The news of OpenID’s Death is greatly exaggerated


I am not one to get on the blog and add to the argument over some stupid post from another tech pundit, but this one is too much to pass on. The reason I am tossing my hat in here is that I am now seeing SECURITY PROFESSIONALS adding to the crowd with the death knell of OpenID. Seriously?

Let me start with this example from my morning routine. I logged into my Facebook account with ClavID instead of the standard Facebook authentication mechanism. A little known Facebook feature is the ability to use OpenID providers to login instead of the email+password. I do this because ClavID supports secure multifactor authentication so instead of a simple user+pass, I have user+pass+token. Many of the websites I frequent support OpenID and in all of those cases I remove their ability to store my authentication information.

OpenID was pitched as the ability to remove the need to memorize all your logins for each site. That may have been where it started, but in today’s world it is my Multi-factor authentication mechanism. OpenID has a place in today’s online community for just that, security. As security professionals we moan and groan about the poor security of websites (Gawker, POF, etc.) and by then jumping on the “Death to OpenID” bandwagon make ourselves look incredibly silly.

What we should be doing as geeks is making the process more streamlined for OpenID implementation. It isn’t that OpenID itself is broke, but that the installs are somewhat difficult to use for users. By pushing to kill OpenID we are breaking the war into hundreds of small battles. I would rather take on a single issue (OpenID ease of use) rather than pushing every website, CMS coder, etc. to implement MFA. In the heat of the battle we should hold the line and attack on a single front.