Is OpenID Too Confusing? (lifehacker.com)
17 points by qhoxie on Oct 16, 2008 | 29 comments



Yes, OpenID is too confusing.

This was a huge complaint I had during the stackoverflow beta. Those that are believers in OpenID are zealots. They won't change their opinions no matter how much the general populace hates on it. They likely are public figures (with URLs related to their personas - like a website or blog). In this case OpenIDs work beautifully. It's the rest of us that have trouble.

I currently have 4+ OpenIDs and I can never remember URLs or usernames. It inevitably involves me going to my second gmail account and searching for OpenID. Then I choose randomly one of the OpenIDs that show up in the search and use it. That or I end up creating yet another OpenID. So now I spend my time managing OpenIDs instead of user accounts. To me an even bigger waste of time. Meta-account management. And god forbid you start forwarding or attaching one OpenID to another one... that'll REALLY hose things with whichever account you are logging in as. Sites rarely allow the user to tie all those IDs together to a single account - which would at least simplify things a bit. To me this is wayyyy too complicated for average end users. Maybe if it were designed into everyone's web-email accounts and things could be managed there. I've attempted using the Yahoo OpenID and always run into problems with that too.

When I've asked my tech-savvy non-developer friends - none of them even know what it is. I've rarely heard positive feedback outside of people in the tech industry. But then again I haven't gone looking for it.

The compromise between being decentralized and centralized in my opinion is what causes so many problems. There is no one place to go get an openid (try explaining that to the average user). There is no standardized way to get one (every third party site is a little different). And it adds an extra level of indirection - with no perceived benefits to the end user. There are a lot of benefits but none that the end user readily cares about.

An interesting article on OpenID from Jeff Atwood: http://www.codinghorror.com/blog/archives/001121.html

I attempted to find the uservoice thread about OpenID in stackoverflow but it's been deleted: http://discuss.joelonsoftware.com/default.asp?joel.3.685860....


"I currently have 4+ OpenIDs..."

I'm not surprised it isn't working so well for you, in that case.

I think some of the centralization/privacy concerns related to OpenID sound like valid points to debate and discuss.

But saying you have too many OpenIDs and that managing them has become a pain is like complaining that you can't remember which of the four wallets you're carrying has your credit card in it, and concluding that wallets suck.


Ya I agree that is one of the problems. But since it's so decentralized and just finding your existing OpenID account can be difficult - it is still a problem. Part of the problem was having multiple emails and multiple types of OpenIDs (Work, Coding and Personal). Add to that - switching web email accounts midway through - and I ended up with multiple accounts.

If I could cut back to just one or two accounts I would. But I've found the management tools lacking both on the client website and OpenID side of things.


I was part of the anti-OpenID movement on StackOverflow. Our complaints, unfortunately, fell upon deaf ears. Fortunately I have my own domain so I decided to be my own OpenID provider with phpMyID, but I don't plan to use it for anything else besides StackOverflow. It's just not worth the hassle.


It's a classic case of sounds awesome & amazing to techies but utterly worthless to Johnny Q. Public.


It's not just confusing - which it is - it's not needed.

It doesn't solve a problem for the average user.


I guess I'm alone here. I'm pretty tired of 30+ login names and passwords. If I use the same one for all, then any single breach hits all 30+ sites.

They should just give it a better name, like Internet-Wide Identity. OpenID is an implementation (centered) name, not a user (centered) name.


I'm another huge fan of OpenID, but after being the only one arguing for it the last couple of times it came up, I've gotten sick of speaking up for it.

Personally, I would love it if almost every site out there would let me log in with an openID. I'm apparently in the minority here, but I'm sick of having to make a new account every time I want to check out some site or forum that looks like it might be interesting.

While there are issues in the implementation, I am very much unconvinced that there is anything particularly more difficult about the concept than that of current logins.

When I ran non-techie friends through it, the biggest complaint was usually that there were too many different screens they had to click through, and there was some confusion about where to go to get an openID, but as far as I can see these are all things that can be improved without sacrificing the core concept of OpenID.


It's not too hard to pick a unique username, and for a password, just start with a base password that you memorize and then apply your own "hash" based on the domain you're visiting.

Example: Your base password is "fun" and you're visiting Gmail -- if your hash is taking the first and last letters of the domain then your password is "funGl".

BAM! Single breach problem solved! Picking a unique username is up to you.
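
An added example, not part of the comment above or of the thread: it implements the base-plus-domain-letters scheme as described, shows what a single leaked password exposes, and contrasts it with a key-derivation approach. The site "Yahoo", the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed sample values: the base "fun" and the site "Gmail" are the
# comment's own example; "Yahoo" and the iteration count are assumptions.

def comment_scheme(base: str, site: str) -> str:
    """The scheme as described: base + first and last letter of the site."""
    return base + site[0] + site[-1]

def base_exposed_by_leak(leaked: str, site: str):
    """What one breached site reveals: the suffix is a public function of the
    site name, so stripping it leaves the memorized base (or None)."""
    suffix = site[0] + site[-1]
    return leaked[: -len(suffix)] if leaked.endswith(suffix) else None

def kdf_scheme(master: str, site: str, length: int = 16) -> str:
    """Swapped-in alternative (not from the thread): PBKDF2-HMAC-SHA256 with
    the site name as salt. A leaked output does not contain the master,
    although a guessable master is still guessable."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.lower().encode(), 200_000)
    return base64.urlsafe_b64encode(raw).decode()[:length]

if __name__ == "__main__":
    gmail = comment_scheme("fun", "Gmail")
    base = base_exposed_by_leak(gmail, "Gmail")
    # One leaked password yields the base, and with it every other site's password.
    print(gmail, "->", base, "->", comment_scheme(base, "Yahoo"))
    print(kdf_scheme("fun", "Gmail"), kdf_scheme("fun", "Yahoo"))
```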


OpenID does solve a problem, and it's even a problem that average-Joe users agree is a problem - once you spend 10 minutes explaining to them just what the hell the field that wants something called an OpenID URL is supposed to do.

The name isn't the problem, the expected action is the problem. People expect to enter a password to log into things.



Yes.


+1 - EXACTLY what I was going to comment.


Yes again. OpenID still confuses the hell out of me.

And I'm saying that as someone who was a semi-active participant in the early design stages of OpenID.


Seeing as you were a participant in the design of OpenID I must ask - what happened? Why is OpenID so awkward and confusing? Why URLs instead of email addresses or something else people already have?


Design by consensus. Most true breakthroughs have been created by a single person.



That's FUD to sell Credentica, and many of those problems cannot be fixed if you assume an unmodified Web browser.


And yet they remain problems that are unsolved. The phishing one in particular (send the user to a fake login page that just facades the real one and steals the password) is a showstopper all by itself.

So while it's true that (short of doing stuff like RSA & PKI in Javascript) you can't fix these problems with browsers as they exist today, that doesn't mean that a solution that ignores the problems is a good idea.


> (short of doing stuff like RSA & PKI in Javascript)

The only thing that I can see which would actually help, without breaking the "install nothing" goal of OpenID or making the existing usage path any more difficult, is to build some sort of OpenIDRequest object into browsers. And you'd want to design an unspoofable credential request window to go with it.


When I join a Google Group, Google asks me "What nickname do you want people in this group to see?". I pick something and I'm in. End of story.

Why can't I do this with every other site? I'd like to be able to go to foobar.com, click on Register and be taken to a Google page where Google says "What nickname do you want foobar.com to see?". The default is my gmail username but I can change it. I'm in. Foobar doesn't see my email address or a password or my address book contacts or anything else. Can people poke holes in this suggestion?

I think Joe the Plumber would love such a scheme.


When OpenID people say they're "solving a problem" what they really mean is "we're solving a problem inasmuch as it advances our agenda."

Things like Google and Facebook are so ubiquitous as to be effectively universal, but OpenID people object to using them as an authentication mechanism on ideological grounds.

They'd rather have a pure solution tomorrow than a good solution today.


"the users tried to log in using the site’s main login, rather than the OpenID login. Users don’t understand multiple ways to log in"

There's the first problem. If your site only accepts OpenID you won't have that problem.

Also, I don't know of a single site that is using an ID selector with history sniffing, which should be a much better UI.


I think this is interesting and definitely something to discuss. The whole idea of having a username/password for a service that can be used across several services is kind of abstract. I could see this being confusing to the non-tech public, because at times it's confusing to me.


I don't think it is - I implemented my own private OpenID-provider in a 130-line Mason component (using Net::OpenID::Server) in a couple of hours, and I like very much not having to create accounts everywhere, and only sending a login/password combination to my own server.

Using and trusting some existing OpenID-provider would be a bigger leap for me - the fact that it is possible, and not terribly complicated, to create and run your own is a big plus in my book.


My problem is rather that I don't trust it enough. Maybe because I don't understand well enough how it works. But by keeping passwords to myself and using different passwords and usernames for different sites I don't have to trust anyone besides myself to keep that data safe. And also I have no trouble creating as many identities as I want to have.


The concept is less confusing than multiple sign ons for a lot of people, but the execution of it is not always clear. Things like redirection for logins definitely throw users off track.


I used OpenID to sign up here. It was quick, painless and easy. I don't understand why anyone would have trouble with it.


Nope. Myopenid.com; I don't know what all the fuss is about...



