Is OpenID a flawed concept?

I'm not asking about specific implementations, I'm not asking about the global world view of cross site single sign on mechanisms, I just want to know what the community thinks about the underlying usability of OpenID. Do you think using a URL issued by a (to the non-technical observer) random assortment of providers in place of an actual user name is something that people are going to prefer? If not, does anyone have a better mechanism? If there's enough interest, I'll follow up with a more general SSO question.

cortijon asked Nov 04 '08 19:11



2 Answers

NO.

I don't think it is a fundamentally flawed system. In terms of usability I'd say it is flawed as it is a departure from the norm, and harder to get used to, i.e. URL instead of a username, having to pick a provider. But I think they are the only problems, and things can be and are being done that improve them (usability tweaks on log-in pages, Yahoo and Google raising awareness of the idea).

Aside from that, I think it's a great system:

  • I remember one account ID password combination (I don't need to rely on software solutions to the many ID->password problem)
  • I don't need to fill out a form when I go to a new website, and wait for registration emails to confirm it.
  • If I don't trust an OpenID provider, I can become my own provider, relatively easily, which I personally think is a great achievement for a standard. Making something so versatile and (AFAIK) easy is, to me, really something.
  • It decouples the responsibility of building a website from password storage and security, when both jobs are becoming increasingly difficult.
  • I don't actually know much about this next point, but I think it's very easy to use one OpenID account to host multiple personas, which can be used for different websites e.g. "that's my work persona, that's what I present when I sign up for ilovemyjob.com. And this is my friend persona, I use that for facebook" and the different personas have different information tied to them. Like I say I don't know much about how this is done, or exactly why it would be useful... but I will find out what it could be good for.

That's about the main benefits I see with OpenID. In terms of disadvantages, there's the usability aspect, which I admit is a problem. The main other point that people use to criticise OpenID is that if the account is compromised, then many logins are compromised. In my opinion this is no worse than the current system of having emails tied to accounts, which could be similarly compromised, and used for that "forgot your username?" function on many websites. I'd also like to point out that OpenID is not meant to solve that problem - it's a solution to the multiple ID/password problem. However, having one password gives a greater license to keep updating it for added security - without having to rely on software remembering it for you, or forgetting all the time.

So, OpenID has its problems, but I'd say it's a good solution to the multiple ID/password problem.

References:
Interesting Google Talk on the subject

Grundlefleck answered Oct 23 '22 13:10


Yes.

First, choosing a provider is difficult. If I was a less experienced user, I would ask "why do I need to share my information with X to use a site run by Y?" And then, once you get over that, you have to choose who to trust with your information. I, personally, went with Verisign because I trust Verisign. But some people might never have heard of some of these providers and would not be in a position to make an informed decision.

Second, logging in is difficult. Rather than entering a user name, I have to enter a URL (although StackOverflow makes it easier where you choose a provider and your provider user name and it makes the URL for you).

Third, if my OpenID is compromised, then all of the accounts on sites that I use OpenID on are also compromised. Some people suggest having multiple OpenIDs to overcome this, but I think that defeats the entire purpose of OpenID.

Thomas Owens answered Oct 23 '22 11:10
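Both answers turn on the "URL instead of a username" point, and the second one mentions login widgets that build the URL from a provider choice plus a provider-local username. The example below, added here and not taken from either answer or from any OpenID library, shows the two pieces a relying party needs for that: a provider-template lookup, and the identifier normalization that OpenID Authentication 2.0 (section 7.2) requires before discovery, so that "Example.com", "HTTP://example.com:80" and "http://example.com/#me" all resolve to one claimed identifier rather than three apparent accounts. The provider names and hosts (`exampleid`, `otherprovider`, the `.invalid` domains) are constructed placeholders, not real providers.

```python
"""OpenID 2.0 style identifier handling for a relying party login form:
provider-template URL building plus claimed-identifier normalization
(OpenID Authentication 2.0, section 7.2). Added example; the provider
templates are constructed for illustration and are not real endpoints."""
from urllib.parse import urlsplit, urlunsplit

# Constructed provider templates of the kind a login widget offers so the user
# types a provider-local username instead of a full URL (assumption:
# hypothetical hosts under .invalid, not real OpenID providers).
PROVIDER_TEMPLATES = {
    "exampleid": "https://{username}.exampleid.invalid/",
    "otherprovider": "https://otherprovider.invalid/users/{username}",
}

# An identifier starting with one of these (after an optional "xri://") is
# an XRI i-name/i-number rather than a URL.
XRI_GLOBAL_CONTEXT_SYMBOLS = ("=", "@", "+", "$", "!")
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_identifier(provider, username):
    """Turn a provider choice plus username into the URL the user never types.

    Delimiter characters are rejected so a username cannot redirect the
    template to a different host or path.
    """
    if provider not in PROVIDER_TEMPLATES:
        raise ValueError("unknown provider: %r" % provider)
    if not username or any(c in username for c in "/?#@:\\"):
        raise ValueError("username must not contain URL delimiters")
    return PROVIDER_TEMPLATES[provider].format(username=username)


def normalize_identifier(user_input):
    """Normalize a user-supplied OpenID identifier (OpenID 2.0, section 7.2).

    Returns (kind, identifier) with kind 'xri' or 'url'. Different spellings
    of one URL (missing scheme, uppercase host, default port, fragment) must
    map to one canonical string, otherwise the relying party would key its
    account table on an unstable value.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        # XRIs are resolved through an XRI proxy; no URL normalization applies.
        return "xri", s
    lowered = s.lower()
    if not (lowered.startswith("http://") or lowered.startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port  # None when absent; raises ValueError if non-numeric
    if port is None or port == DEFAULT_PORTS[scheme]:
        netloc = host
    else:
        netloc = "%s:%d" % (host, port)
    path = parts.path or "/"
    # The fragment is never sent to the server and must not distinguish
    # identities, so it is dropped; the query string is kept as-is.
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))


if __name__ == "__main__":
    for raw in ("Example.com", "HTTP://example.com:80", "http://example.com/#me",
                "xri://=alice", build_identifier("exampleid", "alice")):
        print("%-40s -> %s" % (raw, normalize_identifier(raw)))
```

Normalization runs before discovery and again on the identifier the provider asserts in its response; comparing the two normalized values, rather than the raw strings, is what stops trivially different spellings from being treated as different (or the same) users.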