Stefan Brands wrote a post slating OpenID and talking about why his company’s proprietary software is unlikely to ever be OpenID compatible. He raises a few valid points amongst the provocative language. Most his arguments are, in my view, either non-issues, untrue (no list of OpenID consumers) or true of any single sign on system.
I see the valid criticisms of OpenID are:
- Phishing – If users login to a url that’s not theirs (http://spamsite.etc/blah) then they’ll give away their logins (same as PayPal, your bank, or any other site).
- DNS Poison – If a hacker can convince your ISP to send traffic to the wrong server, they can steal your login details (as above, true of all logins).
- Privacy – You need to choose an OpenID provider you can trust, personally, that would mean my own server or not at all.
Overall, I think OpenID is a good thing, and I think it will lead to increased security if it’s widely adopted. Primarily because if your OpenID password is the key to your online life, providers will hopefully force you to look after it better than your Hotmail password!