I recently ripped standard accounts out of my web app and put in OpenID support with the ability to assign a password optionally in case all your OpenID providers magically go down at once. I'm very sold on some kind of login/password non-proliferation treaty and the general idea behind stopping the DRY nonsense around avatars, favorite books, favorite movies, quotes, yada yada.

I have two problems with OpenID. First, big service providers seem to be offering OpenID but not allowing you to use it on their site. I know the market reason behind this, but that's just disrespectful to users. Until they change this, I don't see it getting enough exposure to convince non-early-adopting mid-tier or low-end sites that they should support it as well.

Second, OpenID doesn't seem to really carry any of that other repetitive profile data with it and only solves the username/password situation. Until more value can be achieved, it seems like finding a good username and trying to sign up for new services before someone takes it isn't that bad.

I just don't see OpenID making it yet. I was hoping Clickpass would make some headway, but that definitely hasn't made it out of the technical circle, and I don't see their list of supported sites increasing these past few months, which makes me nervous. I also find OpenID hard to explain to people who are actually smart and fairly technical. It seems to fill people with low-level dread and confusion. I try explaining it as "a way to log in to a site using an account you already have at another site." That's the most condensed I can get the explanation.
I don't understand most of the arguments centering around "single point of failure."

Not too long ago I was a victim of partial Identity Theft; somebody gained access to my credit card information and started making random charges. My credit card was a single point of failure for my finances. It took me a long time to figure this out and to fix it considering I was stuck in Afghanistan at the time, but a phone call and explanation to American Express is all it took to get my card reissued and the charges removed.

<i>You can't do this when you're using passwords.</i> If somebody compromises your "strong" password and changes the password at important sites before you find out, you're pretty much screwed. You could use "I forgot my password," but that same password is likely on your e-mail, so forget that.

<i>With OpenID, there are fixes for this.</i> Say, for instance, the ability to completely disable it if you've used it recently and have the browser cookie. Okay, so now you can't get to your bank account, but neither can the person using your OpenID. You could then use some sort of other verification method to ensure you're the actual owner and reset it.

<i>But forget all this; consider probability!</i> An SSN is basically a single point of failure for your identity; it identifies you specifically and could not possibly represent somebody else. That doesn't mean that the military actually <i>worries</i> about the fact that your SSN is used for <i>everything</i>, including signing into chow. I can't even fathom how many thousands of documents out there have my Social on them. The reason they don't care is because being a victim of identity theft is pretty rare, even when hundreds or thousands of people see your SSN every single day.
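The "disable it if you've used it recently and have the browser cookie" idea in the comment above, worked through as an added example (this is illustration code, not the commenter's or any OpenID provider's implementation). The provider, the 24-hour "recent session" window, the one-time out-of-band recovery code and every name below are assumptions; the point it demonstrates is that the emergency switch kills every outstanding session, the intruder's included, and that only the separate recovery step re-enables the identity:

```python
"""Toy OpenID-style identity provider with an emergency 'disable my identity'
switch (added example; all mechanisms here are assumptions for illustration)."""
import hashlib
import hmac
import secrets

RECENT_WINDOW = 24 * 3600  # assumed: a cookie counts as "recent" for 24 hours


class IdentityProvider:
    """Holds the sessions for one OpenID identity plus its disabled/enabled state."""

    def __init__(self):
        self.disabled = False
        self.sessions = {}  # session cookie -> time it was issued (seconds)
        self._recovery_hash = None  # sha256 of a one-time recovery code, set on disable

    def issue_session(self, now):
        """Called after a successful password login; returns the browser cookie."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = now
        return cookie

    def assert_identity(self, cookie):
        """Would the provider vouch for this cookie to a relying party right now?"""
        return not self.disabled and cookie in self.sessions

    def emergency_disable(self, cookie, now):
        """Disable the identity if the caller presents a recently issued session cookie.

        Returns the one-time recovery code that must be delivered out of band
        (assumed: e.g. to a registered phone), or None if the cookie does not qualify.
        """
        issued = self.sessions.get(cookie)
        if issued is None or now - issued > RECENT_WINDOW:
            return None
        self.disabled = True
        self.sessions.clear()  # every live session dies, the intruder's included
        code = secrets.token_urlsafe(16)
        self._recovery_hash = hashlib.sha256(code.encode()).digest()
        return code

    def recover(self, code, now):
        """Re-enable the identity with the out-of-band recovery code; returns a fresh cookie."""
        if not self.disabled or self._recovery_hash is None:
            return None
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, self._recovery_hash):
            return None
        self.disabled = False
        self._recovery_hash = None  # the code is single-use
        return self.issue_session(now)


def takeover_scenario():
    """Constructed timeline: owner logs in, an intruder obtains a second session,
    the owner throws the switch and recovers. Returns the observable outcomes."""
    idp = IdentityProvider()
    owner_cookie = idp.issue_session(now=0)
    intruder_cookie = idp.issue_session(now=10)  # assumed: obtained by the intruder somehow
    intruder_before = idp.assert_identity(intruder_cookie)

    code = idp.emergency_disable(owner_cookie, now=100)
    owner_locked_out = not idp.assert_identity(owner_cookie)
    intruder_locked_out = not idp.assert_identity(intruder_cookie)
    replay_blocked = idp.recover("not-the-code", now=200) is None

    new_cookie = idp.recover(code, now=300)
    return {
        "intruder_worked_before": intruder_before,
        "owner_locked_out": owner_locked_out,
        "intruder_locked_out": intruder_locked_out,
        "wrong_code_rejected": replay_blocked,
        "owner_recovered": new_cookie is not None and idp.assert_identity(new_cookie),
        "old_cookies_dead": not idp.assert_identity(intruder_cookie),
        "code_single_use": idp.recover(code, now=400) is None,
    }


if __name__ == "__main__":
    for key, value in takeover_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The switch deliberately does not ask for the password, because the scenario is precisely that the password may already be changed; a recent session cookie is the credential the legitimate owner is most likely to still hold. The flip side is that anyone holding such a cookie can also lock the identity, so the switch trades a possible denial of service for the guarantee that neither party can use the identity until the out-of-band recovery step completes.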
I would say "a typical web user" uses the same passwords or slight variations on at least 3 different sites... that being said, I wouldn't want my OpenID hacked... (single point of failure) Are they at least demanding strong passwords?
One aspect that's been overlooked is that single sign-on is only the beginning of what OpenID makes possible. Once you've got an identity that you can use across website boundaries, all kinds of network effects open up.