- I understand user names and passwords. OpenID is an evolving open standard. It will be implemented differently by different ID brokers. It will also be implemented differently by web sites for authentication and security purposes. There is a lot I don't understand about OpenID.
- I don't want security to be transparent and unobtrusive (see below). I want to log in as I move about the Internet, so I know when I am more or less anonymous versus when I am a client or customer. I want to fill out a form to register on web sites so that I control what different organizations know about me. If security is transparent and unobtrusive, I won't be able to tell when security is on, and I won't know who knows what about me.
- The OpenID authentication process is vulnerable to man-in-the-middle phishing schemes. If one of your OpenIDs is stolen, the potential for harm to you is substantial.
- People are probably going to have more than a few OpenIDs, each with several profiles, with different ID brokers (AOL, Yahoo!, VeriSign, et al.). Keeping track of these IDs and profiles will be no simpler than managing user names and passwords. Unless and until OpenIDs replace user names and passwords, OpenIDs will be an extra layer of complexity for users to contend with.
- Having users with multiple OpenIDs presents real challenges for organizations doing business on the Internet. One individual's data at a given organization may be associated with multiple OpenIDs. This will complicate that organization's data mining and customer service efforts.
Unobtrusive Security: One of the promises of OpenID is that it will make it easier for users to gain access to web sites (originally blogs). No more filling out forms to register to use a site. Just use your OpenID. Web sites may request your OpenID and check with your ID broker to register and authenticate you. Once you log in with your ID broker, your OpenID is verified and certain authentication and demographic information that you have provided to your ID broker is passed to the requesting web site.
If you have an active session with your ID broker, all you have to do is give your OpenID, and the authentication and demographic information is passed to the web site. No login required. To further simplify the process, a web site may unobtrusively read your OpenID, register you and log you in without your involvement in the process.
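The sidebar describes the exchange between a web site and an ID broker in prose; the following is an added, constructed model of that exchange, not code from the original post or from any OpenID library. It is a simplified sketch in the style of OpenID 2.0 (a shared secret established up front, an HMAC over the signed fields, a nonce against replay), with constructed names such as `IdentityBroker`, `RelyingParty`, `broker.example` and `shop.example`. It shows what the web site has to check before trusting the "authentication and demographic information" the broker hands back: that the assertion came from its own broker, was issued for its own return address, has not been replayed, and has not been altered in transit. It does not address the phishing concern in item 3, which plays out on the user's side of the browser rather than in the site-to-broker exchange.

```python
"""Constructed model of an OpenID-style login: an ID broker signs an
assertion about a logged-in user and a web site (relying party) verifies
it.  Simplified for illustration; not a spec-complete implementation."""
import hashlib
import hmac
import secrets
import time

# Fields the broker signs. The site refuses any assertion that leaves one out.
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "return_to",
                 "response_nonce", "assoc_handle", "email"]


def kv_encode(fields, keys):
    # Key-value form: one "key:value\n" line per signed field, in order,
    # so broker and site compute the HMAC over identical bytes.
    return "".join(f"{k}:{fields[k]}\n" for k in keys)


class IdentityBroker:
    """The ID broker (hypothetical). Holds shared secrets per web site and
    the set of users who currently have an active session with it."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.associations = {}   # assoc_handle -> shared HMAC key
        self.sessions = {}       # claimed_id -> profile of a logged-in user

    def associate(self):
        # A site and the broker agree on a secret once, before any login.
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def login(self, claimed_id, profile):
        self.sessions[claimed_id] = profile

    def checkid(self, claimed_id, assoc_handle, return_to):
        # Only a user with an active broker session gets an assertion;
        # otherwise the broker would show its own login page instead.
        if claimed_id not in self.sessions:
            return None
        fields = {
            "op_endpoint": self.endpoint,
            "claimed_id": claimed_id,
            "return_to": return_to,
            "response_nonce": f"{int(time.time())}{secrets.token_hex(4)}",
            "assoc_handle": assoc_handle,
            "email": self.sessions[claimed_id]["email"],
            "signed": ",".join(SIGNED_FIELDS),
        }
        mac = hmac.new(self.associations[assoc_handle],
                       kv_encode(fields, SIGNED_FIELDS).encode(), hashlib.sha256)
        fields["sig"] = mac.hexdigest()
        return fields


class RelyingParty:
    """The web site (hypothetical). Verifies assertions before logging a user in."""

    def __init__(self, return_to, broker):
        self.return_to = return_to
        self.broker_endpoint = broker.endpoint
        self.assoc_handle, self.assoc_key = broker.associate()
        self.seen_nonces = set()

    def verify(self, assertion, max_age=300):
        """Return (accepted, claimed_id or reason for rejection)."""
        if assertion.get("assoc_handle") != self.assoc_handle:
            return False, "unknown association"
        if assertion.get("op_endpoint") != self.broker_endpoint:
            return False, "assertion not from our broker"
        if assertion.get("return_to") != self.return_to:
            return False, "assertion was issued to a different site"
        signed_keys = assertion.get("signed", "").split(",")
        if set(SIGNED_FIELDS) - set(signed_keys):
            return False, "required field not covered by signature"
        if any(k not in assertion for k in signed_keys):
            return False, "signed field missing"
        expected = hmac.new(self.assoc_key, kv_encode(assertion, signed_keys).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return False, "bad signature"
        nonce = assertion["response_nonce"]
        issued = int(nonce[:10]) if nonce[:10].isdigit() else 0
        if abs(time.time() - issued) > max_age:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, assertion["claimed_id"]


def demo():
    """Run the exchange with constructed identities and return each outcome."""
    broker = IdentityBroker("https://broker.example/op")
    site = RelyingParty("https://shop.example/openid/return", broker)
    alice = "https://broker.example/alice"
    broker.login(alice, {"email": "alice@example.org"})     # constructed profile
    good = broker.checkid(alice, site.assoc_handle, site.return_to)
    results = {"valid": site.verify(good)}
    results["replay"] = site.verify(good)                   # same nonce again
    results["tampered"] = site.verify(dict(good, claimed_id="https://broker.example/bob"))
    elsewhere = broker.checkid(alice, site.assoc_handle, "https://other.example/return")
    results["wrong_site"] = site.verify(elsewhere)           # issued for another return_to
    results["not_logged_in"] = broker.checkid("https://broker.example/carol",
                                              site.assoc_handle, site.return_to)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

The order of checks matters: the site establishes who the assertion is from and for before doing any cryptography, verifies the signature before consulting its nonce cache (so a tampered copy is reported as a bad signature rather than a replay), and records the nonce only once the assertion has passed every other test.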