What is the benefit of using ONLY OpenID authentication on a site?
- by Peter
From my experience with OpenID, I see a number of significant downsides:
Adds a Single Point of Failure to the site
It is not a failure that can be fixed by the site even if detected. If the OpenID provider is down for three days, what recourse does the site have to allow its users to log in and access the information they own?
Takes a user to another site's content every time they log on to your site
Even if the OpenID provider does not have an error, the user is redirected to their site to log in. The login page has content and links. So there is a chance a user will actually be drawn away from the site to go down the Internet rabbit hole.
Why would I want to send my users to another company's website?
[Note: my provider no longer does this and seems to have fixed this problem (for now).]
Adds a non-trivial amount of time to the signup
To sign up with the site a new user is forced to read a new standard, choose a provider, and sign up. Standards are something that the technical people should agree to in order to make a user experience frictionless. They are not something that should be thrust on the users.
It is a Phisher's Dream
OpenID is incredibly insecure and stealing the person's ID as they log in is trivially easy. [Taken from David Arno's answer below.]
For all of the downside, the one upside is to allow users to have fewer logins on the Internet. If a site has opt-in for OpenID then users who want that feature can use it.
What I would like to understand is:
What benefit does a site get for making OpenID mandatory?