For a few years, OpenID has slowly, but steadily, built up momentum. If you've never heard of it, it's an open, distributed authentication system for websites. In other words, OpenID allows you to get single sign-on at any site that supports it, and it's open to being bridged to many other services that can authenticate your user information. There are privacy concerns about it, but those do not bother me much. Rather, the security issues are what I am concerned about.
See, OpenID allows you to enter your credentials into a website's authentication page, and then bounce them off another site's authentication framework. Using this, you can hit Google, Yahoo, AOL, and many others. These sites, in turn, give feedback to the OpenID framework at the site you are logging into. Now, if you use OpenID at a less-than-honest website, they can grab your credentials and use them to log into OpenID-enabled websites as you. The same problem exists in a more limited form with services like TypeKey.
The Achilles' heel of OpenID is that it is dependent on the integrity of the sites that people log into using it. Granted, much of the concern about OpenID could be taken care of by a two-pronged assault by the OpenID provider. First, expire a user's password every thirty to ninety days; second, make the user's contact information unchangeable. That way, if the user gets hacked in between password changes, they can at least request that a new password be sent to their (hopefully more secure) email address or by text message.
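To make the two-pronged mitigation concrete, here is an added example (not code from the post or from any OpenID provider) of a hypothetical provider-side account model: passwords older than ninety days stop authenticating, and the recovery contact is fixed at enrollment with no way to change it. The account name, addresses and passwords are constructed; the scenario function plays through a password captured by a dishonest site, rotated by the thief, and recovered by the owner through the unchangeable contact.

```python
import hashlib, hmac, os, secrets
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # upper end of the post's thirty-to-ninety-day window

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ProviderAccount:
    """Hypothetical provider-side account: the password expires, the recovery contact is fixed."""
    def __init__(self, recovery_contact: str, password: str, now: datetime):
        self.recovery_contact = recovery_contact  # set once at enrollment; deliberately no setter
        self._reset_code = None
        self._set_password(password, now)
    def _set_password(self, password: str, now: datetime) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.pw_changed = now
    def authenticate(self, password: str, now: datetime) -> str:
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return "bad_password"
        if now - self.pw_changed > MAX_PASSWORD_AGE:
            return "password_expired"  # provider must force a change before vouching for the user
        return "ok"
    def change_password(self, old: str, new: str, now: datetime) -> bool:  # any password holder can rotate
        if self.authenticate(old, now) == "bad_password":
            return False
        self._set_password(new, now)
        return True
    def request_reset(self) -> tuple[str, str]:
        self._reset_code = secrets.token_urlsafe(16)
        return self.recovery_contact, self._reset_code  # only ever delivered to the enrolled contact
    def reset_with_code(self, code: str, new: str, now: datetime) -> bool:
        if self._reset_code is None or not secrets.compare_digest(code, self._reset_code):
            return False
        self._set_password(new, now)
        self._reset_code = None
        return True

def stolen_password_scenario() -> dict:
    """Constructed scenario: a dishonest site captured the password and the thief changes it."""
    t0 = datetime(2008, 1, 1)
    acct = ProviderAccount("owner@example.org", "hunter2", t0)
    acct.change_password("hunter2", "attacker-pw", t0 + timedelta(days=1))
    contact, code = acct.request_reset()  # the owner asks for a reset; the code goes to the fixed contact
    acct.reset_with_code(code, "fresh-pw", t0 + timedelta(days=2))
    return {"reset_sent_to": contact,
            "thief_after": acct.authenticate("attacker-pw", t0 + timedelta(days=3)),
            "owner_after": acct.authenticate("fresh-pw", t0 + timedelta(days=3)),
            "owner_day_100": acct.authenticate("fresh-pw", t0 + timedelta(days=100))}
```

Because the reset code can only reach the enrolled contact, a thief who rotates the password cannot redirect recovery, and the expiry check shows the provider refusing to vouch for a password that has aged past the window.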