I am not sanguine on the idea, but the marketing for the idea is beyond terrible. The IDL is a leaky abstraction because the most salient features of drivers licenses are a) you have to apply to the government to get one, b) the government can take yours away with as much ease as they can do anything else, and c) if you lose your license, you will be denied the ability to use one or more critical goods/services (driving).
That is what your mother thinks of when she hears Driver's License. Why on earth would that be the branding you pick for OpenID or federated authentication? You are practically trolling your own idea at that point!
Observe the kinds of things people are going to say about any federated identity scheme which you call a License:
"Jeff Atwood thinks the government should be able to take away your Facebook account! He's fascist!" "I didn't say that!"
"Jeff Atwood thinks your mom shouldn't be allowed on the Internet until she stops calling it 'the Googles'! He's an elitist bastard!" "I didn't say that!"
"Jeff Atwood thinks that if you get kicked off a WoW server you should lose your Gmail account. He's in bed with corporate interests!" "I didn't say that!"
But not everyone had a drivers license or a passport - so they wanted everyone to have a separate ID card. Generally, having a formal ID has only been required in the UK during dire emergencies (i.e. World Wars) and contrary to what the government of the time thought we are not in the middle of such a crisis.
Every German older than 16 is required by law to have an ID card or passport. As of November 2010, ID cards carry RFID chips with the same data that's written on the card plus an optional fingerprint. Passports have had the chip for a while already, but the fingerprint is mandatory there. Driver's licenses are not considered a valid means of identification outside traffic.
Likewise in France, except as far as I know there are no rfid chips in the national id card (yet anyway). And in belgium (where the ID card is the size of a credit card and has a small chip, I don't know if it has an RFID chip)
In Australia it would be a major hassle to not carry around a drivers license, not all the time but things always come up where you need ID and a drivers license usually covers that.
I'd estimate that about half the people I know in Sweden and in Norway, under 35, don't actually have a drivers license. And of those half again have no real intention of getting one.
Personally, the idea I have in my mind of a (US) driver's license is a universally-accepted form of ID that anyone can get. The facts that it has a test, or that it can be revoked, or that some people don't have one, don't actually register in my head until someone points it out. If it weren't in the name, I wouldn't even connect it with driving. Furthermore, it's the only abstraction I have in my head for a universal ID. Passport's aren't universal (at least in the US) because they're bigger and therefore less convenient, and international travel is somewhat rare. We don't have a universal government-issued ID that's just an ID, so the idea of a national ID card sounds scary and government-intrusive to me. A driver's license is literally the most innocuous and least threatening analogy to make. Until you point out the ways in which it doesn't work the way I think it works.
When most people think of driver's licenses, do they really think government certification, or do they think universal ID? I would be honestly interested in the answer.
Personally, the idea I have in my mind of a (US) driver's license is a universally-accepted form of ID that anyone can get.
Don't you have to take a test to obtain a licence? Here in the UK the test is relatively difficult and expensive, so not everybody has a licence. Passports are much cheaper, easier to obtain and don't come with age limits, so they are a more universal form of ID (though they are also bulky and hardly something you would carry around on you).
When most people think of driver's licenses, do they really think government certification, or do they think universal ID? I would be honestly interested in the answer.
When I think of driver's licences, I think of driving a car. Universal ID doesn't occur.
I agree with you that a driver's license is more a form of ID than a public safety credential, if you live in the USA.
Why?
-- You have to take a test to get it, but you do that when you are 16 or 17, and never again. In most states, the test is ridiculously easy.
-- In an average year, you probably use it hundreds of times for its ID value (to buy beer at the grocery store or drinks at a bar, to cash a check, to check in for an airline flight), and (hopefully) zero times for the public safety function (showing it to a police officer after being pulled over).
