I am a self-acknowledged “Site Registration Hater” (SRH). I hate registering at web sites. The whole concept behind Web 2.0 is collaboration: the content comes from individual contributors and we build the web together. But every single place where you want to make a contribution, you have to register as a “user” of that site. You then must track the username and password. I suppose most people use the same username and password at many sites, but sometimes that username is not available or not allowed by the naming convention, and sometimes the password is not allowed because the site has instituted an arbitrary password convention. (My preferred password has punctuation in it, but a surprising number of sites allow only letters and numbers.) So this means I have to actually remember which ID and which password, which is such a pain that I actually avoid such collaboration. I see a question in a forum, I know the answer, but I don’t reply because to do so I would have to register. I see blogs with discussions that I could contribute to but don’t, because I would have to register. A photographer friend distributes the snapshots of local events using SnapFish, and I never look at them, because I have to register to do so. Still I have a thousand login accounts on a thousand sites.
I don’t need to be anonymous. I don’t mind letting the site know who I am. I am very sympathetic about the problem with spam and the need to know that the post is being made by a person and not a mass mailing bot. The reason I hate site registration is simply the hassle of remembering (or recording) the username and passwords.
I am not the only one that hates registrations. Sites such as “bugmenot.com” aggregate random user logins so that everyone can use the same ones, and avoid registration. I feel the pain, but this is not the best solution.
OpenID provides a graceful solution. I can have one ID (or a couple) and use that at every site. I found out that my “WordPress” ID already is an OpenID, and so I did not need to do anything new. I could immediately start using the WordPress ID at any site that takes OpenID. (Well, almost any, see below.)
Those other sites can’t abuse my OpenID to access anything on my behalf because I never give them my password. Using my OpenID requires that my browser be logged into the OpenID provider at the time. Through browser redirection, which relies on cookies keyed to a valid login session at the provider, the other site can verify that I have a valid session without my ever having to enter my password there. This is great because I can change my password at WordPress any time I want to, and the OpenID continues to work regardless of how often I do this. As for usability: I log in once in the morning to WordPress (or any other OpenID provider) and then I can use web sites all day long.
It also makes things easier for the web site implementors. I run a number of web site applications (wiki, forum, other specialized sites) and I cringe at having to present a login/registration for people to use my sites. When using open source packages, user management is not always integrated, and I am forced to ask people to set up multiple login accounts just to use the capability cobbled together. I can’t leave the sites open because of the spammers. OpenID allows me a simple way to ask who a visitor is, get an authoritative answer, and not have to maintain or manage a password database. Multiple applications, hosted at multiple sites, can have a single consistent login. Tech designers can get out of the business of managing user profiles, and back into providing cool new capabilities.
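The relying-party side of the exchange described in the two paragraphs above, as an added sketch that is not part of the original article or any particular library: the site redirects the browser to the provider without any credential, then accepts the provider's signed answer only after checking the OpenID 2.0 signature, the endpoint and return address, and the nonce. Host names, the association handle and the MAC key are constructed placeholders, and requiring the identifier fields to be signed is this example's own policy.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode
# Constructed placeholders: hosts, association handle and MAC key are assumptions.
OP_ENDPOINT = "https://op.example/server"
RETURN_TO = "https://rp.example/return"
ASSOC = {"handle": "assoc-1", "mac_key": b"k" * 32}  # agreed with the OP beforehand
# This RP insists that the identifier fields are covered by the signature.
REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

def auth_redirect(claimed_id):
    """URL the RP redirects the browser to; it carries no credential."""
    return OP_ENDPOINT + "?" + urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id, "openid.assoc_handle": ASSOC["handle"],
        "openid.return_to": RETURN_TO, "openid.realm": "https://rp.example/"})

def sign(fields, signed, mac_key):
    """Base64 HMAC-SHA256 over the key-value form ("key:value\\n") of the signed fields."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest())

def verify_assertion(fields, seen_nonces):
    """Return the claimed identifier if the OP's assertion checks out, else None."""
    signed = fields.get("openid.signed", "").split(",")
    if (fields.get("openid.mode") != "id_res" or not REQUIRED.issubset(signed)
            or any("openid." + k not in fields for k in signed)):
        return None
    if (fields["openid.op_endpoint"], fields["openid.return_to"],
            fields["openid.assoc_handle"]) != (OP_ENDPOINT, RETURN_TO, ASSOC["handle"]):
        return None
    expected = sign(fields, signed, ASSOC["mac_key"])
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return None
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:  # replayed assertion
        return None
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]

def sample_assertion():
    """Constructed response, as the OP would sign it after checking its own session."""
    f = {"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
         "openid.claimed_id": "https://alice.example/",
         "openid.identity": "https://alice.example/", "openid.return_to": RETURN_TO,
         "openid.response_nonce": "2024-01-01T00:00:00Zabc123", "openid.assoc_handle": ASSOC["handle"]}
    f["openid.signed"] = ",".join(sorted(REQUIRED))
    f["openid.sig"] = sign(f, f["openid.signed"].split(","), ASSOC["mac_key"]).decode()
    return f
```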
Adoption is not yet widespread enough. While there are a number of sites that use it, at this time there are a lot more that do not. OpenID may not be suitable for all kinds of high security identification, but for identifying individuals in a collaborative decentralized environment, it is perfect.
Ironically, while sites such as WordPress provide OpenIDs, they do not accept OpenIDs from other providers. This asymmetry is strange and disturbing. It is like a kid offering to share equally with everyone as long as he gets the best parts. The whole point of OpenID is to have a single ID that works everywhere, but WordPress does not allow me to use a single ID; I have to have a WordPress OpenID. We don’t need more OpenID “providers”, we need more OpenID relying parties (consumers).
I was going to end this article with an admonition to use only sites that allow OpenID, but then I would be asking you to avoid my own blog, which does not allow you to enter comments using an OpenID. (It actually allows you to enter comments anonymously, but I would prefer that it allowed OpenID.) Still, I leave you with a hopeful message: OpenID will rescue Web 2.0 from being crippled by having to register and maintain separate usernames and passwords at so many different sites. This one change might be so significant that we call it Web 2.1.
I’m with you 150%. I am about to develop an SaaS application and looking around for the best model. Trouble is, the big guys are not doing it: Google, eBay, etc. If one of those guys would adopt it, it would validate it for us little guys. Waiting….