What reasons are there NOT to use OpenID?

伪装坚强ぢ 2020-12-07 11:59

You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audienc

17 answers
  • 2020-12-07 12:36

    OpenID is spectacularly susceptible to phishing attempts. If you run an OpenID site, try changing the login page one day to request the identifier and password, instead of the normal approach of only requesting the identifier and redirecting to the OpenID provider to request the user's password. I bet you can get over a fourth of your users' passwords this way.

  • 2020-12-07 12:37

    This comes up a lot.

    A good rule:

    If you need to collect and keep private personally identifiable information, don't use OpenID.

    If you do not need to collect and keep private personally identifiable information, go ahead and offer OpenID as a method to login.

    For e-commerce, or anywhere else that you need to comply with PCI/DSS certification, I would not use OpenID.

    I don't mind that SO is exclusively OpenID, however I would not make a site that used it exclusively.

  • 2020-12-07 12:39
    1. The interface is terrible.

      a. Registering with OpenID takes more time and savvy. Normal registration takes very little time or savvy. Registration happens once, but it's a large upfront investment, so the site has to be very compelling.

      b. Signing in involves: three pieces of data instead of two; two web pages instead of one (three at StackOverflow, actually); and an external web site. EVERY TIME.

      c. There are better interfaces for this kind of solution. I use KeePass, for example.

    2. Name collisions. There's no way to ensure unique names.

    3. Security is terrible.

      a. It encourages phish-like behavior. It's not as bad as "Verified by Visa," but it's close.

      b. Single point of failure: If you lose anything, you lose everything. KeePass at least allows me to physically protect the password (you must have the hard drive with the encrypted database on it).

      c. Cross-site tracking. Credit card companies actually have rules in place governing how much tracking they're allowed to do. Cookies can be selectively disabled or prevented in modern browsers. OpenID has no rules and no governors.

    4. It isn't actually universal. Google provides OpenID... but doesn't use them. Same for Yahoo. And for AOL. There's no incentive for an OpenID provider to allow the use of OpenIDs from other providers.

    5. OpenID is useful for authentication, but not for authorization, particularly for anything sensitive (credit cards, for example).

    For me personally, I use one login/password per site, and I use KeePass (which I can protect physically and with two layers of passwords that must be cracked) to maintain the one-login-for-everywhere abstraction.

    That includes StackOverflow: I created an OpenID specially for you guys, and I won't ever use it anywhere else. I did this, and I put up with the login pain because the content is compelling.

    But if a real auth method were ever provided for StackOverflow, I'd jump on it in a heartbeat, just for the ease of use gains.

  • 2020-12-07 12:39

    If you have a site which requires a high level of security, you do not want to leave handling of your login credentials to an outside provider, where you have no control over access. If the OpenID provider gets hacked, you're leaving your security up to them.

  • 2020-12-07 12:42

    From what I can tell, it looks like an OpenID provider is not required to give out an account holder's email address, although some do.

    If your service requires an email address to communicate with its users (for example, to send out a newsletter - which the many people who have never heard of RSS prefer), then you may have to capture an OpenID AND verify an email address.

    A system in which just an email address and password are required and which employs an activation email message would be less work for users.

  • 2020-12-07 12:46

    OpenID is good if all sites use it. But to register to OpenID just to use ONE site, it's a bit too much. Registering to OpenID is not as straightforward as directly registering in a site (from a consumer point of view).
