60 minutes without MyOpenID but what if..

MyOpenID is going to be down for 60 minutes today which means that for 60 minutes any site that I used MyOpenID to create an account with will be unavailable to me regardless of whether or not that site is down.

This is a notice that MyOpenID will be having a maintenance
outage starting at 14:00 on 2008/02/03, US Pacific Time
(GMT -7 hours).  The outage may last as long as 60 minutes,
but is expected to be considerably shorter.

The reason for this outage is:

    Network modifications to enable new services

During the outage, the MyOpenID website may be unavailable or
unresponsive, and users will be unable log into OpenID-enabled
websites using their MyOpenID accounts.

What happens if MyOpenID has an extended outage, say 48 hours long? Or even worse, what if it folds?

The decentralization that is openID’s strength is also it’s biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. […] In order to login to a web app with openID the web app needs to be working AND my openID server needs be working. The greater number of interconnecting parts decreases my chances of getting everything to work together much more than the benefit of not having to manage multiple user accounts. […] if you use someone else’s openID server then you’re screwed.

Now I know I could set up a new temporary account on the site I’m suing, but who wants to do that? It defeats the purpose of having an OpenID doesn’t it?

Another option would be to have multiple OpenID’s on multiple providers, but then we are starting to get back into the territory of having lots of usernames, id’s and passwords to remember again, although admittedly not as many.

Before you all start screaming at that I can setup my own domain to act as an OpenID provider and just my own URL all the time (which I have already set up BTW), but what about the millions of people who will never own their own domain (for whatever reason)?

For those people relying on a single OpenID provider could be a disaster if the company folds and creating multiple OpenID’s is almost as bad as multiple usernames and password because you have to remember which OpenID you use on which forum or blog so that commenting would remain consistent.

Further more, using OpenID’s as your main login means everywhere is very much like putting all your eggs in one basket. If it’s compromised you are royally screwed and there is no two ways about it.

Once your OpenID has been compromised the keys to the kingdom are out and the compromiser can now happily log in as you on every site you’ve ever used OpenID on (a growing issue as OpenID becomes more prevalent).

It may be the case that for many users a good well encrypted password manager will still be best way to go about managing their online life.

If you have are a regular OpenID user or plan to be one then I highly recommend you check out the post by Stefan Brands over on The Identity Corner. It provides a great overview of many of the security, trust, privacy, usability and adoption problems of OpenID.

The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

Also, if you’re completely knew to what OpenID is supposed do then this video will do a good job explaining it.

Leave a Reply