From a website owner standpoint, it's so hard to implement, both technically and conceptually (tying into my sites regular registration flow) that it just convolutes the process for the user.

For example, as far as I know since the last time I attempted implementing openID, the only info I am guaranteed to receive from an openID identified user is their identifier. So if my site collects email addresses or any other info, I would have to have them enter that anyways.

In most cases OpenID registration actually takes longer, just so the user can use one account password.

The biggest trouble was when I tried to associate multiple IDs with my StackOverflow.com account -- ended up they had a bug and it was fixed within a day.

My browser keeps my login state and I don't want to figure something out to replace something that works pretty well.

And the "don't delegate to somebody you don't trust" model? Even the most trustworthy of companies can implode and reboot and sell off all sorts of data on their users.

Sure, I can delegate. Not.

I have my own OpenID server. I don't use it.

I do not believe anything more than an email address and service-specific password should be sufficient to authenticate me - like StackOverflow uses with their OpenID setup.

If a site asks me my OpenID URL or identifier or other thing, I don't bother, as it's too much work.

I toyed with the idea of adding OpenID to my various projects, but haven't, and don't intend to, but my apps are targeted towards a different audience than yours.

That is OpenIDs big flaw... How many average web users do you know that remember a url? Most of them head to google to find sites they know well.

This is why facebook connect and the like are more popular; they are easy.

And the provider implementation is my own, running on a server I have physical access to, with a self-signed certificate.

I mean, if I'm registering at a new website, it seems considerably easier to enter one item -- my OpenID identifier -- and then be immediately verified, rather than go through the "enter email address -> get confirmation email -> click on confirmation link -> choose new password -> hope that the site is compatible with Firefox's password manager so I don't have to enter it every time" treadmill for each site.

So, explain to me, what makes you complain so much about using an OpenID?

I think StackOverflow is a good example of how confusing it can be. Their wall of possible ways to login is very confusing. Yes, I actually have accounts with ALL those sites listed... but which one did I setup for StackOverflow? If I pick an OpenID provider that wasn't associated with StackOverflow it starts to create a NEW account for me. Not what I wanted!

In the end, an Email and Password with my browser remembering it works just fine.

I also prefer email because I have a set of spam/anonymous addresses I can use to test sites that I don't trust quite yet with my real information. Having spam/anonymous OpenID accounts would be a real mess to manage.

StackOverflow lets me pick a max of two OpenIDs. But why not instead let me specify an infinite number of verified email addresses to login with instead?

I'm not sure if one of the goals of OpenID is to show that I'm the same user across multiple sites. That's a feature I'm sometimes interested in with certain sites and sometimes absolutely not interested in with others.

  1. finding software (I chose phpMyId, which is relatively easy to install and use)
  2. installing software (in case of phpMyId unpacking a file)
  3. configuring software (in case of phpMyId editing index.php)
  4. (optional) setting up delegation by editing an HTML file

Registering on a site which doesn't have OpenID is three steps, or five when e-mail addresses are involved:

  1. enter username
  2. enter password
  3. (sometimes) enter e-mail address
  4. hit submit
  5. (sometimes) click link in e-mail message

Registering at an OpenID site:

  1. enter OpenID URL
  2. (sometimes) enter e-mail address
  3. hit submit
  (3a. wait for OpenID redirect which is annoying and usually results in being
       distracted)
  4. hit "OK" on browser authentication dialogue (asked for by phpMyId, browser
     saved password)
  5. (sometimes) verify e-mail address

  1. press Opera's "Log in" button, which auto-fills the login form and submits it.

  1. enter OpenID url (auto-completed, but still requires a switch from mouse to
     keyboard)
  (1a. usually wait for redirect etc.)
  2. press "OK" on browser authentication window

Also, were you aware that, for instance, on Facebook, you are automatically logged in whenever you are also logged in to your OpenID provider?

If you give people an opportunity to make a judgement, some will always take it, regardless of whether a judgement makes sense or not.

And that's one of the reasons I don't want to use OpenID.

The internet is full of this braindead social shit. It's only a question of time until somebody comes up with the idea to aggregate all the meaningless karma across many sites. And it's only a question of time until that super karma score is quoted on your resume together with how many "followers", "friends" or other kind of nonsensical internet money you have accumulated ... by hook or crook.

Gaining insight, asking questions, having a debate, making judgements, pushing an agenda, feeling good about judging others without making a case for or against anything. These things all get mixed up relentlessly in these primitive voting schemes.

And not even the smart people who make this website seem to realise what an intellectual mess their Frankenstein game theory is. Or maybe they do but still think it's worth it.

I disagree. The filtering effect of all these voting schemes is next to worthless. It creates more perverse incentives than positive ones. It's getting totally out of control. Millions of people are morphing into one man/woman cynical self marketing machines collecting fake internet money.

I'm waiting for the world's first karma inflation crisis :-)

I'm currently building an app that relies solely on OpenID for user auth. I chose to enable only these sites, so that (a) users are not required to supply/complete a URL, and (b) there isn't the "which OpenID did I use this site?" when a user returns to it after a while.

It's fine if that's what you expose by default, but you really do need to give the user a checkbox or something so they can input their own if they have one. I have an OpenID I use everywhere, if I come to one of your sites and end up using my google ID instead it will cause me nothing but frustration and end up being less secure.

In fact I'd probably not login to your site because of this if I didn't have a compelling reason to do so.

Even for an OpenID-savvy user, why would it be frustrating or less secure to login via Google? If someone got my Gmail password, sites like mine would be the least of my worries..

Google uses a singular URL for all identities that OpenID consumers use to discover the true user identity, which is unique per user per consumer domain.

I have used it and logged on to stackoverflow.com. It does work.

I always use Facebook Connect (via Facebooker plugin) over OpenID authentication. The adoption rate and viral advantages of Facebook are unmatched.

I hope openid becomes mainstream some day, I really like logging in once, and I really like being able to log in to a new site without having to register.

Thanks for voting and commenting, this has given me a really good idea of what direction I should go in when I revamp my application's authentication.