Monday, August 20, 2012

#OpenID for the USERS of #Wikipedia, PLEASE

Again a discussion about the use of OpenID for the Wikimedia projects flared up. From my perspective the one perspective missing is the one of a computer user who is fed up with the failed security that is provided by passwords.

The problem is that systemmanagers only consider security in isolation. It is the solution that is to be adopted for their system or systems. Obviously in a perfect world, a user will have a separate password for each website or program. The world is not perfect and most people use one or a few passwords for everything. The world is not perfect and passwords of many big websites have been uncovered by hackers. Consequently many passwords used by Wikimedia contributors can easily be guessed by the bad guy who are in the know.

The problem with passwords for a user is that they are unmanageable. Too many systems and websites, too many interfaces seriously impact the security wherever passwords are implemented to provide security. It is theatre and the fool is the part you have to play.

OpenID provides a serious alternative. It allows for a single place with a single password that authenticates to any and all websites and services that accept security in this way.  It is a serious alternative as long as any and all accept other OpenID. It will be really welcome when the WMF considers security for its 456 M users. It is obvious that a large percentage also frequent websites like LinkedIn and solidify the argument to implement OpenID.


Ryan Lane said...

The topic came up again and it ended in the same state because no one has solutions to the usability issues surrounding it.

Rather than continuing to complain about the lack of OpenID, how about working on solutions to blockers of an implementation? Provide some mockups, solve the nascar problem, get someone to work on proper integration with central auth (or a central auth replacement) that also takes in mind the idea of the Wikimedia Library.

OpenID simply doesn't buy us much without solving the usability issues. If anything it'll make things worse. It its current implementation you're asking us to purposely make the site harder to use. That's just not going to happen.

Bawolff said...

I was going to write something here, but Ryan already said everything I wanted to but better.

GerardM said...

It would be welcome when the issue raised is acknowledged. My appreciation of the potential issues raised is very much one where the real issue of security theatre is ignored. It is what we all do is the impression given.

I would welcome the WMF security guy to refute the logic of my opinion with arguments that relate to security.

Also please define "us". I am not with you when you include me in your assessment. Your "us" is WMF ops, not WMF users in my opinion.

Ryan Lane said...

It doesn't buy us, the community, much. In fact, it would do the exact opposite if it was deployed without the usability issues solved. It would complicate the process of logging in and creating accounts. That's the exact opposite of what we should be doing.

As I mentioned, put some effort into fixing the usability issues. They are *incredibly difficult*.