37signals removes OpenID authentication

Usernames and passwords are everywhere. With the web’s growing ability to reach more consumers and offer more customised content, the number of accounts a web user can have has increased significantly.

Is it time to call Fail for OpenID?

How many usernames and passwords do you have? Email, Facebook, YouTube, MSN, Skype, Twitter, and that’s just what I can think of off the top of my head. Those are probably the most common accounts that people who use the Internet would have. Being a web developer, though, I have a lot.

I’ve always believed that there should be a better way for users to log in to websites. Rather than needing to create a new username and password, there should be a way to authenticate securely, and when the user changes his password, it’s changed for all of the websites he has access to. That, I thought, was achieved by OpenID.

OpenID allows you to log in to a website (that supports OpenID) with the one username (or URL) and password. Using this approach, you can automatically carry all your settings and information over to the website you want to access, without having to fill in lengthy online registration forms.

This technology isn’t new. Anyone remember the old .NET Passport? This was Microsoft’s attempt to centralize all of its logins in one account. For example, if you had a Hotmail email account, that was your .NET Passport, allowing you to log in to any Microsoft website that used .NET Passport. This included MSN Messenger, msn.com, Xbox Live and Microsoft support. eBay also offered Passport login for a short period of time before it was scrapped.

I think Microsoft’s .NET Passport worked in theory. However, because it wasn’t open, it wasn’t widely adopted. Enter OpenID. Working on the same principle, OpenID allows you to log in to any website and keep the one account. You can manage which websites have access to what data, and if you decide you want to leave or close an account, you have the option to do so.

Because OpenID is open, it has been widely adopted. Chances are you already have an OpenID account you can use. Google Accounts act as OpenIDs. Wherever you see the OpenID logo, you can enter your Google Account profile URL and your Google Account password, and you’ll be logged in.

Although OpenID has been widely accepted (you can log in to Facebook with your OpenID Google account, for example), there are some things which haven’t worked out well at all. My biggest criticism is the fact that you have an OpenID URL instead of a username or e-mail address. I understand the reasoning behind this; however, URLs are not an easy thing to remember. I don’t know my Google Profile URL off by heart, which is a pain if I want to quickly log in somewhere to view something.

This is the situation that has happened with 37signals, the owners of the popular Basecamp team collaboration service. When I first signed up for Basecamp, I used my Google Account to log in to Basecamp, as I didn’t want another username and password. This was a big mistake. Every time I wanted to send a Basecamp message or view an attachment, I’d have to search through my email for my OpenID URL, and then click “allow access” on the Google account screen. After a while, it was sometimes impossible to log in to Basecamp at all, and I would have to create a temporary sign-in link.

If the sign-in process were easier, OpenID would have been more widely adopted. I also think that using URLs as usernames was a fundamental flaw in OpenID. Instead, email addresses could have been used.
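The URL-versus-email complaint above comes down to what a relying party does with the text the user types into the OpenID box. OpenID 2.0 (section 7.2 and Appendix A.1 of the spec) defines a normalization step: an explicit `xri://` prefix is stripped, a leading global context symbol marks an XRI, and anything else is treated as an HTTP URL, gets `http://` if no scheme was given, has its fragment dropped and an empty path set to `/`. The following Python is an added example, not code from the original post or from 37signals; the function and variable names are my own, and the sample inputs are constructed. It also shows what happens to an email address typed into that box: it becomes a URL with a userinfo part, so a relying party that wants to give a clearer error than a failed discovery can detect that case up front.

```python
"""OpenID 2.0 claimed-identifier normalization as a relying party applies it
to user input. Added example; function and variable names are assumptions."""
from urllib.parse import urlsplit, urlunsplit

# A leading one of these characters marks an XRI (i-name / i-number), not a URL.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def looks_like_email(user_input: str) -> bool:
    """Heuristic: a bare 'local@host' with no scheme, port or path is almost
    certainly an e-mail address typed where a URL or XRI was expected.
    A leading '@' is an XRI i-name for an organisation, so it is excluded."""
    s = user_input.strip()
    return ("@" in s and "/" not in s and ":" not in s
            and s[:1] not in XRI_GLOBAL_CONTEXT_SYMBOLS)


def normalize_openid_identifier(user_input: str) -> tuple[str, str]:
    """Return ('xri', identifier) or ('url', normalized_url).

    Follows OpenID Authentication 2.0 section 7.2: strip 'xri://', detect
    XRIs by their first character, otherwise default to http, lowercase
    scheme and host, drop the fragment and give an empty path a '/'.
    Redirect-following during discovery is outside this function."""
    s = user_input.strip()

    # Step 1: an explicit xri:// prefix is removed.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]

    # Step 2: a leading global context symbol means the identifier is an XRI.
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return "xri", s

    # Step 3: anything else is a URL; http is the default scheme.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s

    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    # Lowercase the host (and port) but leave any userinfo untouched, since
    # it is case-sensitive. An e-mail address typed here ends up as userinfo.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    netloc = userinfo + at + hostport.lower()
    path = parts.path or "/"
    # Fragment is always stripped; query is kept.
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs covering the spec's Appendix A.1 cases plus
    # the e-mail mistake the post describes.
    samples = [
        "example.com",
        "HTTP://Example.COM/user#frag",
        "https://example.com/",
        "xri://=example",
        "=example",
        "user@example.com",
    ]
    for raw in samples:
        kind, ident = normalize_openid_identifier(raw)
        note = "  <- looks like an e-mail address" if looks_like_email(raw) else ""
        print(f"{raw!r:32} -> {kind}: {ident}{note}")
```

Running the block prints each input beside its normalized form; `user@example.com` normalizes to `http://user@example.com/`, which is exactly why a relying party built around URL identifiers cannot simply accept email addresses without a separate mapping step, and why a `looks_like_email` check before discovery produces a friendlier failure than a discovery timeout.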