-- Outside of NYC, the fraction of people over the legal driving age who don't have a license has to be less than 10%
Perhaps a more accurate metaphore would be "Internet Passport". Government's can't take it away and it has no real entitlements. However Jeff Atwood is from the USA which has a strangley low number of passport holders. Perhaps they are used to using a driving licence instead of passport as general ID.
Perhaps they are used to using a driving licence instead of passport as general ID.
No perhaps about it. It seems to the average American, the word "drivers license" evokes "proof of identity" first and "proof of ability to drive a car" second, because they're using theirs as a general ID more often than for its original purpose.
It gets even funnier when American companies operate abroad and require "two photo IDs" in countries where everyone has a government-provided ID card.
It seems to the average American, the word "drivers license" evokes "proof of identity" first and "proof of ability to drive a car" second, because they're using theirs as a general ID more often than for its original purpose.
This is because the idea of a National ID Card is for some strange reason (strange to this American, I mean) seen as an evil thing by the general public here.
I (and most others that I know) don't carry a social security card. There's virtually no need for it in daily life. If you even know where yours is, it's probably sitting next to your birth certificate in a drawer.
There's enough circumstances where you can be forced to surrender passports though, and certainly historically they weren't automatically available. I understand British passports were, in the late 19th Century, only available to people who the foreign secretary personally knew or was linked very closely to, with the net effect that many British instead obtained French passports because they didn't require you to be a French national, were easier to get hold of and worked equally well.
Apparently rail travel made the whole process of issuing and checking passports a bit of a pain so most countries just gave up - they didn't become common again until 1914.
You can't go to Mexico without a passport either. You can't come back without one, anyway.
The US Gov does now issue passport cards which are a form of national ID card that allows citizens back in at international LAND borders. You should ask for one when you apply for your passport; they're nice to carry in your pocket when you're abroad and the full passport is safely locked away.
The US is is geographically larger than Europe, has a comparable number of people, and is arguably as diverse.
Yes, it looks like we speak the same language, but the diversity in "American" is at least as broad as the difference between the middle of "American" and "received English". (Yes, I'm aware that there's a lot of diversity in UK English.)
Yes, Americans mostly watch the same TV, but our exports and castoffs are not unknown in Europe.
America is not as lingusitically diverse as Europe. The difference between 2 American english accents might be similar to the difference between 2 English accents, but there are dozens of languages in europe. You're comparing the whole of the US to one part of EU.
I think the point is that few people carry their passport around with them on a day to day basis even in countries where they are very common.
I've lived in the UK and Oz and in both countries my drivers license stays in my wallet ready for when an over eager bouncer to ask me to prove my age or for when I sign up to a new video store on a whim. My passport pretty much stays at home unless I'm going to the airport.
I agree he's not selling it properly, but I would also say it's not actually that different to everything coming back to my email inbox and being remembered by my browser either. For me it's not a problem, perhaps for admins it is, which reminds me of the incessant caterwauling we used to have about "the spam problem" (which was often a mask for the micropayments movement). And people should reach for their gun when they hear people blabbering about ID centralisation, that's a good reaction. And considering there is a happy-go-lucky Belgian linking it to the government in the comments, I'd say they are right in some sense, it will embolden those who want the government to control everything on the Internet.
FTA: Now, I don't literally mean a driver's license. I'm using this term figuratively to mean online credentials that I can re-use in more than one place on the internet.
> It always pained me greatly that every rinky-dink website on the entire internet demanded that I create a special username and password just for them. ... For the vast, silent majority of normals, who know nothing of security but desire convenience above all, this means one thing: using the same username and password over and over. And it's probably a simple password, too.
> This is the status quo of identity on the internet. It is deeply and fundamentally broken.
What I do is, I have a couple of hard passwords that I use for email and Dropbox and important services like that, and then I have a couple of stupid usernames and passwords that I use and re-use and re-use for services whose security I don't care about. (I've arrived at this strategy after years of using the internet.)
