Although OpenID’s ubiquity is still growing, we already live in a world of “single sign-on,” if on a much smaller scale. Take Google for example: your one Google account authenticates you to your email, RSS feeds, stocks, AdSense, Analytics, and anything else you use. While that makes life easy for you, that one login also exposes your entire history across all the services you use. If someone else got hold of your login information, they could change the password and your alternative email address so that you would be unable to log in to or recover your account. Worse, if your login details were stolen because, for example, you were using Google Talk, it’s not just your Google Talk account that you would have lost: it’s your entire Google account.
However, I think there’s an easy solution to this. On a well-configured Linux system, you don’t log in as root unless you intend to modify some important part of the system. By sticking to a lowly, regular user account, you don’t give yourself privileges that you do not need. This model could work just as well for website logins. You would keep the same login name, but services should allow their users to assign alternative passwords that each carry a different set of credentials. For example, my second password would only allow me access to my messenger account and nothing more. If that password gets stolen, I can log in with my “root” password and remove the compromised login. My contacts may have been deleted or stolen, but the attacker never had access to my email account.
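The model described above, as an added illustration that is not part of the original post: one login name backed by several passwords, where the “root” password grants every service and each alternative password grants only the services it was created for. Only the root password can add or revoke an alternative password, so a stolen messenger password can be cut off without touching anything else. The class name, labels, service names and the sample passwords are all hypothetical and constructed for this example.

```python
import hashlib
import hmac
import os

# Hypothetical account store demonstrating least-privilege logins:
# one account, several passwords, each bound to a set of services.
class ScopedCredentialStore:
    ROOT = "root"           # label of the all-powerful password
    ALL_SERVICES = "*"      # wildcard scope granted only to root

    def __init__(self, root_password: str):
        # label -> (salt, password hash, frozenset of granted services)
        self._creds = {}
        self._store(self.ROOT, root_password, {self.ALL_SERVICES})

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a leaked store does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, label: str, password: str, scopes) -> None:
        salt = os.urandom(16)
        self._creds[label] = (salt, self._hash(password, salt), frozenset(scopes))

    def authenticate(self, password: str):
        """Return (label, scopes) for whichever stored password matches, or None.
        The login name is shared, so the password alone selects the credential."""
        for label, (salt, digest, scopes) in self._creds.items():
            if hmac.compare_digest(self._hash(password, salt), digest):
                return label, scopes
        return None

    def authorize(self, password: str, service: str) -> bool:
        """True only if the password is valid AND its scope covers the service."""
        result = self.authenticate(password)
        if result is None:
            return False
        _, scopes = result
        return self.ALL_SERVICES in scopes or service in scopes

    def _require_root(self, password: str) -> None:
        result = self.authenticate(password)
        if result is None or result[0] != self.ROOT:
            raise PermissionError("root password required")

    def add_scoped_password(self, root_password: str, label: str,
                            new_password: str, scopes) -> None:
        """Create an alternative password limited to the given services."""
        self._require_root(root_password)
        if label == self.ROOT or self.ALL_SERVICES in scopes:
            raise ValueError("scoped passwords may not be root or wildcard")
        self._store(label, new_password, scopes)

    def revoke(self, root_password: str, label: str) -> None:
        """Remove a compromised alternative password; root itself cannot be revoked."""
        self._require_root(root_password)
        if label == self.ROOT:
            raise ValueError("cannot revoke the root password")
        self._creds.pop(label, None)

    def labels(self):
        return sorted(self._creds)


if __name__ == "__main__":
    # Constructed sample passwords; never hard-code real ones.
    store = ScopedCredentialStore("root-pw-example")
    store.add_scoped_password("root-pw-example", "messenger",
                              "im-pw-example", {"messenger"})
    print("messenger pw -> messenger:", store.authorize("im-pw-example", "messenger"))
    print("messenger pw -> email:    ", store.authorize("im-pw-example", "email"))
    print("root pw -> email:         ", store.authorize("root-pw-example", "email"))
    # The IM password leaked: revoke it with root, email was never exposed.
    store.revoke("root-pw-example", "messenger")
    print("after revoke:             ", store.authorize("im-pw-example", "messenger"))
```

Because all passwords share one login name, `authenticate` tries each stored hash in turn; that is fine for a handful of alternative passwords but means the server does one slow hash per stored credential per login attempt, which is why the iteration count here is kept modest.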
I think it’s a novel idea. Now, if only MSN and Google would implement it! That way, I might be able to use one of the only decent IM programs for Pocket PC (they all connect through the program vendor’s proxy, which is exactly where a full-access password would be exposed).