1. 35

  2. 8

    My personal experience with OpenID was that every time I tried to use it as my identity provider, I just ended up confused as to how to proceed. But I’m not sure why the UX was so bad; it could be that the providers failed, or it could be that the protocol was just awkward to work with. I don’t know.

    1. 6

      Yeah, same thing with Firefox Persona - great concept, I support it 100% in theory, but it was a real pain to get working right. IMO there ought to be another crack taken at an open authentication system, but there can be no compromise on ease-of-use.

      1. 4

        Yeah, not much was learned from SAML and OpenID with Firefox Persona. It was way too complicated and required JS. OpenID Connect (OIDC) is somewhat better, but still way too complicated for a simple (federated) authentication system (built on OAuth 2.0). WebAuthn may be better, but as far as I know it requires JS, just piling on the complexity, so I haven’t looked at it in more detail.

    2. 8

      That, and it’s been phased out in favor of the more widely usable magic-link login process.

      1. 5

        That’s almost universally used for resetting passwords. I’m not sure I’ve ever seen it used for just logging in in the first place. It’s not a bad idea though. There are sites I don’t use very often where I have to reset my password every time I use them anyway. I’m thinking primarily of things like the New Zealand Inland Revenue Department website. Once a year I log in, press the ‘calculate my tax refund for me automatically’ button and then the ‘transfer that amount to my bank account please’ button. But I do it once a year, I don’t remember my password. I’d rather not even have a password to it to be honest.

        1. 8

          We’re thinking about using it as the login system for a site we’re putting together at my workplace. We’ve got a big set of users who will only use the site once or twice a year at most, and we’ve already got emails for them. Sending them a magic link that expires after a time skips the part where they feel bad that they forgot their password or feel annoyed that we insist they remember it.

          1. 4

            Yep! Our system has two sets of users – extremely active daily+ users, and the outside clients they work with, who log in probably a few times over the course of a project, which can be multiple years long. Looking at ‘magic links’ for those users.

          2. 4

            It is hugely on the upswing since Slack started using it. It has existed for years on a few mobile apps (“click here to get a magic login link”), but it is getting very popular now.

            > I’d rather not even have a password to it to be honest.

            This is actually becoming an option in some systems as well – just went to a meetup where a local startup was talking about exactly that – an option their users could click for ‘no password logins’.

            1. 4

              Yeah, I mean I certainly prefer ‘email me a password reset’ to ‘let me change my password with no email confirmation if you have my mother’s maiden name (which happens to be her last name and which I have given countless websites and businesses)’. So ‘email me a link to log in’ is really just the logical next step in increasing security while not actually making things any less convenient. It’s definitely easier to keep one password secure than dozens. Even with a password manager, changing a lot of passwords regularly is a hassle. But I change my email password every week.

              1. 2

                I’d describe it the opposite way: “just the logical next step in making things more convenient while not actually making them any less secure.”

          3. 4

            I have had a couple of logins that used this method, and have suffered from waiting minutes for an E-mail to arrive. Sometimes I haven’t received it for hours. This has been my experience waiting for 2-factor SMS as well.

            SMS as 2-factor is OK security to me, but is a pretty crummy login method. I think it’s easier and sensible to consider “login by E-mail” as similar to “login by SMS”.

            1. 3

              As this ridiculous trend increases, expect to see more and more attacks that aim to get access to a user’s mailbox.

              And the beauty (for them) is that if they succeed, they can often get in, do what they want, and the end-user will know nothing about it, because they aren’t getting a “wrong password” prompt either.

              Every proponent I’ve seen of “magic link” auth systems conveniently ignores all the security and usability downsides.

              Password managers are a thing, and they can work amazingly well. Making users rely on emailed links to login because some users have a shit/no password manager, is like banning sales of raw chicken meat because someone occasionally gets salmonella from undercooked chicken.

              1. 2

                > expect to see more and more attacks that aim to get access to a user’s mailbox.

                Getting into a user’s mailbox is already effectively the universal in, as most of the time that is how they “reset” a password. There are a few systems that will also ask them something like “What was your favorite baseball team?” or some other security question before sending the reset link, but that isn’t the norm.

                1. 1

                  There are a huge number of user account/password pairs in the wild, not to mention just known passwords (as opposed to just trying dictionary words, and sequential 6-8 digit alphanumeric combinations).

                  While mailboxes are no doubt currently a target, if you break in via a password reset, it’s a known event - the user will know about the event, and it’s quite common to log extra details for actions like e.g. submitting a password reset, as opposed to a regular login.

                  What I’m saying is - this behaviour (automatic login links sent to a mailbox) will increase the focus put on mailbox breaches - because not only do they have a vector to access your account without your knowledge, they also likely have hints about where you have accounts (from previous login link emails in your deleted items/inbox).
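As an added example (not code posted by any commenter here, nor from Slack or any product mentioned), the following Python sketch implements the magic-link flow described a few comments up (a link that expires after a time) and addresses the two concerns raised in this subthread: that a link in a mailbox is a silent way in, and that link logins should be logged like password resets are. The 15-minute lifetime, the single-use rule and the `example.invalid` login URL are assumptions made for the example. Only a hash of the token is stored, so a leaked database row or server log cannot be turned into a working link; lookup is by hash, so no secret is compared with `==`; each token is invalidated on first use; and every issue, redeem and rejection is written to an audit log with a distinct `login_by_link` event so it is as visible in logs as a reset would be.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumptions (not from the thread): 15-minute lifetime, one-shot tokens,
# and a hypothetical login endpoint on example.invalid.
TOKEN_TTL_SECONDS = 15 * 60
LOGIN_URL = "https://example.invalid/login"


def _hash_token(token: str) -> bytes:
    """Store only a hash of the token: a leaked database row or log line
    then cannot be turned back into a working login link."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class LinkRecord:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """In-memory issuer/verifier; `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._records: Dict[bytes, LinkRecord] = {}
        self.audit_log: List[str] = []

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        record = LinkRecord(email=email, expires_at=self._now() + TOKEN_TTL_SECONDS)
        self._records[_hash_token(token)] = record  # keyed by hash, never by raw token
        self.audit_log.append(f"link_issued email={email} expires_at={record.expires_at:.0f}")
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail address the link authenticates, or None if rejected."""
        record = self._records.get(_hash_token(token))
        if record is None:
            self.audit_log.append("link_rejected reason=unknown_token")
            return None
        if record.used:
            # A second use is the replay case: the link was read from a
            # mailbox (or a log) after the legitimate user already used it.
            self.audit_log.append(f"link_rejected email={record.email} reason=replay")
            return None
        if self._now() > record.expires_at:
            self.audit_log.append(f"link_rejected email={record.email} reason=expired")
            return None
        record.used = True
        # Distinct event name so link logins stand out like password resets do.
        self.audit_log.append(f"login_by_link email={record.email}")
        return record.email


def token_from_url(url: str) -> str:
    """Extract the token query parameter the way the login handler would."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.invalid")  # constructed sample user
    print("first use:", store.redeem(token_from_url(link)))
    print("replay:", store.redeem(token_from_url(link)))
    print("\n".join(store.audit_log))
```

In a real deployment the records would live in a database with the hash as the key, and the rejection events would feed the same alerting as failed logins; a burst of `replay` or `expired` rejections for one address is the signal that somebody other than the user is reading that mailbox.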

            2. 4

              There are at least three separate groups of thinking here and I really would like to yell at all of them.

              OpenID technically worked but wasn’t intuitive or clear for users at all and had some technical deficiencies. In other words, more of a hobbyist system than one that has wide adoption or appeal to most users.

              Proprietary login systems are basically lock-in and user tracking on a large scale, with the majority of sites not supporting switching between login types.

              Email-as-an-identity-provider is decentralized and flexible, but suffers from the same problems as text message based authentication. Making your mailbox your identity provider has serious security ramifications that most mail hosts are entirely unprepared for. Only very few do email security right.

              An ideal system would take the security of Gmail/Google Auth, combine it with the interchangeability and indirection of email and the ease of use of proprietary systems. A system like this is basically a unicorn jumping over a rainbow.

              1. 4

                Although OpenID may be in decline, several other open standards for distributed services are starting to solidify and have been implemented by several projects.

                It’s not yet supported by any “major” actor, but I find the indieauth system quite nice :)

                1. 2

                  I implemented my own simple OpenID provider (in 252 lines including HTML, using the Perl OpenID libraries), and was very happy with it and its UI. Too bad even Stack Overflow abandoned OpenID.