A couple of times, I have actually tried to register an account with my usual username, found that the name was taken, wondered "Hmm, did I already create that account?", tried logging in with the usual password, and found that the login worked. "Oh, yeah, now I remember making that account..." I took this as a good sign, that I wasn't wasting brainspace on that login.
I think my strategy works fine for dealing with "a dozen websites who all want a username and password", given that only one or two of them are critical. And therefore I'd question the need to change, as opposed to people figuring out a strategy like mine and passing on the idea. Also, currently, anonymous throwaway accounts are easy to create; would it be that way if sites required something like OpenID? (I guess if the idea is just to reduce password complexity for customers, then sites could just add OpenID as a secondary means of logging in--rather than having it be the sole means--and you could still make throwaway accounts. Note that I don't know anything about OpenID; maybe there is a way to do anonymous throwaways within OpenID.)
I do this too. This system fails pretty badly when you encounter a site that insists on certain formats for their passwords. For example not allowing special characters.
Generally that's a red flag and I just don't use the site, but I don't always have that luxury. The service my company uses for performance evaluations has this limitation. Hmmm, a website I go to at most 3 times a year, requires a significantly complex password due to the site's nature, and yet won't let me use special characters making all my memorized "hard" passwords impossible? Yup, I have to request a new password everytime I visit it. Very annoying.
I use the same technique, but it suffers from usefulness-creep. I'll sign up for a service to play with it (like Reddit) and then it becomes a bigger part of my life -- all the while forgetting that my auto-saved password is "12345".
I miss the point why we really need some sort of "identity providers" when it's we who possess our own identities.
It's the login-password pairs which are inconvenient (and, a lot of time, insecure) part out there. So, logically, the straight answer seem to be to get rid of this part in favor of something more usable, users can possess to prove their identities. For example, improving browser support for public-key crypto and key storage (think HTML5 <keygen> element). However, world has gone in a completely different direction, created "identity providers", who now actually possess users' identities (so you don't own your identity anymore), and, as a result, introduced more failure points to the auth process.
OpenID is neat and convenient when done right, but it was just a protocol invented to sign comments at other persons' blogs. It was never meant for personal identity management and architecturally lacks a lot of important points for that. XRIs may be considered some sort of solution for that (I-numbers are guaranteed to be persistent), but still feel somehow wrong.
> However, world has gone in a completely different direction, created "identity providers"
That's because the question answered wasn't: "How do we solve the problem of user identity on the web?" The actual question answered was: "How do we solve the problem of user identity on the web using web services?" Once you define the problem that way, OpenID becomes the logical best solution. However, it's hardly the best way to do it in any general sense.
If I went to a party or a meetup where they asked to check my ID at the door I'd probably just walk out and never come back. I don't like parties run by the socially inept. Who asks their friends for an ID card?
I'm willing to show my ID at bars and airports, to cops, and when opening bank accounts, because it's the law. And at least most of these venues have excuses -- banks want to link large amounts of your money to your ID, so they need to make sure they've got it right; cars are deadly weapons; alcohol is a potentially deadly drug. (The airlines? They really love nontransferable tickets with big change fees. And security theater. And, uh, did we mention that it's the law?)
But in general nobody asks for your ID unless they have a good reason. And I just don't see a good reason why my as-yet-nonexistent Stack Overflow karma needs to be linked to any other aspect of my identity.
At least I have a straightforward answer to my question: No, the Stack Overflowers will not give me the simple username and password that I want. It's against their religion. Good to know. I'll ask again five years from now.
No need to log in; it is possible, and always has been possible, to participate as a cookie-based user indefinitely.
We have some users that juggle cookie based accounts for as long as a year. And as of about 6 months ago we can reinstate your cookie on the "forgot my login" form, provided you gave us a valid email address to start with (we don't validate emails).
Driver's License is the wrong metaphor for OpenID. If you had an Internet Driver's License, it would be your email address. You always have that with you at all times.
