be 2.0.

There’s a lot of support in open source for open id (Drupal, Joomla). Once one company, such as 37 Signals, starts using open id, other businesses in the same niche adopt it as well.

The organizations that benefit from open id right now are small organizations. As people become accustomed to open id on various small sites, the demand for it will grow. Open id helps with authentication.

A problem mentioned is the “single point of failure,” where if somebody gets your open id, they then have access to 50 sites where you do business. Keep something like an “I can’t sign in to my account” function for the single point of failure problem. You can fall back to a different open id provider that way. Or allow users to associate more than one open id with an account.

In a case of identity theft, one way to deal with it is to have redundant providers.

SXSW photos at Flickr. Can’t upload photos today, dunno why, but look for photos later.
