OpenID has been around for half a decade now. First developed in 2005 by Brad Fitzpatrick, it has received much attention and massive adoption. At least on paper. But are you using OpenID for anything? Why not?
We recently had the opportunity to analyze the database of a SaaS provider with more than 3,000 active business accounts. The analysis showed that out of those accounts, only 1 percent were using OpenID to log into the application. And when we looked a bit further into those accounts, only one or two users had it configured on their user record.
There may be hundreds of millions of OpenIDs in circulation, but people are not using them, at least not for business use. Here are some reasons why:
- OpenID URLs are hard to remember and must be entered upon logging in to a site
- An extra off-site authentication step is required to grant permission to the site
- Most people are unaware that they even have an OpenID
- OpenIDs are usually personal and not owned by the organization
The big advantage of OpenID is that it takes the password out of the loop, but the user experience is usually not great. We would like to change that. OneLogin is an OpenID provider and all of our users are automatically issued an OpenID like this:
The URL is a little long, but it shouldn’t matter since it doesn’t have to be typed in during the login process. Once the OpenID is provisioned in an app, the user can log in by simply selecting the app on the OneLogin dashboard. This is possible because OneLogin both provides the OpenID to the app and handles all the back-channel communication with the app.
This makes for a great OpenID experience. In summary, OpenID with OneLogin has the following benefits:
- Users do not need to know their OpenID
- Password-less login
- Organization owns the employee’s OpenID identity for its business apps
- Effective phishing prevention
- Can be combined with strong authentication
We use OpenID wherever possible now. That was not the case in the past.