OpenID Providers should allow users multiple identifiers

9th Mar 2007

A murmur of discontent is emerging about the fact that OpenID identifiers could be used to link users' accounts between sites. Obviously many people don't want their personas in certain contexts linked to their personas in other contexts. For example, I keep distinct my persona as an employee of my employer and my persona as an open source contributor.

This situation is already catered for by OpenID, however. There is absolutely no reason why there has to be a one-to-one mapping between identifiers and people. I've already lost count of the number of identifiers I have at my disposal. It wouldn't be hard for my employer to give OpenID identifiers to every employee for use at work.

It can't be argued, though, that managing multiple identifiers isn't a pain right now. Most OpenID Providers will only allow you a single identifier per user account, and will only let you be logged in to one account at a time. If I want to be both and I must go through the tedium of repeatedly logging in and out of MyOpenID each time I wish to switch personas. However, this problem is easily remedied: MyOpenID (and all other providers!) should let me add aliases to my account. These would be completely distinct identifiers, but they would be attached to my single user account. I can then decide on a site-by-site basis which identifier to present, and MyOpenID will authorize whichever one I choose.

Once OpenID 2.0 is deployed pervasively the new “directed identity” feature has the potential to make this even smoother by letting you enter your provider's own identifier into the OpenID login box rather than choosing one of your own. This allows your provider to remember for you which identifiers you used with which sites, and potentially to instantly generate a one-shot identifier intended only for one specific site that is still connected to your single user account at your provider.

Using OpenID puts the decision in the user's hands as to whether to link personas across sites. I consider the cross-site applicability of OpenID identifiers to be a feature, not a bug.
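As an added illustration of the alias and directed-identity ideas above (example code written for this page, not MyOpenID's or any OpenID library's own), here is a provider-side chooser: one account owns several distinct identifiers, the provider remembers which one was presented to which relying party (keyed by the realm of the `return_to` URL), and for a site it has never seen it mints a site-specific identifier that is still tied to the single account. The class and function names and the keyed-hash derivation are assumptions for this example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed example: an OpenID Provider account with multiple aliases.
# Class/function names and the HMAC-based derivation are assumptions made
# for this illustration, not part of the OpenID specification.

class Account:
    def __init__(self, handle, aliases, secret):
        self.handle = handle
        self.aliases = set(aliases)   # distinct identifiers, one user account
        self.secret = secret          # per-account key used to derive site ids
        self.used_at = {}             # realm -> identifier last presented there

    def select_identifier(self, return_to, choice=None):
        """Pick the identifier to assert to the RP behind `return_to`.

        An explicit choice wins (it must be one of this account's aliases);
        otherwise reuse whatever was used for this realm before; otherwise
        mint a site-specific identifier that other realms cannot correlate.
        """
        realm = realm_of(return_to)
        if choice is not None:
            if choice not in self.aliases:
                raise ValueError("identifier not owned by this account")
            ident = choice
        elif realm in self.used_at:
            ident = self.used_at[realm]
        else:
            ident = self.directed_identifier(realm)
            self.aliases.add(ident)
        self.used_at[realm] = ident
        return ident

    def directed_identifier(self, realm, base="https://op.example/id/"):
        # Keyed hash: stable for (account, realm), but two RPs cannot link
        # their values to each other without the account secret.
        tag = hmac.new(self.secret, realm.encode(), hashlib.sha256).hexdigest()[:20]
        return base + tag

def realm_of(return_to):
    # The site is identified by scheme + host of return_to; the path is
    # irrelevant for remembering which identifier was used where.
    u = urlparse(return_to)
    return f"{u.scheme}://{u.netloc}/"
```

The privacy property holds only as long as the account secret stays on the provider; the derived identifiers are otherwise just opaque URLs under the provider's domain.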


  • (comment with no subject)

    has that already.

    The problem with having multiple identities is the need for remembering which identity you use where. If they are catered by a single provider, an identity previously used for the realm should probably get automagically selected...
    By Dmitry Shechtman at 08:20 pm on 9th Mar 2007
    • (comment with no subject)

      That is the purpose of the directed identity feature: you tell the RP the URL of your OP, and then the OP helps you select an appropriate identifier.

      They do all have to be at the same provider, of course. If you've got them across multiple providers, this is less of an issue anyway since you can stay logged in to them all.

      By Martin Atkins at 09:03 pm on 9th Mar 2007
      • (comment with no subject)

        Actually, you don't need the directed whatever thingy. You could simply examine return_to.

        Multiple providers are worse, because you have to remember which provider you used on which RP.

        I say stick to a single good provider (hypothetical for now) and let it do the remembering job.
        By Dmitry Shechtman at 12:30 am on 10th Mar 2007
        • (comment with no subject)

          Of course, for privacy purposes a “good” provider is one that has a sufficiently large userbase that you can't be identified as the same user by correlation.

          By Martin Atkins at 12:47 am on 10th Mar 2007