OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.
A nerd will wrinkle up his nose at these [non-OpenID] solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways.
Let's think about that one for a second. I find this rather typical of Facebook's attitude in general—a monomaniacal focus on increasing engagement or whatever metrics, a complete disregard for externalities and an arrogant rejection of any sort of social responsibility. This is what makes them so successful as well as so dangerous to the rest of the ecosystem.
He talks about a problem that most people don't have, and then goes on to state nerds turn a nose up at "security vulnerabilities".
At the core, it's a problem that most people do in fact have; it just is not presented to them in a fashion that is easy to digest, or even tasty enough to consider ordering from a menu. The typical computer user doesn't think about what happens to their password in transit; they enter it, hit enter and say a short prayer that they didn't typo so they can get where they want to go, and get on with life.
If the OpenID marketing initiative had focused MORE on the "stop remembering passwords" a little harder than they had, maybe it'd still be relevant outside of tech circles.
And furthermore, building on the "solution [...] to a problem that most people don't really have":
Didn't Facebook essentially go about solving that "problem" themselves, albeit packaged up in a nice wrapper with your friends and social profile as the adhesive tape?
OpenID was a failure from the start, and that's ignoring all the problems that happened around the project (e.g. at SXIP).
For one, it was too limited in scope: it assumed it would operate only within a traditional browser, that cookies are the only place you ever need to store information and that the user is always there to authorize every single action. You can't use OpenID to delegate or automate anything and OpenID just doesn't work well e.g. in desktop apps or on mobile devices. It's locked to one particular interaction flow, and it's not even a good one.
For another, the whole thing was designed by and for people who run websites. 99.99% of the world does not have their own personal domain and the idea of using a URL as their identity was just confusing and weird. Features like delegating your identity using HTML Meta tags on your site are misguided toys for tech nerds with no real world relevance.
Finally, the parts of OpenID that would actually be interesting, i.e. the selective, automatic sharing of information between sites to avoid long signups, never went anywhere, ensuring there would be no actual benefit for the end user for using OpenID.
Facebook didn't just bring a solution that solved all of this, with Facebook Connect and OpenGraph, but they also delivered the user-base to go with it. Think of all the bad privacy PR that Facebook has gotten... has it dented their image? Nope. Because FB connect is too valuable in keeping the barrier of entry low. When given the option, people prefer FB connect.
The point about security isn't that it doesn't matter, but that OpenID is a completely secure solution that nobody really wants to use. Anyone who knows crypto can design a secure handshake, but it takes a lot more to design something that people actually want to use.
Facebook didn't just bring a solution that solved all of this, with Facebook Connect and OpenGraph, but they also delivered the user-base to go with it. Think of all the bad privacy PR that Facebook has gotten... has it dented their image? Nope. Because FB connect is too valuable in keeping the barrier of entry low. When given the option, people prefer FB connect.
EXCELLENT rebuttal, I hadn't thought to look at FB Connect like this with my original comment.
A rejection that's also just flat wrong in some places. Sure, the first OpenID-enabled site you visit asks you to set up an account on a 3rd-party service. Once you've done that, all subsequent OpenID sites require no new accounts. So it's a one-time cost.
Some quotes:
OpenID is the worst possible "solution" I have ever seen in my entire life to a problem that most people don't really have.
A nerd will wrinkle up his nose at these [non-OpenID] solutions and grumble about the "security vulnerabilities" (and they'll be right, technically) but the truth is that these solutions get people into the site and doing what they want and no one really cares about security anyways.
Let's think about that one for a second. I find this rather typical of Facebook's attitude in general—a monomaniacal focus on increasing engagement or whatever metrics, a complete disregard for externalities and an arrogant rejection of any sort of social responsibility. This is what makes them so successful as well as so dangerous to the rest of the ecosystem.