OpenID is more like a Von's Club card. An inconvenient scrap of plastic that would just take up space in my wallet so it gets left at home. Every time I go into a Vons, I have to ask the cashier for a new one and it pisses me off that little bit, just like every time I go to StackOverflow I need to dig though my email to figure out what OpenID provider I used to sign up for my account there.
Just like the Grocery Store Discount card, where I find myself more driving out of my way to go to a store that doesn't make me use one, I generally don't bother with sites that want me to dig out my OpenID just to use them.
Just curious: why use more than one OpenID account in the first place? I've genuinely never understood why people would do that. Am I missing something?
With all the little icons, I generally forget which one I clicked in the first place. Then I remember that I used Google's, but forget which email address. It's not so much forgetting because I have a bunch of OpenID accounts, it's that I don't use it enough to remember the one that I do use.
Just give me the "Save username and password" option in Firefox and I'm happy.
Have your saved username and passwords sync to the cloud, and you'll be even happier. Jeff is still beating a still-born horse here -- yes, a problem exists, but OpenID is the wrong solution.
I only have the one that I used to sign up for StackOverflow. Thus far nothing else has required it. Or rather, nothing else that requires it has been so compelling in other ways that I'm willing to put up with OpenID in order to use them.
Now that Gmail is a provider, the barrier is lower, but back then you had your pick of a half-dozen fly by night early adopter providers. So anybody who used it back then has at least one worthless OpenID.
Well, yes. You have to prove you're not a robot by passing a CAPTCHA test, many places (including Gmail) "require" you to be over 13, and from Google's TOS:
13.3 Google may at any time, terminate its legal agreement with you if:
So I think the metaphor fits quite nicely, don't you?
> So I think the metaphor fits quite nicely, don't you?
No, I can setup my own MTA, or get a cheap account at a random host which will provide me an MTA, and there are a billion services out there to get email addresses.
If you want to have freedom then you have to accept that a free life is a messy life.
I don't support centralized internet ID systems for the same reasons I don't support a national identity card: it's a central point of control that will inevitably be used by the government against its citizens and corporations for profiling and targeting all of us.
As much as it may appeal to the tech mind to have things in nice little boxes this is a terrible and dangerous idea.
That's why, in theory, I like OpenID. It's decentralized, anyone can be a provider, and I still choose when logging into your site which provider you should use to validate my credentials.
I'm not sure he's talking about a separate "Internet ID" that should exist. I think he's talking about websites adopting OpenID and/or OAuth as authentication methods, with a smaller number of trusted entities as authorities (Facebook, Twitter, Google, MyOpenID, Verisign, etc).
I'm not sure where people are getting this idea that he's talking about creating a new concept called an Internet Driver's License. He's just trying to encourage service providers to adopt OpenID/OAuth instead of traditional logins.
FTA: Now, I don't literally mean a driver's license. I'm using this term figuratively to mean online credentials that I can re-use in more than one place on the internet.
I'm flabbergasted that so many people heard "Internet Driver's License" and simply started frothing at the mouth. It's quite crass, in my opinion.
IMO, A big danger of implementing centralized authentication across multiple sites is that will make social engineering schemes aimed at stealing a user's credentials more plausible and effective.
I know that systems such as OpenID and others perform authentication directly between the user and thetrusted provider (google, facebook, twitter, etc), and that the site ends up with a one-time token that confirms the user's identity. The site requesting authentication never gets the actual password to the openID account, which makes this approach viable in a technical security sense.
But here's the thing: general users are getting used to entering their centralized credentials to perform actions on untrusted sites. Technical users understand the design. We can confirm that, yes, TwitScoop does indeed direct us to twitter.com/oauth/... (no HTTPS, but that's another story).
Regular users posting a comment on a blog, though, don't see any difference between giving their credentials to a trusted Google login site and entering their credentials into some form on a blog.
