I’m concerned

Isn't getting an OpenID like using the same key for your house, car, office, locker, etc.?

For the reason specified in the question, OpenID strikes me as inherently insecure. Aside from that, it seems likely to me that using it also presents a threat to my privacy. Couldn't an OpenID provider use the technology to trace my steps across the Internet? In light of these concerns, why would I want to use it?
  • Both problems you're asking about already exist for most of us on the web; people use the same password across many sites and our ISPs can see our entire browsing access.

    With OpenID, you can change the password for all the websites you visit at once. This is easier than changing your password at websites individually in case someone gets hold of a password you use at multiple sites.

    Choosing a good provider is important. OpenID does not necessarily require usernames/passwords for authentication. So, in theory, you can choose a provider that uses key fob authentication or some other strong mechanism that avoids the password problem altogether.

    Choose a trustworthy provider or run your own OpenID server (quite easy, Google it) and you won't have to worry about the provider seeing your history.

    Cheers,

    http://aaron.binprop.org
  • Thank you Aaron for your insightful and informative response! Since I don't use the same password at multiple sites, I don't see that as a problem. And if I was worried about my ISP tracking my browsing, I'd use Tor, remote in to a machine, or something similar.

    In any case, I'll look into having us run our own OpenID server. Which leads to another question: If your OpenID server is down or inaccessible over the Internet, is there a backup means of accessing services on the sites you usually log in to via OpenID?
  • On reflection, I have one other question. Let's assume I don't have the resources to put together a two-factor-ID-based OpenID platform. If someone makes off with my username/password credentials, and uses them to log in to my OpenID server, couldn't they change my password and lock me out of all of my OpenID-based services in one fell swoop?