From my experience with OpenID, I see a number of significant downsides:
Adds a Single Point of Failure to the site
It is not a failure that can be fixed by the site even if detected. If the OpenID provider is down for three days, what recourse does the site have to allow its users to login and access the information they own?
Takes a user to another site's content every time they log on to your site
Even if the OpenID provider does not have an error, the user is redirected to their site to log in. The login page has content and links. So there is a chance a user will actually be drawn away from the site to go down the Internet rabbit hole.
Why would I want to send my users to another company's website?
[ Note: my provider no longer does this and seems to have fixed this problem (for now).]
Adds a non-trivial amount of time to the signup
To sign up with the site a new user is forced to read a new standard, choose a provider, and sign up. Standards are something that the technical people should agree to in order to make a user experience frictionless. They are not something that should be thrust on the users.
It is a Phisher's Dream
OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy. [ taken from David Arno's Answer below ]
For all of the downsides, the one upside is to allow users to have fewer logins on the Internet. If a site has opt-in for OpenID then users who want that feature can use it.
What I would like to understand is:
What benefit does a site get for making OpenID mandatory?
OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.
OpenID Connect is a simple identity protocol and open standard that is built using the OAuth 2.0 protocol. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) to verify the identity of a user.
The benefit of making OpenID mandatory is simply that login code for the website does not need to be written (beyond the OpenID integration), and no precautions need to be taken around storing user passwords etc.
Not having your own login code also means not having to deal with a lot of support issues like resetting of lost passwords etc.
Certainly most of your downsides are valid, so I guess it becomes a trade-off.
What surprises me is that there are not more sites forming a close relationship with a particular OpenID provider to simplify the account signup phase - i.e. some sort of 'You can use any OpenID you like, but you can also create one right now by entering a username and password etc' login page, which automatically creates a new account with the selected provider for you.
It's a good way to outsource a part of your infrastructure. You don't have to worry about lost passwords etc., someone else does it for you.
I'm not sure I'd use it exclusively, though. I haven't used OpenID enough to entirely trust it, and the sign-up process needs to be streamlined until > 90% of users have an OpenID.