[Marketing] Bullet points in the OpenID core message...

Simon Willison simon at simonwillison.net
Mon Jul 2 23:04:34 UTC 2007


> Another OpenID advocate I talked about this with last weekend
> pointed out to me that a common pushback he got was "we don't
> want to trust some random outfit with our users' identity".
>
> He pointed out that if you have a "I forgot my password, please
> email me a new one" button, you are already trusting some
> random outfit with your users' identity, you're trusting his
> email provider.
>
> "Please email me a new password" has pretty much the same security
> profile as OpenID, it's just slower and with a worse user experience.

That was me :) I used the same argument in my Google Tech Talk last Monday:

http://video.google.com/videoplay?docid=2288395847791059857
http://www.slideshare.net/simon/implications-of-openid-google-tech-talk/148

The more I think about it, the more I realise that virtually every
criticism that can be levelled at OpenID applies equally to
forgotten-your-password e-mail, and has for years.

Worried about having one account that, if stolen, betrays all of your
accounts? You already have one, in the form of your e-mail.

Worried that sites will collaborate to build up a much larger profile
of your online buying habits by correlating your OpenID? They can
already do that using the e-mail address you used to sign up for your
accounts there. You're protected by privacy laws and terms of service,
which apply equally to OpenID.

Worried that identifier recycling will let someone else steal your
accounts should someone else claim your abandoned identifier? Once
again, this is already a problem with e-mail accounts (which are
frequently recycled).

I don't feel too good about rejecting problems with OpenID by saying
"but e-mail has that problem too" - much better to offer real
solutions - but it's a pretty good way of explaining how it doesn't
make things any worse.

When you explain to people that forgotten password e-mails are just
SSO with a deliberately bad user experience, OpenID suddenly stops
seeming like such a radical proposition!

Interestingly, that argument works both ways. I can say that if a site
has forgotten password e-mails they have no excuse not to use OpenID,
but there are some sites (such as banks) that DON'T do forgotten
password e-mails, presumably because they don't want to outsource
their security to their users' e-mail provider. The logical conclusion
then is that banks shouldn't support OpenID - at least not without
some kind of scheme for certifying providers that have bank-approved
levels of security.

Cheers,

Simon
