When I first heard about OpenID, I thought “great – one central place with only one ID to remember.” Then numerous OpenID sites opened, and I realized my assumptions were wrong. Still, I thought, it’s good that we’re working on more secure ways to access multiple sites. Then I went and signed up for an OpenID, found nothing particularly secure about it, and realized the rest of my assumptions were wrong, too.
OpenID is not centralized, and it is not about security. In fact, it’s arguably less secure than getting a separate login for each site you visit.
Here’s how it works:
- You go to an OpenID provider. There are lots of them springing up. Here's a list of OpenID providers. You can even run your own OpenID server on your own domain.
- You sign up, and get your own URL & password.
- When you go to a site that supports OpenID, you’re automatically redirected to that URL, where you say “yes, it’s me”. Different providers handle things differently, but the ones I’ve encountered ask you for a password.
- Once you affirm that you are you, and that you want to log into this other site, you’re sent back to that site with your identity confirmed.
So basically, the site you’re registering for is saying “we’re not going to worry about your name and password – we’ll trust that your OpenID site has handled all that and let you in.” You still need to register for the new site if you want any information about you saved.
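The redirect-and-confirm flow above, modelled as an added example (my own simplified simulation, not real OpenID wire-protocol code or code from any provider): the relying party sends the browser to the provider, the provider alone checks the password and returns a signed assertion, and the relying party verifies that assertion with a secret it shares with the provider. The provider URL, user URL, relying-party names and secrets are all constructed for the demo; the real protocol has more parameters and an association handshake that are omitted here.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed data: one provider, two relying parties (RPs), one user.
PROVIDER = "https://openid.example"  # assumed provider URL
# Each RP shares an association secret with the provider (constructed values).
ASSOC_SECRET = {"https://rp-a.example": b"secret-a", "https://rp-b.example": b"secret-b"}
# The user's OpenID is a URL; the provider stores only a password hash.
USERS = {"https://alice.openid.example/": hashlib.sha256(b"hunter2").hexdigest()}


def _query(url: str) -> dict:
    """Flatten a URL's query string into a plain dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def rp_login_redirect(rp: str, claimed_id: str) -> str:
    """Step 1: the RP redirects the browser to the provider with the claimed URL."""
    return f"{PROVIDER}/auth?{urlencode({'identity': claimed_id, 'return_to': rp})}"


def provider_authenticate(redirect_url: str, password: str) -> Optional[str]:
    """Step 2: the provider asks for the password and, if it matches, signs an
    assertion addressed to return_to. The RP never sees the password."""
    q = _query(redirect_url)
    identity, rp = q["identity"], q["return_to"]
    if rp not in ASSOC_SECRET:
        return None
    if USERS.get(identity) != hashlib.sha256(password.encode()).hexdigest():
        return None
    fields = {"identity": identity, "return_to": rp, "nonce": secrets.token_hex(8)}
    sig = hmac.new(ASSOC_SECRET[rp], urlencode(fields).encode(), hashlib.sha256).hexdigest()
    return f"{rp}/callback?{urlencode({**fields, 'sig': sig})}"


def rp_verify(rp: str, callback_url: str) -> Optional[str]:
    """Step 3: the RP recomputes the signature with its own association secret and
    accepts the identity only if the assertion is intact and addressed to it."""
    q = _query(callback_url)
    fields = {k: q[k] for k in ("identity", "return_to", "nonce")}
    expected = hmac.new(ASSOC_SECRET[rp], urlencode(fields).encode(), hashlib.sha256).hexdigest()
    if q["return_to"] != rp or not hmac.compare_digest(expected, q["sig"]):
        return None
    return q["identity"]


def login(rp: str, claimed_id: str, password: str) -> Optional[str]:
    """The full round trip as seen from one RP: returns the verified identity or None."""
    cb = provider_authenticate(rp_login_redirect(rp, claimed_id), password)
    return rp_verify(rp, cb) if cb else None
```

Note that the same provider password unlocks every RP in the table, which is the point made below about a single credential, and that an RP rejects an assertion whose identity was altered in transit because the signature no longer matches.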
Why is this less secure? If everyone switches over to OpenID, I’ll have one login name (URL) and password, so if someone guesses or steals it, I’m really screwed. If someone has that, they can “authenticate” every login without my presence. You could get multiple OpenIDs and passwords, but that would kind of defeat the purpose.
So… why are you using OpenID?