Feb 21
2008
OpenID is a Social Networking Nightmare Waiting to Happen
Posted by admin in social network, social bookmark, mistakes, evil
Phone number portability has been a boon to consumers and the mobile industry, so why will OpenID be a total disaster for social networking and social bookmarking if anyone is stupid enough to use it?
I'm an early adopter, but I've been kind of ignoring OpenID until I had time to really take a look at it.
This Woke Me Up
We got a LOT of hits on an article via a Russian Scuttle-based bookmarking site. So I was poking around to see if there were any smart ideas we could use, and I ran across their registration page.
Tell me (and nothing against the folks running this site, because I wouldn't know them from Adam's housecat): if you thought about it for 10 seconds, would you use your OpenID there?
Controls
When you switch your phone number from Verizon to Sprint there are elaborate checks and balances. Plus you know that the call center person isn't writing down your phone number so they can call the Maldives or something.
And if you use OpenID to sign in across your MyYahoo and Gmail accounts, that is probably OK, because those guys have lots of corporate controls in place.
You can read the Wikipedia article on OpenID to understand the types of technology controls built into the protocol (geek warning!).
Trust
At the end of the day you can really only use a site if you trust it. On Amazon many of us have our credit cards stored and one-click buying turned on. I use Overstock a lot, but I don't keep a credit card on file there. When I buy stuff from some smaller retailers I go get a one-use credit card number from my bank.
And you can only use OpenID as a single signon across sites if you trust it.
Single Signon Works in Corporations
Yes, we have it in our office too. But that is a trusted environment. How many of the websites that you regularly use are ones you would really trust? I say that because...
Accidents and Theft Will Happen
What happens when one of the issuing authorities has an, er, well, minor problem?
Like losing the tax records for the UK last November:
Britain's Revenue and Customs department is scrambling to find two discs that contained data on 25 million people.
How about if someone in a trusted position just steals it all. Never happen? Let me remind you of a story from a few years ago:
An engineer working for America Online was arrested yesterday and charged with stealing 92 million e-mail addresses of AOL customers and selling them to spammers that were peddling penis enlargement pills and online gambling sites.
Let's all remember that AOL lost all that before you could buy an 8 GB memory stick for $40 at Office-Stuff-R-Us.
Phishing is Easy
I get those so-called MasterCard or eBay emails all the time. Sometimes, if they look really good, I go visit to see what I can see. I got one from Malaysia the other day and their site had more than 100 pages that looked EXACTLY like the ones at Citibank.
Wow.
Oh, But They Have Lots of Security
They do, and if you google around a bit you'll find excellent articles like Radar's. And I think that the idea of layering lots of pieces of security (a picture you should see every time you log in, etc.) is good. It's like airport security: a hundred little barriers and places to make a mistake and get caught.
Some differences:
- You have to, as a user, be paying attention to see and use the security measures. A picture you are supposed to recognize only protects you if you notice when it is missing.
- The guy caught sneaking onto a plane with box cutters last week was risking physical detention. How are you going to catch some guy living in his mom's basement stealing OpenIDs via a phony soccer survey site?
What Would Your Momma Do?
Let's say your mom uses OpenID on LOLCats (it is embarrassing but true!) and one day she clicks on a banner ad for some site importing French cheese. They ask her to log in using her OpenID so she can fill out a "short" five-minute survey and earn a free pound of brie. While there they ask her to "update" some of her OpenID details. Nothing in the protocol stops that cheese site from sending her browser to a look-alike login page instead of her real provider; the only thing standing between her and a stolen login is whether she reads the address bar.
Did she notice and use the security features? Or did she just help someone order a dozen Garmin GPS units from Amazon using her one-click account?
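The following is an added example, not code from the original post or from any OpenID implementation. It plays out the scenario above in a toy OpenID 2.0 relying-party flow: an honest site discovers the provider endpoint from the user's own identifier page and redirects there, while a rogue site (the cheese survey) ignores discovery and redirects to a look-alike host. The last function is the check the user or a browser extension would have to perform: does the host I am being sent to match the provider my identifier page advertises? All host names, the identifier page HTML and the site URLs are constructed for the example.

```python
# Added example (not from the original post): a toy OpenID 2.0 relying-party
# flow next to the phishing variant, plus the address-bar check a user needs.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Constructed sample: what a user's OpenID identifier page might serve.
# Every host name here is hypothetical.
CLAIMED_ID = "https://alice.example-id.net/"
IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example-id.net/auth">
<link rel="openid2.local_id" href="https://alice.example-id.net/">
</head><body>alice</body></html>"""


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs (OpenID 2.0 HTML-based discovery)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if "rel" in a and "href" in a:
            for rel in a["rel"].split():
                self.links.setdefault(rel, a["href"])


def discover(identifier_html):
    """HTML discovery: returns (op_endpoint, local_id) from the user's identifier page."""
    p = _LinkCollector()
    p.feed(identifier_html)
    op = p.links.get("openid2.provider")
    if op is None:
        raise ValueError("no openid2.provider link on identifier page")
    return op, p.links.get("openid2.local_id")


def build_checkid_setup(op_endpoint, claimed_id, local_id, return_to, realm):
    """Builds the checkid_setup redirect URL the relying party sends the browser to."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def honest_rp_redirect(identifier_html, claimed_id, rp_base):
    """An honest relying party: discover the provider, then redirect there."""
    op, local_id = discover(identifier_html)
    return build_checkid_setup(op, claimed_id, local_id,
                               rp_base + "/openid/return", rp_base + "/")


def rogue_rp_redirect(claimed_id, rp_base):
    """The phishing variant: skip discovery and send the browser to a look-alike
    login page that will harvest the user's provider password."""
    fake_op = "https://op.example-id.net.login-verify.example/auth"  # hypothetical look-alike
    return build_checkid_setup(fake_op, claimed_id, claimed_id,
                               rp_base + "/openid/return", rp_base + "/")


def redirect_goes_to_my_provider(redirect_url, identifier_html):
    """The check the user (or a browser extension) must do by hand with plain OpenID:
    the redirect must be HTTPS and its full host must equal the host of the provider
    endpoint the user's own identifier page advertises. A look-alike that merely
    starts with the real name does not pass."""
    expected = urlparse(discover(identifier_html)[0])
    actual = urlparse(redirect_url)
    return actual.scheme == "https" and actual.hostname == expected.hostname


if __name__ == "__main__":
    honest = honest_rp_redirect(IDENTIFIER_PAGE, CLAIMED_ID, "https://lolcats.example")
    rogue = rogue_rp_redirect(CLAIMED_ID, "https://cheese-survey.example")
    print("honest redirect ->", urlparse(honest).hostname,
          "ok" if redirect_goes_to_my_provider(honest, IDENTIFIER_PAGE) else "MISMATCH")
    print("rogue  redirect ->", urlparse(rogue).hostname,
          "ok" if redirect_goes_to_my_provider(rogue, IDENTIFIER_PAGE) else "MISMATCH")
```

The point of the last function is that the protocol itself never runs it: the relying party chooses where the browser goes, so with plain OpenID the comparison happens in the user's head, or not at all.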
OpenID - Count Me Out
Remember what I said above: OpenID's security only works if you're paying attention, and if nobody steals or loses the information at a trusted center.
I am obviously going to give this a "pass" and I think you should too. I don't share passwords across sites, so that I'm insulated from just the kind of problems that are bound to occur with a system like OpenID.
I'm just wondering how long until the first big security breach happens.