I've been farting around with Jeff Atwood's StackOverflow for a few weeks now as a beta tester. Everything was all well and good until I had to figure out how to use OpenID. I've been watching the development of this shit from the sidelines for a while (well, if reading something about OpenID blah blah blah on TechCrunch and saying, aw, that's cute, then getting back to work counts). I understand the problem that OpenID is trying to solve, but the approach is way too, uh, how to put this, San Francisco.
What I mean to say is that the pathologically idealist, pedantic approach to universal authentication makes it too hard for users to understand.
A Problem That Doesn't Need Solving
Alright, here's the ideal scenario. I have one set of credentials for everything I use. I can use the same username and password pair for Facebook, my blog, my e-mail, whatever.
We have had a solution to this problem for decades: using the same God damned username and password for every website that needs them. Users will forever continue to do this no matter what cutesy Diffie-Hellman key exchange shit you come up with.
But, giving it the benefit of the doubt, let's try OpenID as a normal user. I am visiting a website that uses OpenID for authentication, and I don't have an OpenID account. OK, how do I get one?
Well, that's easy. Just pick one of these OpenID providers that you trust and head over there!
OK, I pick VeriSign. I've seen their name before with stuff that has to do with security. I went to VeriSign's website and entered in all my information. It gave me the name of some website, http://teddziuba.pip.verisignlabs.com/. Am I supposed to go to that website to log in to your website?
No, no no. That's the address of the OpenID provider that you're supposed to blah blah a bunch of smart talk that makes me really sound like I know what I'm talking about and make the user feel small for not realizing how fucking awesome this whole scheme is.
See where this is going? This shit is too pedantic, too convoluted, and violates too many preconceived notions of how authentication works.
Instead of trying to figure out your bullshit, a user will just use the same username and password that he uses for everything. Problem solved.
As A Developer
Let's suppose that by way of some miracle, OpenID takes off. There are millions of users who understand just how brilliant and altruistic Brad Fitzpatrick is, and who can figure out how to deal with this identity provider nonsense.
(Side note: but Ted! There are hundreds of millions of OpenID users who have accounts by virtue of having accounts on such-and-such websites! Yes, but how many of them know this? How many of them care? That's what I thought.)
I'm a lazy-ass developer. Making a table with usernames and MD5'ed passwords is pretty damned easy. Now I've got to figure out something about attaching OpenIDs to my existing user accounts, gotta do some shit with HTTP given that URL the user is going to use to sign in, probably have to redirect them somewhere off my site if they're not logged in. What a pain in the nuts.
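For the record, here is what that "some shit with HTTP" actually amounts to on the relying-party side. This is an added example, not code from the post or from any OpenID library: a minimal OpenID 2.0 relying party written against the spec (checkid_setup redirect, signed id_res assertion, RP-side verification), with the provider simulated so it runs offline. The provider endpoint, user identifier, association handle, MAC key and return_to URL are all made-up stand-ins; a real deployment gets the first two from discovery and the MAC key from an association request.

```python
"""Minimal OpenID 2.0 relying party (RP) with a simulated provider. Added example, not the post's
code; follows the OpenID 2.0 Authentication spec. Every endpoint, identifier and key is a stand-in."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
NONCE_WINDOW = 300  # seconds of clock skew tolerated on response_nonce
SIGNED_LIST = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

# Assumed stand-ins for what discovery and an association request would have produced.
OP_ENDPOINT = "https://op.example/server"
CLAIMED_ID = "https://alice.example/"
ASSOC_HANDLE = "assoc-0001"
MAC_KEY = bytes(range(32))  # HMAC-SHA256 association MAC key; a real one is negotiated, not fixed
RETURN_TO = "https://rp.example/openid/return?sess=abc"
DEMO_NOW = 1217592000.0  # fixed clock so the demo is reproducible

def with_query(url, params):  # both redirects carry their fields in the query string
    return url + ("&" if "?" in url else "?") + urlencode(params)

def checkid_setup_url(op_endpoint, claimed_id, return_to, realm):
    """The off-site redirect the RP sends the browser to (spec 9.1)."""
    p = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup", "openid.realm": realm,
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.assoc_handle": ASSOC_HANDLE, "openid.return_to": return_to}
    return with_query(op_endpoint, p)

def sign(fields, signed, mac_key):
    """Key-Value Form of the signed fields, HMAC'd and base64'd (spec 6.1)."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def simulated_op_response(claimed_id, return_to, mac_key, now):
    """The positive assertion a provider redirects the browser back with (spec 10.1)."""
    stamp = datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.response_nonce": stamp + secrets.token_urlsafe(6),
        "openid.assoc_handle": ASSOC_HANDLE, "openid.signed": SIGNED_LIST}
    fields["openid.sig"] = sign(fields, SIGNED_LIST, mac_key)
    return fields

class RelyingParty:
    def __init__(self, associations, op_endpoint, claimed_id):
        self.associations = associations  # assoc_handle -> MAC key
        self.op_endpoint, self.claimed_id = op_endpoint, claimed_id  # from discovery
        self.seen_nonces = set()

    def verify(self, current_url, now):
        """Return the asserted claimed_id or raise ValueError (spec sec. 11)."""
        cur = urlsplit(current_url)
        f = dict(parse_qsl(cur.query, keep_blank_values=True))
        if f.get("openid.ns") != OPENID_NS or f.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        # 11.1: return_to must be the URL this request actually arrived at
        rt = urlsplit(f.get("openid.return_to", ""))
        if (rt.scheme, rt.netloc, rt.path) != (cur.scheme, cur.netloc, cur.path) or any(
                f.get(k) != v for k, v in parse_qsl(rt.query, keep_blank_values=True)):
            raise ValueError("return_to mismatch")
        # 11.2: assertion must be about the OP and identifier discovered earlier
        if (f.get("openid.op_endpoint"), f.get("openid.claimed_id")) != (self.op_endpoint, self.claimed_id):
            raise ValueError("assertion does not match discovered OP or identifier")
        # 11.4: mandatory fields must be in openid.signed and the HMAC must verify
        signed = f.get("openid.signed", "").split(",")
        required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
        required |= {k for k in ("claimed_id", "identity") if "openid." + k in f}
        if not required.issubset(signed) or any("openid." + k not in f for k in signed):
            raise ValueError("signed field list is incomplete")
        mac_key = self.associations.get(f["openid.assoc_handle"])
        if mac_key is None:  # a stateless RP would fall back to check_authentication here
            raise ValueError("unknown assoc_handle")
        if not hmac.compare_digest(sign(f, f["openid.signed"], mac_key), f.get("openid.sig", "")):
            raise ValueError("bad signature")
        # 11.3: nonce must be recent and never accepted twice (replay)
        nonce = f["openid.response_nonce"]
        stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - stamp.timestamp()) > NONCE_WINDOW or nonce in self.seen_nonces:
            raise ValueError("stale or replayed nonce")
        self.seen_nonces.add(nonce)
        return f["openid.claimed_id"]

def demo():
    """Happy path plus the failure modes a relying party must reject."""
    rp = RelyingParty({ASSOC_HANDLE: MAC_KEY}, OP_ENDPOINT, CLAIMED_ID)
    resp = simulated_op_response(CLAIMED_ID, RETURN_TO, MAC_KEY, DEMO_NOW)
    out = {"ok": rp.verify(with_query(RETURN_TO, resp), DEMO_NOW)}
    cases = {"replay": resp,
             "tampered": {**resp, "openid.identity": "https://mallory.example/"},
             "wrong_id": {**resp, "openid.claimed_id": "https://mallory.example/"}}
    for name, bad in cases.items():
        try:
            out[name] = rp.verify(with_query(RETURN_TO, bad), DEMO_NOW)
        except ValueError as err:
            out[name] = str(err)
    return out
```

The part that is easy to get wrong is not the redirect but what comes back: if the RP skips the return_to, discovered-OP, signed-field, signature or nonce checks, anyone can hand-craft an id_res URL and log in as whoever they like, which is worse than the MD5 table. (And, for what it's worth, the lazy baseline for that table today is a salted, slow password hash, not bare MD5.)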
There aren't enough people using OpenID now to make it worth my while. People will be turned away from your website for hundreds of other reasons before it comes down to you supporting OpenID.
tl;dr
OpenID is too idealistic to be useful.