If, for example, logging in with Facebook credentials becomes common, it would be trivial to create a rogue blog which collects login information. Fill it with a few incendiary posts, possibly create an official-looking Facebook login page that doesn't display its URL, and it would be possible to capture quite a few sets of credentials.
Isn't one of the main benefits and best things about the internet is anonymity? Obviously FB and Twitter have information about my real identity, but why would Instapaper, or Reddit? Having a global login takes away that anonymity.
There's nothing stopping you from using an anonymous Twitter account to login if the site supports Twitter authentication.
Alternatively, MyOpenID and some other OpenID providers allow you to choose what pieces of data to present to the requesting site when asking you for permission to authenticate with them.
Facebook is another story, as they want every profile to correspond to a real-life human and only present an allow/deny choice for permissions to the requesting site instead of finer-grained access control.
The ability to be anonymous is an important one and should always remain available, but in general day to day usage anonymity is only used by people who don't want to take responsibility for their own actions (or words).
I see no problem with tying my offline identity to my online one.
Besides, if you wanted to disconnect the identities you just create multiple OpenIds for each identity you want to act out.
FTA: If all I want to do is leave a comment on a blog -- like, say, this one -- then one of the weaker forms of identity will surely do. If I'm starting a new bank account, or setting up a profile on a dating website, then maybe a stronger credential from my virtual wallet is necessary.
tl;dr: Jeff Atwood says websites should offer OpenID or OAuth authentication.
edit: ok, the sarcasm in this comment may justify it being downvoted, but can someone kindly explain what is being said in this article apart from: "having many logins/passwords for each site is not nice, we should all support OpenID/OAuth"? Because I really don't see any other piece of information.
Take this with a pinch of salt, because I didn't downvote your comment, but your comment doesn't add anything to the article. It's just noise and doesn't advance discussion.
Fair enough. I guess the merit of this article is to create the opportunity for this discussion.
Reminds me of someone (can't really find who now) who said a few months ago that HN is like going out for a movie and a dinner. The value of it isn't really the movie and the dinner, but the opportunity of discussions it creates.
I have all my logins saved in Firefox and there's not one site I'm using where Firefox is able to autocomplete OpenID details, it forces me to enter my ID, leave the page, authenticate with OpenID, go back and submit. It needs to either die or get way more convenient than this.
The problem is, a lot of the time I don't want my various internet IDs linked together - I want something more like the coffee club loyalty card for each website I visit. I definitely don't want facebook knowing which sites I use (frankly I don't trust them enough) and I'm not too keen on Google knowing either.
The crucial difference between a drivers license and some kind of centralised internet ID is that anyone can verify a drivers licence with a reasonable degree of accuracy - they don't need to contact the government each time to see if it's genuine.
With an internet ID the provider gets to collect a lot of information about me and what I'm doing (not saying they would, just saying they could), which makes me nervous.
I love the title "Internet Driver's License" - it's an analogy that I'm very fond of, but Open ID won't be the solution for this for the same reason the semantic web has never really gained any serious traction.
It takes private companies w/ consumer interests in mind to achieve that sort of global scale and user adoption. In this case, namely Facebook.
I don't like the idea of having one identifier which can be used to tie together all information about me - because linked data provides an unwarranted amount of power to people who have access to it.
I think 'an internet drivers license' would basically become an ID card.
Your email address probably already links all of your online accounts.
Unlike an ID card you can have as many OpenID accounts as you wish – they can be freely created just as easily as email addresses. The solution is the same as for email: Give a different account to each site.
Isn't the point of asking you to provide some credentials for a new site usually so they can use that contact info to push products at you in the future? An internet driver's license (and OpenID) defeat those purposes.
You really have to be behind the times to still be advocating OpenID. Technology is made up of alternatives, and one wins. No matter how much you love something, if it's dead, it's dead, now move on.
Every hyped technological product has a a short window in which to dominate, and if it does not, it will remain confined to a nice. That's the case with OpenID. It's over, the battle is lost. Same goes for RSS, DRMed music, Django, etc.
