
Prior to this past week, my impression of OpenID was that it saved time as long as you took the extra time to use it. Some of my developer friends have talked about how difficult it is (or at least was) to implement, but that all seems to have changed.

One of the main advantages of using OpenID, I found out, is that you can tie together multiple logins from a single provider to unlock additional features. Case in point is my previously undiscovered revelation that by clicking that secondary “use OpenID” link while logging into Basecamp or Highrise, you unlock a black bar at the top of your services, letting you jump from one control panel to the next. This is truly a great implementation, although I still think that 37signals should take the time to allow direct tethering even if you don’t use OpenID.

My problem with OpenID is twofold. While I love the initiative and the proposed solution, I feel it still has a ways to go before it becomes my main login solution.

  1. Unifying my passwords. While it adds simplicity, it also detracts from security. I have sweeping paranoia issues about my passwords on the internet. Because my worst nightmare involves having my main Google account password compromised (and subsequently deleted, losing my email archives), I tend to segment my passwords/services depending on the level of trust I have in them. My theory is that if an unethical or insecure service exposes this access, the leak will only extend to a certain portion of my programs. Now, while I know that OpenID prides itself on security, and is in essence an additional layer of security from these sketchy 3rd parties, should that “one password to rule them all” get out in the open, so does the data being coveted by all these “unified” services.
  2. It has the feel of developing but unfinished technology. Why do I still have to input xx.myopenid.com when I log in? Correct me if I’m wrong, but if it’s OpenID, isn’t the domain always the same? While OpenID deployment is growing, it is by no means universal. At this point, it’s an option in about 25% of my web apps. Is it going to be replaced by the “next big thing?”

It was a true pleasure to have two employees stop by EliHorne.com to clarify my post about 37signals. Jason Fried mentioned the OpenID solution, which had previously been covered by Chaz, and Sam Stephenson explained the 37signals API positioning. I have to say that while I was honored by their presence and attention, I was still left with questions unanswered.

  • Why do we depend on a 3rd party to tether together same party services?
  • While 2-way communication via API is supported, and it is the responsibility of 3rd party developers to pass the information back (something that probably goes against their business plan), why isn’t it 2-way from within 37signals?

After re-reading my post, I realize that it came off as quite a harsh criticism of 37signals and its products. The truth is that I’m completely inspired by the work of Jason Fried and his various life-changing (no joke!) products. I only critique because I want to see them become even better than they already are. Honestly, lots of love there. I’ll try to include more positives next time I dish out some tough love about a company I happily depend on to get through my work day.

One Response to “On the inclusion of OpenID in my web apps”

  1. I think you might have some misconceptions about how OpenID works. You might want to read Sam Ruby’s post on OpenID: http://intertwingly.net/blog/2007/01/03/OpenID-for-non-SuperUsers

    MyOpenID.com is not assumed, because any URL can be an OpenID (what you type into the login box) and anyone can run their own OpenID server (the website you type your password into, which asserts your identity). It’s a decentralized system.

    For example, my OpenID is http://www.chazmeyers.com/. When I use it, I don’t log into MyOpenID.com. In fact, I don’t log into chazmeyers.com either! LiveJournal.com is my identity provider right now.

    If I were using my identity for serious stuff like, say, banking, I might host my own identity server instead of relying on LiveJournal. That way it’s as secure as I want it to be. For example, with some .htaccess magic I might make the login page only accessible to my home and work IP. Or, if I had a static IP somewhere, I could have it authenticate against IP and remove passwords from the equation altogether!
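The comment above describes OpenID delegation: the URL you type (chazmeyers.com) is not where you log in; a relying party fetches that page and reads `<link rel="openid.server">`/`openid.delegate` (OpenID 1.1) or `openid2.provider`/`openid2.local_id` (OpenID 2.0) to learn which provider actually asserts the identity. The script below is an added example written for this page, not code from the post or from the commenter. The HTML page, the LiveJournal endpoint URL and the delegate identifier in it are constructed stand-ins for what a relying party would fetch from the claimed identifier; the function names are mine.

```python
"""HTML-based OpenID discovery (OpenID 1.1 and 2.0 link tags) over a constructed page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the page a relying party would fetch from the claimed
# identifier. The provider endpoint and local id are assumed values, not real records.
SAMPLE_HTML_V2 = """<html><head>
<title>Chaz Meyers</title>
<link rel="openid.server" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="https://chazmeyers.livejournal.com/">
<link rel="openid2.provider" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid2.local_id" href="https://chazmeyers.livejournal.com/">
</head><body>Personal site.</body></html>"""

# Same page with only the OpenID 1.1 tags, to exercise the fallback path.
SAMPLE_HTML_V1 = """<html><head>
<link rel="openid.server" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="https://chazmeyers.livejournal.com/">
</head><body></body></html>"""


def normalize_identifier(user_input: str) -> str:
    """Turn what the user typed ('www.chazmeyers.com') into a claimed-identifier URL.

    Scheme and host are lowercased, a missing scheme defaults to http, an empty path
    becomes '/', and any fragment is dropped (fragments are never part of the identifier).
    """
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[6:]
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> tags from <head>; the first tag per rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():  # rel may carry several space-separated tokens
                self.links.setdefault(token.lower(), href)


def discover(html: str, claimed_id: str) -> dict:
    """Return the provider endpoint and the identifier the provider knows the user by.

    OpenID 2.0 tags take precedence over 1.1 tags. If no delegate/local_id is given,
    the claimed identifier itself is what the provider must assert.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": 2, "endpoint": links["openid2.provider"],
                "claimed_id": claimed_id,
                "local_id": links.get("openid2.local_id", claimed_id)}
    if "openid.server" in links:
        return {"version": 1, "endpoint": links["openid.server"],
                "claimed_id": claimed_id,
                "local_id": links.get("openid.delegate", claimed_id)}
    raise ValueError("no OpenID provider declared at " + claimed_id)


if __name__ == "__main__":
    cid = normalize_identifier("www.chazmeyers.com")
    print(cid, discover(SAMPLE_HTML_V2, cid))
```

Two things a relying party must do with this result: send the user to `endpoint` (not to whatever provider the user might later name) and, when the signed assertion comes back, check that it names the same `local_id` and came from the endpoint discovery produced. Skipping that check lets any provider assert any identifier, which is the attack delegation otherwise invites. Fetching the claimed identifier over plain http, as OpenID 1.1 allowed, means the link tags themselves can be rewritten on the wire, so a self-hosted identity page should be served over https.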
