OpenID in Layman's Terms

This is for Jake, since he asked about it in an off-topic question on another post :-) Hopefully my explanation will be (mostly) accurate and (mostly) in plain language.

OpenID is supposed to provide a single internet identity for its users so people don't have to remember 2, 7, or 50 different login/password combinations. For this to work, you need two parties supporting the system: First, you have an identity provider. This could be anybody - yourself on your own website if you know how to set it up, or a more notable and trusted company, such as Yahoo! or Sun, or what-not. Second, you need websites which allow login with OpenID (the "relying parties"). I have an OpenID through Yahoo!, specifically my Flickr account. This means my login would be "http://flickr.com/photos/ploafmaster" and my password would be whatever I choose.

That sounds simple enough in theory, but in my experience with implementations, it's not so simple, with potential security pitfalls and human-computer-interaction problems. I'll use Yahoo! as an example since they're a pretty big player and I also happen to use them for my OpenID.

Let's say I go to a friend's blog, like Alexis' "Mined Like a Diamond." If I want to leave a comment, I have several options for identifying myself, and one is using OpenID. So I select that choice and enter my login as mentioned above. When I click "Publish Your Comment" the problems begin. I'm redirected to a Yahoo! website where I'm supposed to enter my password. If that's successful, I'm redirected again, back to the blog where I posted my comment.

Why is this a security hazard? I'll paraphrase Wikipedia... Essentially this creates a vulnerability to phishing attacks. The site you are logging in to chooses where to send you for the password step, so if you visit a site that's (unknown to you) malicious, you could be redirected to a false login page that merely looks like your provider's. Likewise, man-in-the-middle phishing attacks, where a third party intercepts your login attempt, could catch a user without his or her knowledge. And while sites like Yahoo! attempt to allay such fears by suggesting (on their redirected-to login page) that users confirm where they are before entering password info, this puts extra onus on all of us to remember graphical badges, URLs, login rules, et cetera.
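To make the redirect problem concrete, here is a small Python model of the three-step dance described above: the blog (relying party) sends the browser to the provider's login page, the user types a password there, and the provider sends the browser back to the address the blog supplied. This is an added example, not code from the original post and not anyone's real OpenID implementation. The parameter names follow OpenID's openid.* convention, but the discovery table, the provider endpoint, the look-alike attacker host and the blog URL are all constructed for the example. The point it demonstrates is that an honest and a malicious relying party produce redirects that look alike to a casual glance, and that the only defence at this step is the check Yahoo! asks users to do by eye: is the page asking for my password really on my provider's host, over HTTPS?

```python
"""Toy model of the OpenID redirect flow: relying party -> provider -> back."""
from urllib.parse import urlparse, urlencode, parse_qs

# Constructed discovery table: maps the host of a user's identifier URL to
# the login endpoint of the identity provider that vouches for it. The
# endpoint host is hypothetical; it stands in for the Yahoo! login page.
DISCOVERY = {
    "flickr.com": "https://login.provider.example/openid",
}

# A look-alike host a malicious relying party might redirect to instead.
# Also constructed for this example; note it contains the real host as a
# prefix, so a substring check or a quick glance would not catch it.
LOOKALIKE_ENDPOINT = "https://login.provider.example.attacker.example/openid"


def discover_endpoint(identifier):
    """Return the provider login endpoint for an OpenID identifier URL."""
    host = urlparse(identifier).hostname
    if host not in DISCOVERY:
        raise ValueError(f"no identity provider known for {identifier}")
    return DISCOVERY[host]


def relying_party_redirect(identifier, return_to, endpoint=None):
    """Step 1: the blog builds the URL it sends the browser to.

    return_to is where the provider should send the user once the password
    checks out. An honest relying party uses the discovered endpoint; a
    malicious one can substitute any endpoint it likes, which is the
    phishing risk the post describes.
    """
    endpoint = endpoint or discover_endpoint(identifier)
    query = urlencode({
        "openid.mode": "checkid_setup",
        "openid.identity": identifier,
        "openid.return_to": return_to,
    })
    return f"{endpoint}?{query}"


def login_page_is_trustworthy(identifier, login_url):
    """Step 2, the check the user is asked to do by eye: is the page that
    is asking for my password on my provider's host, over HTTPS?"""
    expected = urlparse(discover_endpoint(identifier))
    actual = urlparse(login_url)
    return actual.scheme == "https" and actual.hostname == expected.hostname


def provider_return_url(login_url, password_ok):
    """Step 3: after the password check the provider sends the browser back
    to the return_to address the relying party supplied, with a result
    (OpenID uses id_res for success and cancel for a refused login)."""
    params = parse_qs(urlparse(login_url).query)
    return_to = params["openid.return_to"][0]
    mode = "id_res" if password_ok else "cancel"
    sep = "&" if urlparse(return_to).query else "?"
    return f"{return_to}{sep}{urlencode({'openid.mode': mode})}"


if __name__ == "__main__":
    me = "http://flickr.com/photos/ploafmaster"
    blog = "https://minedlikeadiamond.example/comment?post=42"  # constructed
    honest = relying_party_redirect(me, blog)
    phish = relying_party_redirect(me, blog, endpoint=LOOKALIKE_ENDPOINT)
    print("honest login page ok?  ", login_page_is_trustworthy(me, honest))
    print("phishing login page ok?", login_page_is_trustworthy(me, phish))
    print("sent back to:", provider_return_url(honest, password_ok=True))
```

Running it prints True for the honest redirect, False for the look-alike, and the blog's comment URL with openid.mode=id_res appended. The design point is that login_page_is_trustworthy needs the identifier the user typed in order to know which host to expect; the user must carry that knowledge across two sites with different looks, which is exactly the burden the post complains about.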

How much easier is an online identity system if I have to remember extra stuff? And how is this easier and more secure than a person using the same user name and password for multiple web services? Let's not forget, also, that having a single set of login information creates a single point of failure if you forget your password or your account is compromised.

Beyond the potential security risks (which, let's face it, aren't as much of an issue for the nerds currently using OpenID), there's a usability problem here as I see it.

Consider a website with a conventional login system. You visit the login page, enter your user name and password on that page, click "Log In" or "OK" or something else, and if you're successful you're transferred to the page you were trying to reach. With OpenID, on the other hand, you enter your login, click onward, and you're sent to a different site with a different look-and-feel, different interface, form fields and text in unexpected places, and somewhere on there is your password field. And if it's Yahoo!, you also have your security warnings and such. When you enter your password and confirm who you are, you're taken back to where you were trying to go in the first place - the logged-in version of the website you're visiting.

I think this visual interruption and feeling of extra steps is a problem. It's not easier if I have to enter two related pieces of information in two different places that look and feel unrelated. Besides, what happens if there's a connection problem or other error during one of the steps or in between? Am I guaranteed to be placed back on the site I visited in the first place?

To make a very geeky and long story short, I think the concept and goal of a single set of login credentials is great. OpenID, however, has a long way to go in convincing your average Joe that it's easier, quicker, and more secure. For my part, I'll stick to the old-school for now.