An OpenID is not an account!
10th January 2007
I’m excited to see that OpenID has finally started to gain serious traction outside of the Identity community. Understandably, misconceptions about OpenID continue to crop-up. The one I want to address in this entry is the idea that an OpenID can be used as a replacement for a regular user account.
Update at 23:55pm: I originally tried to illustrate this misconception with a quote from Don Park; unfortunately I misunderstood the quote and consequently misrepresented his position, for which I apologise unreservedly.
What about trust?
This is not a trust system. Trust requires identity first.
OpenID solves the identity problem, not the trust problem. When a user authenticates with OpenID, what they are doing is stating “I have the ability to prove my ownership of this URL”.
I used the phrase “have the ability” deliberately. Just because the OpenID authentication was successful doesn’t mean that the user is the only person who can authenticate against that OpenID. It would be trivial to create the OpenID equivalent of Mailinator: an identity provider that says “Yes, that’s them!” to any identity request. I’m tempted to build it just to emphasize this point! Update: Jayant Gandhi has built one.
The key thing here is that you should never trust an OpenID on its own. It could be a real person, or it could be a spammer, psycopath or general undesirable.
Does this mean OpenID is completely useless? Absolutely not! You just have to think of it in the same way that you think of username and password combinations: as the “key” to an account.
Most web application signup processes work something like this:
- Bob selects a username
- Bob enters a password, twice
- Bob enters his e-mail address
- Bob clicks a validation link in an e-mail sent to that address
Some sites throw a CAPTCHA in there for good measure.
OpenID replaces at most the first two steps of that registration process. Instead of having a user set up a new password you get them to authenticate with their OpenID at the start of the process. After that you might still want them to pick a username (especially if you are integrating OpenID in to an existing account system) and you’ll almost certainly want them to jump through the e-mail and/or CAPTCHA steps.
In the future, they can sign in to your site using their OpenID rather than having to dig around for whichever username and password they used.
A nice thing about the above flow is that it demonstrates how easy it should be to add OpenID support to an existing Web application. If you’ve already got a user account system that’s fine—just give your users a mechanism to associate an OpenID with their existing account so they can log in without using their password. You could even require new users to set up a full account (complete with password that they never intend to use) and then associate it with their OpenID, although doing so eliminates the lower barrier to entry advantage for OpenID users.
The trust issue is now null and void. An OpenID is just as trustworthy as a regular username and password (which could have been posted to bugmenot and shared with thousands of people).
One last time: an OpenID is not an account. Just treat it as an alternative to a traditional username and password and you can’t go wrong.
More recent articles
- Datasette Enrichments: a new plugin framework for augmenting your data - 1st December 2023
- llamafile is the new best way to run a LLM on your own computer - 29th November 2023
- Prompt injection explained, November 2023 edition - 27th November 2023
- I'm on the Newsroom Robots podcast, with thoughts on the OpenAI board - 25th November 2023
- Weeknotes: DevDay, GitHub Universe, OpenAI chaos - 22nd November 2023
- Deciphering clues in a news article to understand how it was reported - 22nd November 2023
- Exploring GPTs: ChatGPT in a trench coat? - 15th November 2023
- Financial sustainability for open source projects at GitHub Universe - 10th November 2023
- ospeak: a CLI tool for speaking text in the terminal via OpenAI - 7th November 2023
- DALL-E 3, GPT4All, PMTiles, sqlite-migrate, datasette-edit-schema - 30th October 2023