OpenID is a very cool concept that allows user’s to control and carry their own user name and authentication credentials.  You pick your ID, your authenticating provider and then can use those same credentials with any site that supports OpenID.

This is an excellent video I found on YouTube, explaining the process..OpenID according to Dave(no relation):

I really, really like the idea of being able to take your ID with you to any site.  It would make most of our lives much easier; one user name, one password.  Further I think as the process evolved, we’d find OpenIDs to be a reliable way to identify people on the web.  If I post on the Intradoc messageboard and then the Oracle ECM board, is there any way to determine that both David’s are the same?  Not really, unless I share more personal information in my profile. 

As great as all those things are I still have some reservations about OpenID.  I think there are a couple problems that in it’s present form prevent OpenID from being a fit for many business.

The Security Question

Fundamentally OpenID is a secure process and if your user’s select a reputable provider like Yahoo or Verisign there shouldn’t be an issue.  The thing is though that you have to ask yourself; how much do you trust your users?  They get to pick their authentication provider so there’s no way to ensure their authentication process is up to your organization’s standards.  Probably not a big deal if you’re running a blog/wiki/messageboard or some other social site.  If a users compromises their ID maybe just some spam posts from Nigeria, but how much access would you be willing to give them? If you can’t control the authentication process, would you let them administer or moderate your site?  Many companies have security and compliance standards, which I am not sure OpenID can meet given that thier users would control how and where they authenticate.

Advertising

The other thing I think is going to happen is that we’re going to start seeing(and perhaps we already are) ad-word advertising on the provider’s login pages and I think things will be very interesting when that happens.  Let’s say you’re signing in to Amazon or some other commerce site with OpenID, when does that normally occur?  Right before you’re getting ready to make a purchase.  Advertisers will have the ability to throw up a message the moment a customer makes a buying decision.  I am no online marketer, but I think I would pay a premium to reach customers who are initiating a purpose.  They’ve already made a decision to spend money, all I need to do is pull them away from the site they’re on and bring them to mine.  If I’m Buy.com, I’m getting OpenID ads that look at the referring site’s URL and if it’s Amazon, my message is “Forget Amazon, we’ll give you X% off whatever you were about to get at Buy.com”.  Maybe it’s a two sided coin, Amazon could do the same thing, but if I’m an online retailer, I think I would definitely invest in OpenID advertising if my competitors support it and wait as long as possible before I do.

Just needs to Mature

I think as OpenID matures and more major players like Yahoo begin to support it, these issues will be resolved.  If there was a way to some how validate that providers are implementing certain security standards and potentially even know what their advertising policies are, companies would have the ability to say “we support OpenID, but unfortunately your provider is an unknown to us”.

What do I know?

Let me know what you think.  I have to confess that I just recently set up my own OpenID and that most of my knowledge is from reading online.  If I’m way off base I’d love to hear from you.