A cure for gigazillion account syndrome

2007-07-18

This whole thing is moving so fast. Ain't it a great time to be alive? I mean, the Net.

What is Web 2.0? I don't know. I think it doesn't exist yet. At some point, Web applications were templates over a database. You used the application and you knew exactly what the schema was. Fortunately, Web apps now see a bit further than the socket to MySQL. They talk with other apps. The SQL schema is no longer leading the flow; the users are.

"I'm not interested in politics." You hear that all the time. But it's not true. It is true that men and women have lost interest in Federal, Provincial, and City level politics. But politics is more than that. Look at a white collar office, at someone walking his dog, at a crowded restaurant lineup. People love to give their opinion, to look for approval, to influence others. They love authority, no matter how indirect it may be. Authority is too diluted by broken voting systems at the Federal level, but people love politics. And this is what Web 2.0 is all about.

"Create an account, it's free." Oh my, not again. Politics is more fun if fair rules are enforced, or if you are the only one cheating. A reasonable measure to prevent abuse is to authenticate users. But I already have a gigazillion accounts, and I'm not sure I want to create a new one, even if it's free.

I was having a good time coding yet another Web application requiring login and password when Jon Rosebaugh pointed out that this might not be the right solution.

OpenID is a single sign-up solution that doesn't suck. Essentially, it lets you use one of your gigazillion accounts on more than one website. It doesn't suck because you, the user, get to pick who is going to handle your password for all those websites. And it doesn't suck because I, the coder, don't have to rely on the good will of a single password provider to keep traffic coming to my website. The spec is open (and readable) and there are several implementations available under liberal licences.

How does it work? The simplicity is beautiful. When you register for an account on my website, I contact your OpenID provider, say Live Journal. I set up a secret token with it behind your back, then I send you to Live Journal so you can log in there. Live Journal asks you whether it's OK to use your Live Journal account on my website. If so, Live Journal sends you back to me with a message signed using that secret token, and when you return I know you've been authenticated by Live Journal. I don't receive your password or anything else. You change your password on Live Journal, and every time you log in on Live Journal, you'll be logged in on my website too. What if you don't like Live Journal anymore? No problem, you just tell me to use your new OpenID provider and we are all set. There is no vendor lock-in.

I was able to implement OpenID with less than 100 lines of code using Python OpenID. OpenID is convenient for the user and for the developer.
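To make the flow above concrete, here is an added example that simulates both sides of it. It is not code from this post and not the Python OpenID library the author used; it is a stripped-down model of the OpenID 2.0 mechanics: the "secret token behind your back" is the association (an HMAC key shared by my website and the provider), the provider signs the assertion it sends back through your browser with that key, and my website checks the signature, the return URL and the nonce instead of ever seeing a password. The provider URL, the user identifier, the nonce and the association values are all constructed for the example; the browser redirect between the two sides is left out.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed association. In real OpenID the relying party obtains this from
# the provider (via Diffie-Hellman or directly over TLS) before redirecting the
# user. The handle is public; the key never passes through the user's browser.
def new_association(handle_prefix="assoc-"):
    """Return (handle, key) for a fresh HMAC-SHA1 association."""
    return handle_prefix + secrets.token_hex(8), secrets.token_bytes(20)


SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kv_form(fields, signed):
    """OpenID key-value form: 'name:value\\n' for each signed field, in order."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)


def provider_sign(key, fields):
    """Provider side: after the user approves, sign the positive assertion."""
    out = dict(fields)
    out["openid.signed"] = ",".join(SIGNED_FIELDS)
    mac = hmac.new(key, kv_form(out, SIGNED_FIELDS).encode(), hashlib.sha1).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


class RelyingParty:
    """My website: holds the association, verifies assertions, remembers nonces."""

    def __init__(self, handle, key, return_to):
        self.assocs = {handle: key}
        self.return_to = return_to
        self.seen_nonces = set()

    def verify(self, resp):
        """Return (ok, claimed_id or reason). No password is ever involved."""
        if resp.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        key = self.assocs.get(resp.get("openid.assoc_handle"))
        if key is None:
            return False, "unknown association handle"
        signed = resp.get("openid.signed", "").split(",")
        # Every field we rely on must be covered by the signature, or an
        # attacker could swap e.g. claimed_id without invalidating the MAC.
        if not set(SIGNED_FIELDS).issubset(signed):
            return False, "required field not covered by signature"
        try:
            expected = hmac.new(key, kv_form(resp, signed).encode(), hashlib.sha1).digest()
            given = base64.b64decode(resp.get("openid.sig", ""))
        except (KeyError, ValueError):
            return False, "malformed assertion"
        if not hmac.compare_digest(expected, given):
            return False, "bad signature"
        if resp["openid.return_to"] != self.return_to:
            return False, "return_to does not match this site"
        nonce = resp["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, resp["openid.claimed_id"]


def run_flow():
    """Drive one login, then a tampered copy and a replay of the same assertion."""
    handle, key = new_association()
    rp = RelyingParty(handle, key, "https://example-rp.test/openid/return")
    # Constructed positive assertion, as the provider would build it before signing.
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://provider.example.test/openid",
        "openid.return_to": "https://example-rp.test/openid/return",
        "openid.response_nonce": "2007-07-18T12:00:00Zabc123",
        "openid.assoc_handle": handle,
        "openid.claimed_id": "https://alice.provider.example.test/",
        "openid.identity": "https://alice.provider.example.test/",
    }
    signed = provider_sign(key, fields)
    first = rp.verify(signed)
    tampered = dict(signed, **{"openid.claimed_id": "https://mallory.provider.example.test/"})
    tampered_result = rp.verify(tampered)
    replay = rp.verify(signed)
    return first, tampered_result, replay


if __name__ == "__main__":
    for label, result in zip(("login", "tampered", "replay"), run_flow()):
        print(f"{label}: {result}")
```

The three checks at the end of `verify` are the ones that matter in practice: the signature proves the provider vouched for this claimed_id, the return_to check stops an assertion minted for another site from being accepted here, and the nonce set stops the same assertion from being presented twice.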

Things are moving fast these days. It's hard to stay up to date but at least with OpenID I won't have to waste time creating another gigazillion account. Ain't it a great time to be alive?

Comments

2007-07-20 16:30:13 by mahdi

Who guarantees that the identity provider's security standards are strong enough? How about the security "best practice" that states you should not have same login/password for different accounts? Think of the damage one can cause if they discovered your login and password.

I personally think the idea of a decentralized single sign-on is very attractive but OpenID has resolved only one of the problems that brought oblivion to Passport and Typekey. If this technology is broadly adopted by popular sites, the community will spend the required time to improve and perfect it.

2007-07-20 21:41:51 by Yannick

There is no way to assert that an identity provider handles your data safely. OpenID is not a cure for thinking by yourself. You need to decide who you trust and how to test your trust. The beauty of OpenID is that if you trust no one, you can be your own identity provider.

You should not re-use your password. But if you have 500 accounts, you either:

  • reuse the same password
  • pick really easy to remember passwords
  • write them down on some ugly place that you can access all the time, be it a paper in your wallet or a file with a funky name on your web server.

With OpenID, if your account provider is compromised, you change one password and you're back on track. With the alternative, if your password store is compromised you need to update a gigazillion accounts.