The coding horror guys made a poor technological decision. Instead of just giving up, they are doubling down on it. That's not very clever.
Huh? I'm confused. I still log in to all sorts of places with my Google account, including Hacker News. And... RSS is dead? Django is dead? I'm getting the sinking feeling that I'm being trolled right now, but...
You can be fully in control of your own OpenID if you want. Just host it on your own domain/server.
Or even easier: use delegation. Add some meta tags to the header of your blog (or any HTML page under your control), and sign up for sites using your blog URL as your OpenId.
See an example at my domain (the content is currently blank, but the meta tags are in the source code): http://jmh.id.au
I can sign up anywhere by typing in 'jmh.id.au', and it uses myopenid.com for login. If for some reason I didn't trust myopenid.com I can change providers by editing that page. So I'm not tied to any one provider.
The first is practical: you are not qualified to run OpenID on your server. Really, you're not. I'm not and I have actually implemented both OpenID providers and Relying Parties for clients before, at the old day job. If you run OpenID, you are exposed to every threat your OpenID provider is currently vulnerable to in perpetuity, unless you make it your mission in life to stay up to date on OpenID security. The people who actually do that missed a timing attack which compromised the security of nearly every OpenID-using system on the Internet. You will not do better than they did.
The second reason this is bad advice is because OpenID has a feature which should make it unnecessary: delegation, which lets you nominate any OpenID provider on the Internet as "your" provider. You are theoretically able to change that after having done it, so if you want to move your identity from Google to Yahoo you can. Delegation is a misfeature. It makes the OpenID spec roughly ten times more difficult to understand than it already was. Very few people implement delegation correctly -- of particular notice, very few relying parties implement it correctly, which means that when you come back in a few years with the same OpenID but a different underlying provider they have no recollection of you at all. That is a pretty bad failure mode for a federated authentication system, and many relying parties coded by smart people walk straight into it.
Then we come to the real meat of the matter: for an authentication system to be useful, you have to be able to use it without being able to implement it. OpenID is a user experience nightmare for non-technical users. Just the experience of actually logging in is bad enough. It also teaches your users to fall for phishing attacks against their holiest of holy credential, because every sane person uses OpenID through their email provider and OpenID teaches you that you can go to any random site, the screen is going to flash, and then you should type in your email address and password. This is phishing heaven, and losing one's email account means you lose practically your entire online identity (banks accounts, domain names, Google AdWords accounts, etc etc) even before OpenID explicitly makes your email king of all credentials.
I'm getting some cognitive dissonance here, since the grandparent says [I] use delegation and you say not to run your own server and to use delegation...
Anyway, is delegation going to get better, or should I not bother setting it up and just stick to using the same password for all my non-interesting sites? In particular, is it the site I delegate to, or the site I am authenticating myself to, or both, that can screw it up?
Sorry, that confusion was my fault: I posted the first line of my reply, and then realised I should mention delegation, so I edited it in. He must have loaded the page between the two.
Thanks for the reply patio, I haven't heard of the issues with delegation before.
Phishing attacks could definitely be a big potential problem. I'd be interested in seeing how much of the phishing and usability problems could be solved via good browser support for OpenId.
That is what your mother thinks of when she hears Driver's License. Why on earth would that be the branding you pick for OpenID or federated authentication? You are practically trolling your own idea at that point!
Observe the kinds of things people are going to say about any federated identity scheme which you call a License:
"Jeff Atwood thinks the government should be able to take away your Facebook account! He's fascist!" "I didn't say that!"
"Jeff Atwood thinks your mom shouldn't be allowed on the Internet until she stops calling it 'the Googles'! He's an elitist bastard!" "I didn't say that!"
"Jeff Atwood thinks that if you get kicked off a WoW server you should lose your Gmail account. He's in bed with corporate interests!" "I didn't say that!"