NYT says passwords, OpenID suck
Randall Stross, the same guy who recently said Microsoft should abandon Windows, says on the NY Times site that passwords aren’t good because they’re vulnerable to spoofing attacks, and that they should be replaced by “information cards.” Well, he’s got a point here, and many companies and services already use non-password authentication mechanisms. Microsoft uses them for lots of the services used by employees – so why not for consumers too?
Well, for one, it’s not exactly a user-friendly system yet. Maybe that will change soon, who knows. It isn’t the only way to address the problem of spoofing, though. My bank’s website makes use of a “site key” (an image tied to a string that I associated with that image) with the goal of assuring me that I’m at a real Bank Of America login page and not some spoofer. It may not be foolproof, but it’s a lot better than nothing (assuming the user would notice its absence, which is another issue entirely).
Anyway, what bugged me more about this article was the way it ragged on OpenID. Randall seems to think that OpenID’s only purpose is “single sign-on,” and explains that it works like Microsoft’ Live ID in that you only need one set of credentials.
But that’s not quite true. Many people like OpenID not for having a single password but simply for a single username (or “identity”). Some sites may trust an OpenID source to verify your credentials and have that be good enough for them. Others may impose their own passwords or security restrictions. And what’s stopping an OpenID identity provider from using a certificate-based or other non-password authentication mechanism? As far as I can tell, nothing.
Another advantage OpenID has is that my credentials don’t need to be shared with everybody. If I want to create an account on Zooomr, I can login to my WordPress account and have it verify my identity to Zooomr. Since I’ve never heard of Zooomr, I like this approach, because they never get my password. Only WordPress does. They verify it, and then tell Zooomr, “Yup, he is who he says he is.”
I have to admit that I’ve never taken the time to really learn the nitty gritty details about OpenID, but I find it to be a very interesting concept. I’ve also been very interested in OAuth lately and been meaning to dig more into how that works. Heck, I don’t even know if it is related to OpenID in any way.
So what do you think of OpenID? Is it a fad and a distraction from better advances, as Stross seems to suggest? Or do you think it’s the future of identity on the web?