Why I'm against OpenID Whitelisting

So let’s talk about what OpenID whitelisting really is. It’s essentially a way of saying we don’t trust our users to store their identity securely and we’re not ready to deal with what happens when they lose it. Which really isn’t anything new. Right?

Today we trust users with their passwords, but only because we haven’t figured out how to tattoo it on their forehead in a way that prevents sharing. We also trust users to choose a reliable email provider so that when they forget the password to our site we have a way to help them retrieve it. Again we don’t really like giving the user such great responsibility, we just haven’t come up with a way to trust them less.

We trust users as long as they play within the padded walls we enclose them in. Whitelisting is essentially adding padded rooms to the places we let our users into, when all they really need is a helmet and some knee pads.

If it’s truly a matter of not trusting all of the identity providers out there, then maybe we should be focusing on ways to assert and secure that trust instead of choosing sides and picking partners. Maybe it means certification or accreditation; certainly not my favorite solution, but at least it establishes a level playing field and gives the user some real options that actually reduce their current username/password problems. This way we trust our users to choose as long as we have control and/or reassurance that the choices they have to pick from are good ones. But none of this is necessary provided we actually trust users to manage their own identity in the first place.

If we really want to build a user-centric single-sign-on solution then we have to start taking off the training wheels and give users some control of their identity. I understand it’s a scary world out there, but let’s focus on ways to protect them instead of sheltering them.