[OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)

Allen Tom atom at yahoo-inc.com
Fri Jun 19 03:07:03 UTC 2009


The problem with having multiple OpenIDs on a single account is that 
the OP's approval screen will have to ask the user to choose an OpenID 
when visiting a new site, complicating the sign in process. Asking users 
who are unfamiliar with OpenID to choose a persona or an OpenID during 
the sign in flow will probably confuse a lot of people.

If OpenID is viewed as a replacement for traditional Login/Registration 
flow, most users are already familiar with having to give their email 
address to a website when they register, and users will give a different 
email address when they want to use a different persona. In most cases, 
different email addresses are tied to different accounts, and users 
either switch accounts when switching email addresses from the same 
email provider, or they'll have accounts with multiple providers to 
avoid having to switch accounts on a single provider.

Many email providers give users the option to create aliases for a 
single account, but this tends to be mostly a feature only used by 
relatively few power users (probably like the people on this list). 
Also, despite the best efforts by providers to "silo" the aliases, 
accidents and bugs do happen on occasion. In contrast, separate 
accounts, even on the same provider, are typically access controlled 
using account-specific credentials, so it's extremely unlikely for a 
provider to accidentally "cross the streams" as they say, when different 
accounts are involved.

The possibility that an OP accidentally "crosses the streams" when 
different personas tied to a single account are used is much higher than 
if multiple accounts are used. This is why I mentioned that it's 
inherently safer that users choose different accounts to manage their 
personas. Truly paranoid users should use accounts from different 
providers to minimize the risk that the personas are unintentionally joined.

Allen

Andrew Arnott wrote:
>
>
> But it won't work so well if users are forced to have multiple 
> accounts at the OPs in order to manage their multiple personas.  For 
> instance, if I must have two Yahoo accounts to manage my two personas, 
> then I can only be logged into one of them at once, which forces me to 
> keep logging into "the other one" each time I visit an RP that happens 
> to use a different persona than the last RP I visited.
>
> Contrast that to Yahoo supporting multiple personas: I'm logged into 
> all of them at once, so no matter which RP I visit as a Yahoo! 
> customer, Yahoo can implicitly log me into those RPs regardless of 
> which claimed_id and/or persona from Yahoo I used to log in with them.
>