Despite wave after wave of phishing attacks, almost every Web site in existence uses insecure username/password for its only form of authentication. Why? Because there aren’t enough users who are familiar with advanced AuthC systems like client-side certs or biometrics to justify building the software to support those techniques. Why don’t users use those systems? Because there aren’t enough sites that require them. It’s a chicken-and-egg problem.

OpenID outsources the authentication process as a Web service. Because of this, the OpenID provider can use whatever AuthC system their customers want. Users can finally take their client-side certs and use them to login to thousands of OpenID-enabled sites — without those sites knowing anything about SSL or encryption.

I’ve started an OpenID provider called https://certifi.ca/ that uses only SSL certs for authentication. There are no passwords, never. The setup for certs a few steps more than setting up a username/password account, but the ease-of-use once you’re registered is considerably better. And that’s only possible through OpenID — if I was going to wait for major sites to implement SSL authentication, I’d be a long time waiting.