Tuesday, April 06, 2010

OpenID Issues List

Yesterday at the OpenID Summit a number of companies presented on the issues they have experienced with evaluating and/or deploying OpenID. Here is my summarized list in no particular order.
  • Value Proposition is not always clear
    • Authentication isn't enough, need identity attributes (AuthN + AuthZ)
    • The more marketable attributes the better
    • Need a standard "profile" object with "trusted/verified" attributes
    • Data sharing when the user is not present
    • No clear way to push back activity into the user's activity stream
  • Usability
    • User's don't know their OpenID, use email addresses instead
    • Depending on the site requirements, the user may still have a registration to go through (e.g. site must collect age/gender/zip)
    • First time experience is different at each site
    • Customer care is difficult because the user likely doesn't know their OpenID (OpenID 2.0 IDs are often machine generated)
    • User confusion over the logout experience
      • Local logout just from the site
      • Global logout from all sites
    • User confusion over the login experience
      • Every pop-up UI is different
      • Should the user "link" their OpenID to their existing account at the RP?
      • Should the user create a new account at the RP based on their OpenID?
    • OpenID and OAuth both have "login events" but they mean different things
  • Better non-browser support
    • Devices (e.g. netflix, xbox, zune, etc)
    • Mobile devices (lose 70% of population in Japan if OpenID doesn't support mobile)
    • Rich client applications
  • Trust / Certification
    • How does the RP know it can trust the OP to security authenticate the user?
    • How does the OP know it can trust the RP with the identity attributes shared?
  • Security and Levels of Assurance
    • Need an independent security review by an expert
    • Cannot meet higher levels of assurance than LoA1 without protocol changes
    • Need an attribute profile to meet LoA2 requirements
  • E-Commerce
    • Who is liable/responsible if the user can't log in to their paid service because their OP is down?
    • How does OpenID make the check-out process better? more streamlined?
    • More e-commerce related attributes (e.g. billing/shipping address)
    • Portable reputation
    • User's want privacy to control what attributes/info is shared with the merchants
  • Interoperability
    • Need better / automated testing tools for core libraries and services
    • OPs have to tweak their implementation for specific RPs
    • RPs have to tweak their implementation for specific OPs
    • URL length can cause problems for some implementations
    • No way to move a 1.1 HTTP OpenID to a secure HTTPS one
    • Inconsistent implementations of Attribute Exchange
  • Ease of Adoption
    • Not easy to set up based on existing libraries
    • No simple JS library that enables OpenID without server development
    • OpenID + OAuth hybrid has too many secrets
  • Privacy
    • Must protect the user's rights
    • Needs to be under the user's control
    • Activities need to be un-correlatable (if that's what the user wishes)
    • Can't share email if maintaining the no correlation privacy constraint (Contact service?)
    • User must have access to their settings and activities at each site

I'm sure I've missed some so please feel free to add to the list.

1 comment:

amw said...

this is quite the list... to what degree do you think OpenID Connect corrects these issues? mostly interested in higher LoA and trust in the OP.

thx, Mike