You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audienc
Everyone can connect the things I do on one site to the things I do on other sites when using an OpenID, because it's the same everywhere. So I wouldn't use the same ID I use here for a porn site, for example.
There are a lot of reasons. That's one account which gives access to all. If this is compromised, you get in trouble.
If you are setting up a page which uses OpenID, then you should know everybody can set up an OpenID server (also spammers can do that).
--
But OpenID has good ideas and I like to use it!
I'm surprised that somebody that has used Stack Overflow couldn't think of a reason to NOT use OpenID - because it's annoying as hell?!
Ted Dziuba did a much better job of ripping into OpenID than I would, so just read what he wrote.
Another good reason - Facebook Connect already seems to be doing very well. As Facebook's membership continues to grow, it's going to make Facebook Connect support that much more valuable.
At some point I suppose Facebook could make Connect an OpenID provider... but really, why would they want to?
The number of OpenID account providers you have (Google, Yahoo, Twitter, etc...) equals the number of accounts you can automatically use to log in to an OpenID powered website. This is certainly not an advantage but it can be a big disadvantage.
OpenID is still as insecure as every other password-based authentication method out there. In fact, it is even worse because if someone gets access to your OpenID, they have more than just that one account now. Of course there are also phishing attacks, but we're all savvy programmers, database and system administrators, so we wouldn't fall for such things, right?
Authentication security is based on trust. As others pointed out, why would you trust a third party with potentially sensitive information? Sure, you can set up an OpenID server yourself, but how much hassle is that vs. maintaining separate passwords on multiple systems? Sure, you can create secure passwords that are long and full of non-alphanumeric characters, and even store them all in a password manager (I do), but some sites are flawed in that a simple password recovery form can be filled out to gain access to reset the password.
I would probably be inclined to support and even evangelise OpenID if it did secure private key-based authentication, a la SSH or PGP. Maybe that's a matter of a provider offering such a method - I haven't looked into it [yet].
Finally, while we all trust OpenID enough to use it to authenticate on Stack Overflow, my OpenID is a "throwaway", and it's not like I'm using this as a professional reputation building tool (i.e., my real name isn't involved ;-)). I'm sure I'm not the only one (as cool and awesome as this site is!).
It's funny for me to read this topic, it reflects exactly my experience with OpenID:
StackOverflow.com was for me the reason to get an OpenID.
Many Google searches led me to this website, and I was never able to leave comments.
I thought about registering many times, but I didn't because of OpenID. It was not clear to me what it was exactly.
But one day, I took the decision to register and it took me a while, but I don't regret it because I use it every day. It gives me a more secure feeling although I'm aware that it's only one account which would lead to many problems if it gets phished.
So for me, OpenID is a really nice way to quickly log in on sites I don't know, but also on bigger websites such as StackOverflow.com
The main problem is that new users need to be pushed into the registration process then discover how great OpenID actually is.