Benefits of OpenID

I jumped on the OpenID (wiki) bandwagon a few months ago when I realized that, through its widespread adoption and use, we may one day never have to register (and thus memorize or record) a username and password for every single website we want to interact with. However, benefits of OpenID are not only for users -- there are huge advantages to both the website developer and website owner as well.

What does OpenID mean for me as a user? Well, do you have an account with Yahoo/Flickr, Google, MySpace, LiveJournal, or AOL/AIM? I shouldn't even ask, since 99% of you probably use one or more of those companies on a daily basis. And while you might not realize it, that means that you already have an OpenID! Any website you visit that supports OpenID Logins or Signups will accept your OpenID, and you will not have to register a unique username/password combination for that site.

Perhaps you don't care much about this because maybe you use the same exact username and password for every different web service you visit, to keep things simple. If that's the case, there is a possible security risk in doing this: suppose one of the sites that you're signed up with gets hacked (which can happen to websites even as big as monster.com), and suppose your username/email/password combination is obtained my a malicious party -- that malicious party may attempt to access your information on other popular websites via that same username/password combination. The information may even be sold to others who might continue those attempts. If the hacked site happened to be using the OpenID protocol, it would be safe to assume that the data stolen would be limited to data that you shared specifically with that website, and would not open up channels to other websites.

The other advantage for users comes in the form of raw speed. Assuming the website was set up properly, and assuming you have already logged in to your OpenID company-- lets say you logged in to Google or Yahoo to check your mail-- you can log in to the website you're at with just about 2 clicks and little or sometimes NO typing at all. This is because Google and Yahoo already know you're logged in with them, via the use of cookies, so all you have to do is confirm the authorized login with a click of "Yes" or "OK".

What does OpenID mean for me as a developer? As a developer, it saves you the time and effort of developing and maintaining a log-in system for a website, and many of the error-handling and security checks that go with it. The benefits are not huge here because obviously you would still need to store user information specific to your website (preferences and so on), and you'll have to associate that user record with an OpenID, and you'd still have to make sure your OpenID system was working. Regardless, you don't have to worry as much about security with user's identity.

What does OpenID mean for me as a website owner? Although I do not know of any published studies on the subject, I believe that by supporting OpenID log-ins on your website could increase interaction with the site and thus increase popularity or return visitors, simply because the process of logging in becomes faster and safer. Every now and then I come across a blog to which I'd like to post a comment, but requires a registration and I end up leaving the site, annoyed, having not interacted.

Open Nature It is important to note that OpenID is a protocol (and an open one at that, much like HTTP or FTP), not a private service or API such as FaceBook Connect or the Twitter API. The OpenID Foundation exists only to develop and improve the OpenID specification, which is free to use by any individual or company. It's not like you have to be tied to any one company; advanced users can even become their own OpenID provider if they have their own website. This is analagous to running your own FTP or HTTP server.

Gripes

1. A minor gripe is that the use of OpenID itself does nothing to keep track of websites with which you are interacting, although your own OpenID provider could be modified to track which websites you've logged into; it's just outside of the scope of the specification's purpose.
2. The specification says nothing about extra information about a user such as e-mail, address, homepage, or photos -- although all of this can be implemented using extensions that would be gracefully dropped on sites that don't support it.
3. Sometimes websites provide buttons to "Log in with your Google Account" or "Log in with your Yahoo Account", which make the process very user-friendly. Other times they simply provide a box to "Enter your OpenID URL" which many people do not understand. Depending on how that site and/or the OpenID Provider is configured, sometimes simply entering the domain name of your OpenID provider will work, such as yahoo.com or myspace.com (if you have one of those accounts, it works just like that on Rustybrick.com). Other times it won't work and you'll have to enter a longer, non-memorable URL (http://openid.aol.com/YourScreenNameHere or worse, https://www.google.com/accounts/o8/id for Google ).

I believe that to make OpenID more widespread, websites implementing it should assist users with entering their OpenID URLs for the most popular providers, but still allow a custom URL for others.