What reasons are there NOT to use OpenID?

Backend · unresolved · 17 · 1127
伪装坚强ぢ 2020-12-07 11:59

You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audienc

17 answers
  • 2020-12-07 12:54

    I ran across an article today that makes a very strong case for skipping OpenID, from someone who was originally enthusiastic about it.

    Open ID Is A Nightmare

    I've always been a major proponent of Open ID. I love the idea and the intention - it's a great solution to a long-standing problem and solves a lot of issues for developers. Unfortunately it creates a ton more for business owners.

    Read the rest here: http://www.wekeroad.com/2010/11/17/open-id-is-a-party-that-happened/

    It's not my story so I'm not taking any credit for it.

  • 2020-12-07 12:55

    Average users still don't understand what OpenID is, what it's for, or how to use it. My parents would not be able to log in to Stack Overflow, for instance.

    That being said, this is largely about user interface. There's nothing inherently preventing them from using OpenID - they just need a user interface that abstracts away OpenID from them, and just lets them log in with their Google account (for instance).

  • 2020-12-07 12:56

    Yeah, security. Using OpenID puts you at the mercy of them administrating their accounts. You have no control over password security and user IDs. You are trusting some other organization to verify that the people coming to your site are who they say they are. If you need to really verify that someone is who they say they are, you won't get that with OpenID without doing some sort of secondary verification yourself, in which case you might as well just not use OpenID.

    http://www.computerworld.com/s/article/9179224/Researchers_Password_crack_could_affect_millions

  • 2020-12-07 12:56

    It is good as an addition to normal registration, but is not very easy to use if it is the only way to log into your site. Look at registration on Stack Overflow - all sites are specially mentioned to help people understand what this is all about. And this site is for geeks :) So the minus is complexity.

    Also see this link

  • 2020-12-07 13:01

    It may be slightly inaccurate to say that the average person doesn't understand OpenID.

    In most cases, with a little persuasive marketing (i.e. "USE ONE LOGIN ON ALL SITES!!!11!") they can understand that it allows them to log in at sites using one login rather than having a bunch of different usernames and passwords at different sites.

    The problem, however, is that to an average user, the whole OpenID experience goes against what they believe online security to be.

    • Users won't automatically trust it

      With normal username/password logins, users understand that a password should be kept secret, and that's what protects their privacy when they log in at a site. How are they to understand the exchange that goes on between an OpenID client site and their OpenID provider? All they know is they didn't have to put in a password (assuming they're "always logged in" at their OpenID provider) - so it's not secure, right? I mean, in the eyes of a user, how can it be secure if they didn't give a password? This can lead to user mistrust.

    • It makes phishing easy

      (Many) users know that it is wrong to re-use the same password for different accounts, yet this appears to be precisely what OpenID is doing. What if a user simply assumes that all their OpenID provider is doing is sharing their password with all participating sites? I mean, how else could OpenID be 'logging in for them' on all these sites? If the user assumes that through OpenID, their password becomes known to all participating OpenID sites, they may assume that it is quite reasonable to give out this password to any of those sites. It's a phishing nightmare. Imagine putting this phrase on your site: "Please enter your (some OpenID provider) username [ ] and password [ ]". You're phishing people already.

      We mustn't forget, too, that a user would be right in their suspicions in one regard even if for a slightly different reason: if someone gains access to their OpenID provider they gain access to their identity at all sites where they have used that identity, which is the same downside to using the same password at multiple sites.

    • It deviates too much from what users understand

      Having multiple usernames/passwords at different sites is not difficult for users to understand. Users understand the concept of usernames and passwords well, because they are used to them, and the point of security (the fact that the password is a secret) is really obvious to them. It's really clear how a password works. Having multiple username and password combinations does not make this any more confusing or complicated - it is just the same thing, but more than one of them. While remembering multiple passwords can be difficult, users at least know how to do it, and how it works.

      OpenID tries to solve the problem of remembering multiple passwords, but in the process it creates an entirely new paradigm, one which is completely opaque to the users. Unlike a password, whose security is obvious (it just has to be secret), all of the security of OpenID goes on behind the scenes, with sites communicating with each other, keys and hashes, etc. The user no longer fully understands how their privacy is being protected or what is to be kept secret from whom, because they don't understand how the system works. So, in an attempt to solve a problem of remembering multiple passwords, OpenID has created a mystical system of key-exchanges that violates the user's whole understanding of how authentication works and why it's secure.

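Two of the answers above touch the same point from different sides: the 12:56 answer says the relying party ends up trusting some other organization and has to decide for itself how much verification to do, and the last answer says all of OpenID's security "goes on behind the scenes, with sites communicating with each other, keys and hashes". The following is an added example, not code from any of the answers, showing what a relying party actually checks when an OpenID 2.0 provider sends back a signed positive assertion in stateful (association) mode: that the provider is one it has chosen to trust, that the assertion was meant for it, that the HMAC over the signed fields verifies against the shared association key, and that the response nonce is fresh and not replayed. The association handle and MAC key, the provider and relying-party URLs, the example identity and the sample response are all constructed for the example.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (stateful mode).

Added example for this thread, not code from the original answers. The
association, the URLs and the sample response are constructed.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields the spec requires to be covered by openid.sig in a positive assertion.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

# Constructed: an association the RP is assumed to have set up with the OP
# earlier (handle -> (association type, shared MAC key)).
ASSOCIATIONS = {"assoc-example-1": ("HMAC-SHA256", b"constructed-32-byte-mac-key-0001")}
# RP trust policy: the providers whose assertions we are willing to accept at all.
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/openid"}
RETURN_TO = "https://rp.example.org/openid/return"   # constructed RP return URL
NONCE_WINDOW = timedelta(minutes=5)
EXAMPLE_NOW = datetime(2020, 12, 7, 11, 59, tzinfo=timezone.utc)


def signed_base_string(params):
    """Key-value form of the signed fields, in the order listed in openid.signed."""
    names = params["openid.signed"].split(",")
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in names)


def sign(params, assoc_type, mac_key):
    """Base64 HMAC over the key-value form, which is how the OP computes openid.sig."""
    mac = hmac.new(mac_key, signed_base_string(params).encode("utf-8"),
                   DIGESTS[assoc_type]).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(params, now, seen_nonces):
    """Return (claimed_id, None) if the assertion is acceptable, else (None, reason)."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return None, "not an OpenID 2.0 positive assertion"
    names = params.get("openid.signed", "").split(",")
    for name in names:
        if ("openid." + name) not in params:
            return None, f"signed field openid.{name} is missing"
    for name in REQUIRED_SIGNED + ("claimed_id", "identity"):
        present = ("openid." + name) in params
        if name in REQUIRED_SIGNED and not present:
            return None, f"missing openid.{name}"
        if present and name not in names:
            return None, f"openid.{name} is not signed"   # an unsigned field is forgeable
    op_endpoint = params["openid.op_endpoint"]
    if op_endpoint not in TRUSTED_OP_ENDPOINTS:
        return None, f"untrusted OpenID provider: {op_endpoint}"
    if params["openid.return_to"] != RETURN_TO:
        return None, "return_to does not match this relying party"
    assoc = ASSOCIATIONS.get(params["openid.assoc_handle"])
    if assoc is None:
        return None, "unknown association handle"
    if not hmac.compare_digest(sign(params, *assoc), params.get("openid.sig", "")):
        return None, "signature mismatch"
    # Nonce is "YYYY-MM-DDThh:mm:ssZ" plus a unique suffix; it must be recent and unused.
    nonce = params["openid.response_nonce"]
    try:
        stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None, "malformed response_nonce"
    if abs(now - stamp) > NONCE_WINDOW:
        return None, "nonce outside acceptable window"
    if (op_endpoint, nonce) in seen_nonces:
        return None, "nonce already used (replay)"
    seen_nonces.add((op_endpoint, nonce))
    return params.get("openid.claimed_id"), None


def sample_assertion(now=EXAMPLE_NOW, claimed_id="https://alice.example.com/",
                     op_endpoint="https://op.example.net/openid", handle="assoc-example-1"):
    """Constructed positive assertion, signed the way a cooperating OP would sign it."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": now.strftime("%Y-%m-%dT%H:%M:%SZ") + "x7Ja9q",
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, *ASSOCIATIONS[handle])
    return params


if __name__ == "__main__":
    seen = set()
    good = sample_assertion()
    print(verify_assertion(good, EXAMPLE_NOW, seen))        # accepted
    print(verify_assertion(good, EXAMPLE_NOW, seen))        # same response again: replay
    tampered = dict(good)
    tampered["openid.claimed_id"] = "https://mallory.example.com/"
    print(verify_assertion(tampered, EXAMPLE_NOW, set()))   # signature no longer verifies
```

Note what the checks do and do not give the relying party. The signature and nonce checks establish that a trusted provider really did issue this assertion for this site, recently, once. They say nothing about how well that provider guards the user's password, which is exactly the point of the 12:56 answer: everything before the assertion is the provider's problem, and anything beyond "the provider says this is alice.example.com" still has to be verified by the site itself.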