To OpenID or not to OpenID? Is it worth it?

People also ask

Is OpenID app harmful?

OpenID itself is secure, however due to its decentralised nature it often assumes that three servers are "trusted". If these servers are not trustworthy then your security is gone.

When should I use OpenID Connect?

A wide variety of clients may use OpenID Connect (OIDC) to identify users, from single-page applications (SPA) to native and mobile apps. It may also be used for Single Sign-On (SSO) across applications. OIDC uses JSON Web Tokens (JWT), HTTP flows and avoids sharing user credentials with services.

Why do we need OpenID?

OpenID Connect lets developers authenticate their users across websites and apps without having to own and manage password files. For the app builder, it provides a secure, verifiable answer to the question: “What is the identity of the person currently using the browser or native app that is connected to me?”

Is OpenID better than SAML?

OpenID Connect is gaining in popularity. It is much simpler to implement than SAML and easily accessible through APIs because it works with RESTful API endpoints. This also means it works much better with mobile applications.
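The snippets above say OIDC hands the relying party a signed JSON Web Token instead of the user's credentials. What that buys you depends entirely on the relying party checking that token properly. The following is an added example, not code from this thread or from any OpenID library: a minimal ID token validator in Python's standard library, covering the checks OpenID Connect Core requires of a client (pinned algorithm, signature, `iss`, `aud`/`azp`, `exp`, `nonce`, `sub`). It assumes a confidential client whose tokens are signed with HS256, where the key is the client secret (OIDC Core section 10.1); the issuer URL, client id and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder values for the demo; a real relying party takes these
# from its registration with the OpenID Provider (OP).
ISSUER = "https://op.example"              # hypothetical OP issuer URL
CLIENT_ID = "example-rp"                    # hypothetical client_id
CLIENT_SECRET = "constructed-demo-secret"   # hypothetical client_secret
ALLOWED_ALGS = {"HS256"}                    # pin what we accept; never trust the header


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: str = CLIENT_SECRET) -> str:
    """Stand-in for the OP: build an HS256-signed ID token (key = client_secret octets)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class IdTokenError(ValueError):
    """Raised for any token the relying party must not accept."""


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None, secret: str = CLIENT_SECRET) -> dict:
    """Return the verified claims, or raise IdTokenError. Order: alg -> signature -> claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h_b64, p_b64, s_b64 = parts

    # 1. Algorithm is pinned by the RP's configuration, so "none" or a key-type
    #    confusion attempt in the header is rejected before any crypto runs.
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")

    # 2. Signature over header.payload, compared in constant time.
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise IdTokenError("bad signature")

    # 3. Claims, only after the signature proves the OP produced them.
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise IdTokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("multiple audiences without matching azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("token expired or exp missing")
    # nonce ties this token to the login request the RP started (replay defence)
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


def is_valid_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper used to exercise the rejection paths."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return True
    except (IdTokenError, ValueError):
        return False


if __name__ == "__main__":
    tok = mint_id_token({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                         "iat": 1000, "exp": 2000, "nonce": "n-1"})
    print(validate_id_token(tok, "n-1", now=1500)["sub"])
```

Note that the user's password never reaches this code; the relying party only ever sees the signed assertion, which is the property the snippets above describe. In production you would normally accept RS256/ES256 tokens verified against the OP's published JWKS rather than a shared secret, but the claim checks are the same.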


I respect your need for a business reason to use OpenID rather than a tech-geeky reason. So here it is:

Reason #1

OpenID is way easier than username+password. "Oh no", I hear the responses now, "OpenID is confusing and scary for users. They'll run away." That's why you don't tell the user it's OpenID. Just offer Yahoo and Google buttons and say "use an account you already have" or something to that effect. Users will love you. Underneath you're using OpenID, but don't advertise the fact, and perhaps don't even offer an OpenID text field, until OpenID becomes more mainstream.

A strong majority of users are already logged into Yahoo or Google, so "Click here to log in using your Google/Yahoo account" buttons will mean it's faster and easier for your customers -> more sales.

Reason #2

Do it for your customers, even if they're not asking for OpenID. OpenID is more secure than username+password, since your customers won't be reusing the same username+password on your site as on all their other sites. It's bad security to reuse username+password across web sites, but that's what users do. Using OpenID (without telling them) to get them to reuse their existing [pick your small list of major OPs here] accounts will mitigate this and give your users added security. If your site is hacked, their credentials won't be stolen. And if other sites your customers have accounts with are hacked, there's a good chance your customers' account with you won't be compromised.

Reason #3

Fewer support calls and web pages to support users who forgot their passwords.


What I like most about OpenID is that it doesn't feel like I'm creating an account at all. It's more like I already have an account for the entire Web, and StackOverflow is taking notice of it when I log in. I'm really tired of having to create a new "identity" on every site I run across because they want to have a bigger user count.

I also like that sites that (only) use OpenID tend to make the whole account experience more flexible: no email confirmation required, no enforced-unique usernames, use of Gravatar, etc. The upside is that there is no registration; I just log in like I was already here.


It seems to me it is easier and faster for the user to simply enter a username and password in a signup form they have to go through anyway.

I think, on the contrary, that often it's easier and less of a hassle if the user can log in with his existing OpenID, instead of creating separate credentials for every site. (Isn't that the main point of it?)


Maybe it isn't worth the effort on the large scale (yet), but I am very reluctant when it comes to registering on the sites that do not support OpenID: coming up with yet another password, confirming email (which, sometimes, involves waiting for the email), etc. They basically lose me as a user unless I really have a good reason to register there.

But also keep in mind that OpenID is not only about single sign-on; it's the way to maintain your identity, to prove that you are who you claim to be. OpenID sign-on is great, but the ability to perform actions on the site on your own behalf (e.g. leave a comment) without registering is even more important.


It's great not having to make too many user accounts all around. All those passwords... Then again, I far prefer a solution like 1Password for the Mac. OpenID is better for sites I'll return to than a separate username, though.


Well the promise of OpenID is a single sign on for multiple websites. The issue is that it's still pretty obscure from a mass-market perspective. I personally would not implement it in a broad customer-facing application just yet.