wkossen’s blog

Just another FSFE Fellowship Blogs weblog

Don’t Lock Me Out

OpenID Closed

ADVANCED WARNING: This post is going to be a bit rant-like… But you may still like it. There’s some good information, too, that might keep you out of trouble… Another note: this was originally posted on my personal weblog.

You may already know I’m quite fond of OpenID. In fact, any security system that makes life easier for me is very welcome. For some time however, there’s something going on that makes the OpenID system a bit less attractive. Providers that quit. ‘Quit?’ I hear you ask? Yes, Quit!

And that wouldn’t necessarily be so bad if they told their users with advanced notice they were going to do just that. That’s just not what’s happening. I’ll just list a few of the OpenID providers that aren’t anymore:

  • Technorati (read about that one here)
  • Identity.net
  • Yiid.com (which is also Identity.net) I got the mail from them this week telling me they just turned off OpenID. So much for advanced warning…
  • Cliqset.com I don’t even know what happened. It just stopped working.
  • Logmij.in (Dutch OpenID provider) The site doesn’t even exist anymore.
  • If you check each one on the list on this site, you’ll find quite a few more that seem to be terminated…

Just imagine that you’re using an OpenID from one of those providers. They gave you an OpenID which you actually used to log-in to other sites, for instance to update your weblog at LiveJournal. Now the provider quits. How are you going to access the sites you’re a valid member of? I’ll tell you, you’re not going to access it, and you’re going to have long talks with the helpful support team of those sites (if those even exist) to get your account back.

Since I’ve been fond of OpenID for a long time, I’ve been keeping multiple OpenIDs. That’s a reasonable back-up strategy, but unfortunately not all sites allow you to assign multiple OpenIDs to your account. This really puts you in a tight spot if your provider thinks it’s a good idea to quit. There are some good examples though. Plaxo for instance allows you to add many OpenIDs. What I don’t understand is why they put the management screen hidden as a sub-screen behind a link on the e-mail-addresses-management page, but this post isn’t about Usability… 🙁

Even better as a back-up strategy is the ‘Roll-Your-Own’ method. phpMyID allows you to do just that. Host your own private OpenID provider. It will only quit if you decide it will… I’ve been running mine for a long time and that’s the OpenID I add to a site first. If it’s possible to add more, I’ll do so because my site can be down as well and that would lock me out immediately…

Another (very useful) method is to have your own domain or website delegate to your current provider. If you switch providers, you just delegate to the next one from the same domain or website. That way the OpenID doesn’t change even though the back-end provider does… Delegation is easy to set up if you have access to the HTML source-code of your website. In the <head></head> section, you add the following code:

<link rel="openid.server"
      href="https://www.myopenid.com/server">
<link rel="openid.delegate"
      href="http://wkossen.myopenid.com">

Naturally, the entry in href="" changes depending on who serves your OpenID. Your OpenID provider will tell you what settings to implement or with a bit of thinking, you’ll figure it out… Just note that again, if the delegating website is down, or the OpenID behind that is down, you’re still locked out…
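As an added illustration (not code from the original post), here is a small Python routine that does what a relying party does with the two link tags above: it reads the delegation markup out of the page’s head, resolves which provider endpoint and which identity will be used (OpenID 2.0 tags take precedence over the 1.x ones), and flags settings that make the lock-out or tampering risk worse. The sample page is constructed from the snippet above; the plain-http endpoint in the test is a made-up example.

```python
from html.parser import HTMLParser

# Constructed sample: the delegation snippet from the post, wrapped in a page.
# The <link> inside <body> is there to show that only <head> links count.
SAMPLE_PAGE = """<html><head>
<title>wkossen</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://wkossen.myopenid.com">
</head><body><link rel="openid.server" href="http://ignored.example/"></body></html>"""


class _LinkCollector(HTMLParser):
    """Collects rel -> href from <link> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():  # rel may carry several tokens
                if a.get("href") and rel.lower() not in self.links:
                    self.links[rel.lower()] = a["href"]  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(page_html):
    """Return the provider endpoint and delegated identity a relying party would use."""
    parser = _LinkCollector()
    parser.feed(page_html)
    links = parser.links
    return {"server": links.get("openid2.provider") or links.get("openid.server"),
            "delegate": links.get("openid2.local_id") or links.get("openid.delegate")}


def audit(page_html):
    """List the lock-out and transport risks visible in the delegation markup."""
    info = discover(page_html)
    findings = []
    if not info["server"]:
        findings.append("no provider endpoint: delegation is not configured on this page")
    elif not info["server"].lower().startswith("https://"):
        findings.append("provider endpoint is plain http: the login redirect can be altered in transit")
    if info["server"] and not info["delegate"]:
        findings.append("no delegate: the page URL itself is sent to the provider as the identity")
    return findings
```

Run `audit()` against your own page whenever you switch providers; an empty result means the tags resolve to an https endpoint and a delegated identity, though it says nothing about whether that provider is still alive.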

There’s a natural trade-off here. You get to use ONE log-in for MANY sites, but if that breaks, you’re locked out EVERYWHERE. The alternative is remembering all those passwords and user-names on all those sites the way you used to do. I’ll opt for the first strategy and try to alleviate it as much as possible by adding multiples…

Let me end with stating the obvious here:

  1. If you’re providing essential services people rely on like OpenID, don’t just quit,
  2. If you have to quit, tell the customer well in advance,
  3. Give those people options to move their data (it’s theirs in the first place) -> data portability,
  4. Assist them in setting up their OpenID elsewhere and tell them how to move their accounts,
  5. Even better, why not maintain their OpenID URL and let the user delegate it towards another OpenID?

It’s like the company that sells you petrol just quit and you come to the station in the middle of nowhere with your empty tank. What are you going to do, Push????

Your comments as always are very welcome below. Thanks for reading!
