I think I’ve only posted about it once, but I’ve long been extremely skeptical of “digital identity” technologies — evil, hopeless, overhyped (no, giving users control of their identities will not save democracy nor make a pony appear, and there are no scare quotes around the preceding words because I haven’t cornered the market on scare quotes), often more than one of these.
OpenID has been the most reasonable identity technology to come along, mostly because it does very little and builds on existing standards. I still think it’s overhyped. Evan Prodromou recently posted an informative essay on OpenID Privacy Concerns. This bit jumped out at me:
The key to mitigating this, of course, is using strong security on the OpenID provider. The good news is that since your authentication is centralized, you can use much stronger authentication than most Web sites support. I really appreciate using browser certificate authentication on certifi.ca — it’s a very strong system that’s (almost) immune to phishing, brute-force attacks, or other password-stealing scams.
The good thing about OpenID is that it moves authentication to parties that are presumably good at that and can offer stronger authentication methods, without the sites and services you want to login to having to know anything about authentication technologies (apart from having implemented OpenID login).
I knew that an OpenID provider could authenticate however they want, but the usefulness of this did not click until reading the above, though I’m sure it’s been pointed out to me before.
I fairly frequently use the total lack of adoption of browser certificates as a negative example to be learned from when people try to solve supposed problems by throwing crypto into a supposed solution. Perhaps in the distant future this example won’t work, because OpenID (or something else that abstracts out authentication method) is widely implemented, making strong authentication relatively useful and usable.
In the meantime, I’m still a big fan of super simple methods of going passwordless.
Great points about OpenID. This post changed my perspective on it.
A related security benefit is that if sites like Digg don’t have their own auth system, their doesn’t have any user account data or account management software to compromise.
I’m starting to think that the benefit is better security. Convenience is the same or worse until the ocean has been boiled and everybody is using OID. Usability is definitely worse, since the whole handshake is confusing as heck.