Thursday, November 29, 2007
OpenID, we need you now!
I was reading Robert Scoble's blog today. He was talking about the number of ID systems in use at eBay - 21, yes, twenty-one! I am 100% in line with Scoble. Managing user IDs and passwords is a complete PITA! I recently needed to change passwords. I started this process a week ago and I have not finished yet! I still keep coming across sites that need to be updated. I am already up at around 45 sites and I know there are more to do. Boy, do I want OpenID to succeed!!

It gets even more fun as sites cross-link. Suddenly you find feeds not working because your blog account password changed but that isn't reflected on the feeder site.

I have written about Identity before. It is the big stumbling block in Web 2.0. I have seen it referred to as Sign Up Fatigue. It is true. I actively look for OpenID support because I positively do not want to manage yet another user ID and password combination.

Yes, I know people will say that Firefox, Camino, IE, Safari or any modern web browser provides tools to automate sign-on management, but that is not the point. If I need to change my password - and I should do that more than once a decade - then I want the process to be quick, simple and easy. The current mess is just totally unacceptable. Security will always be lax on internet web sites until we solve this problem in an open, cross-platform way.

One of the problems I see is that Enterprises moving to the web are not going to think outside their traditional mindset. I have been working with one company, and the more I discover, the more I believe they interpreted Single Sign-on to mean a "Sign-on for each application" and not "one sign-on for all applications!"

People will point to weaknesses in OpenID. They will say it can be spoofed. They may be right, but the simple fact is that a vast number of people adopt lowest-common-denominator security by using a single user ID and password across many internet applications.

If OpenID adoption really grabs hold and becomes commonplace, then I believe it will become more prevalent for OpenID platforms to use SecurID or similar hard-to-crack tokens in order to beef up security. This becomes feasible because if we can change a password in one place and have it applied across tens if not hundreds of sites and services, then we are more likely to use a strong password that is changed frequently.