wkossen’s blog


Don’t Lock Me Out

OpenID Closed

ADVANCE WARNING: This post is going to be a bit rant-like… But you may still like it. There’s some good information, too, that might keep you out of trouble… Another note: this was originally posted on my personal weblog.

You may already know I’m quite fond of OpenID. In fact, any security system that makes life easier for me is very welcome. For some time, however, there’s been something going on that makes the OpenID system a bit less attractive: providers that quit. ‘Quit?’ I hear you ask? Yes, quit!

And that wouldn’t necessarily be so bad if they told their users with advance notice they were going to do just that. That’s just not what’s happening. I’ll just list a few of the OpenID providers that aren’t anymore:

  • Technorati Read about that one here
  • Identity.net
  • Yiid.com (which is also Identity.net) I got the mail from them this week telling me they just turned off OpenID. So much for advance warning…
  • Cliqset.com I don’t even know what happened. It just stopped working.
  • Logmij.in (Dutch OpenID provider) The site doesn’t even exist anymore.
  • If you check each one on the list on this site, you’ll find quite a few more that seem to be terminated…

Just imagine that you’re using an OpenID from one of those providers. They gave you an OpenID which you actually used to log in to other sites, for instance to update your weblog at LiveJournal. Now the provider quits. How are you going to access the sites you’re a valid member of? I’ll tell you, you’re not going to access them, and you’re going to have long talks with the helpful support team of those sites (if those even exist) to get your account back.

Since I’ve been fond of OpenID for a long time, I’ve been keeping multiple OpenIDs. That’s a reasonable back-up strategy, but unfortunately not all sites allow you to assign multiple OpenIDs to your account. This really puts you in a tight spot if your provider thinks it’s a good idea to quit. There are some good examples though. Plaxo for instance allows you to add many OpenIDs. What I don’t understand is why they put the management screen hidden as a sub-screen behind a link on the e-mail-addresses-management page, but this post isn’t about Usability…. :(

Even better as a back-up strategy is the ‘Roll-Your-Own’ method. phpMyID allows you to do just that. Host your own private OpenID provider. It will only quit if you decide it will… I’ve been running mine for a long time and that’s the OpenID I add to a site first. If it’s possible to add more, I’ll do so because my site can be down as well and that would lock me out immediately…

Another (very useful) method is to have your own domain or website delegate to your current provider. If you switch providers, you just delegate to the next one from the same domain or website. That way the OpenID doesn’t change even though the back-end provider does… Delegation is easy to set up if you have access to the HTML source-code of your website. In the <head></head> section, you add the following code:

<link rel="openid.server"
      href="https://www.myopenid.com/server">
<link rel="openid.delegate"
      href="http://wkossen.myopenid.com">

Naturally, the entry in href="" changes depending on who serves your OpenID. Your OpenID provider will tell you what settings to implement or with a bit of thinking, you’ll figure it out… Just note that again, if the delegating website is down, or the OpenID behind that is down, you’re still locked out…
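To confirm a delegation setup before relying on it, the following added example (not part of the original post) parses a page for the two link tags and reports problems that would leave the delegated OpenID unusable. The OpenID 2.0 rel names openid2.provider and openid2.local_id, the https check on the provider endpoint, and the names check_delegation and DelegationParser go beyond the post and are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (provider endpoint rel, delegated identity rel) for OpenID 1.x and 2.0
PAIRS = (("openid.server", "openid.delegate"), ("openid2.provider", "openid2.local_id"))
RELS = {rel for pair in PAIRS for rel in pair}

class DelegationParser(HTMLParser):
    """Collect OpenID <link> tags, split by whether they sit inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}      # rel -> href, inside <head>
        self.misplaced = {}  # rel -> href, anywhere else

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link":
            a = dict(attrs)
            target = self.found if self.in_head else self.misplaced
            # rel may carry several space-separated values on one tag
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS:
                    target[rel] = (a.get("href") or "").strip()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_delegation(html):
    """Return (settings, problems) for the delegation markup in `html`."""
    p = DelegationParser()
    p.feed(html)
    problems = [f"{rel} is outside <head>" for rel in p.misplaced]
    for server, local in PAIRS:
        if local in p.found and server not in p.found:
            problems.append(f"{local} present without {server}")
        if server in p.found and urlparse(p.found[server]).scheme != "https":
            problems.append(f"{server} endpoint is not https: {p.found[server]}")
    if not any(server in p.found for server, _ in PAIRS):
        problems.append("no provider endpoint found")
    return p.found, problems

# Constructed sample: the post's snippet wrapped in a minimal document.
SAMPLE = ('<html><head><link rel="openid.server" href="https://www.myopenid.com/server">'
          '<link rel="openid.delegate" href="http://wkossen.myopenid.com"></head></html>')
if __name__ == "__main__":
    print(check_delegation(SAMPLE))
```

Run it against the saved HTML of the delegating page after every provider switch; an empty problem list means both tags were found inside the head section.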

There’s a natural trade-off here. You get to use ONE log-in for MANY sites, but if that breaks, you’re locked out EVERYWHERE. The alternative is remembering all those passwords and user-names on all those sites the way you used to do. I’ll opt for the first strategy and try to alleviate it as much as possible by adding multiples…

Let me end with stating the obvious here:

  1. If you’re providing essential services people rely on like OpenID, don’t just quit,
  2. If you have to quit, tell the customer well in advance,
  3. Give those people options to move their data (it’s theirs in the first place) –> data portability,
  4. Assist them in setting up their OpenID elsewhere and tell them how to move their accounts,
  5. Even better, why not maintain their OpenID URL and let the user delegate it towards another OpenID?

It’s like the company that sells you petrol just quit and you come to the station in the middle of nowhere with your empty tank. What are you going to do, Push????

Your comments as always are very welcome below. Thanks for reading!


4 Responses to “Don’t Lock Me Out”

  1. Daily Digest for October 6th 11:02pm | Willem's LifeStreamer Says:

    [...] New blog post: Don’t Lock Me Out http://blogs.fsfe.org/wkossen/?p=19 [wkossen]. Tweet This Post Posted on October 6, 2010 at 11:02 pm by wkossen · Permalink [...]

  2. mina86 Says:

    The other alternative would be to use your browser’s password manager. Personally, I consider it to be more convenient and secure (providing you generate a random 40-hex-digit password for each site) way of dealing with passwords.
