The recent theft of confidential documents from Twitter has proven more than ever: Internet logins suck. It's not just that it's too easy to hack our accounts; it's also a pain for us to log in everywhere. I've got 400+ logins at different sites, not to mention a variety of fake accounts and email addresses for sites I don't want an account with. And like everyone else I tend to use the same password at a lot of unimportant places. It's terribly insecure.

There is a solution for the Web login mess: OpenID, what the nerds call "federated authentication". It's simpler than it sounds. You log into a big site on the Internet like Yahoo or Google: this is your OpenID provider. Then when some little blog wants you to log in, it asks your OpenID provider who you are and logs you in on their say-so. One password for the whole Internet; it's very convenient.
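
What "on their say-so" has to mean for the little blog, as an added example that is not from the original post: a simplified Python check of an OpenID 2.0 signed assertion. It assumes an HMAC-SHA256 association whose MAC key the site already holds; the provider.example and blog.example URLs, the function names and all sample values are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode

# Fields the signature must cover; this example also requires both identity fields.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}

def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form ("key:value\\n") of the signed fields."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def verify_assertion(query, mac_key, expected_return_to, seen_nonces):
    """Return the claimed identifier if the provider's assertion checks out, else None."""
    f = dict(parse_qsl(query, keep_blank_values=True))
    if f.get("openid.mode") != "id_res":
        return None
    signed = f.get("openid.signed", "").split(",")
    # Unsigned identity or return_to fields could be swapped by whoever relays the response.
    if not REQUIRED_SIGNED.issubset(signed) or any("openid." + k not in f for k in signed):
        return None
    if not hmac.compare_digest(sign(f, signed, mac_key).encode(), f.get("openid.sig", "").encode()):
        return None                      # not signed with the key shared with the provider
    if f["openid.return_to"] != expected_return_to:
        return None                      # assertion was issued for a different site
    nonce = (f["openid.op_endpoint"], f["openid.response_nonce"])
    if nonce in seen_nonces:
        return None                      # replayed assertion
    seen_nonces.add(nonce)
    return f["openid.claimed_id"]

def build_sample(mac_key, nonce="2009-07-16T15:42:00Zabc123"):
    """Constructed provider response for the demo; every value here is made up."""
    f = {"openid.mode": "id_res",
         "openid.op_endpoint": "https://provider.example/op",
         "openid.claimed_id": "https://provider.example/id/alice",
         "openid.identity": "https://provider.example/id/alice",
         "openid.return_to": "https://blog.example/openid/return",
         "openid.response_nonce": nonce,
         "openid.assoc_handle": "h1"}
    signed = [k[len("openid."):] for k in f if k != "openid.mode"]
    f["openid.signed"] = ",".join(signed)
    f["openid.sig"] = sign(f, signed, mac_key)
    return urlencode(f)
```

A real relying party also runs discovery to confirm that the provider is authoritative for the claimed identifier, which this example leaves out.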

OpenID will also be more secure. It allows normal websites to get out of the messy business of logins and just delegate responsibility to a serious authentication provider. Think of it: no more sites storing your password wrong, no more bizarre vulnerable security questions at every web site you go to. Just one safe login at a company with engineers dedicated to getting it right. Your OpenID provider could even use simple hardware to make your authentication significantly more secure. I'd gladly pay $25/year to a smart startup to be my secure OpenID provider.

OpenID is usable now. A variety of services you already use will act as a provider for you. I'm using my Flickr/Yahoo login now; I'd like to use Google, but their implementation doesn't seem to work right. Unfortunately, fewer sites will let you log in via OpenID. But a lot of the big blog sites allow OpenID logins for comments; that's a good start.

OpenID is not quite there yet. Usability is still a bit awkward: my first time logging in via Flickr, LiveJournal decided my name was "M8NL6R93r5YcAH4cOe1pK .tabWS9XTGzFg--" (fixable, but confusing). And there's unpleasant politics associated with user ownership; Yahoo, Google, Apple, and Microsoft aren't interested in having their users use their competitors' logins. That's why it's time for users like you and me to start demanding OpenID logins. It's more convenient for us and it will be more secure.

tech
  2009-07-16 15:42 Z