The noise and interest around OpenID, a distributed and open lightweight identity system, has been growing for a few years now, but my sense is that it has dramatically accelerated in recent months. So much so that things are starting to feel really, really close. And by that I mean that all it takes now is for one "big player" to jump on the OpenID bandwagon. OpenID will then either take off or fall flat on its face.
Everyone is waiting. Who will it be? I don't know.
That aside, my money is on OpenID succeeding. It may not be a roaring success, but a population of very active web users will adopt it nearly overnight. We all hate having to invent Yet Another Username/Password Pair to try out some new service. Sure, site developers can use something like Google's Account Authentication or Yahoo's BBAuth, but many would prefer to use a vendor neutral standard. Can you blame them?
The odds of OpenID succeeding for real mainstream users, however, depend on it being simple and relatively idiot-proof. I believe that a few simple usability improvements to the OpenID 2.0 spec will greatly improve those odds. Unsurprisingly, they're derived mainly from the last 10 years' worth of experience and lessons learned in making web browsers more usable by humans who don't know what "http://" means.
I've been thinking about this off and on for the last few months and will post about those ideas in the coming days. Hopefully some of you will help to sanity check and maybe even improve them.
Related Reading
- OpenID on Wikipedia is a short summary of the history and technology behind OpenID
- MyOpenID is a free OpenID server you can use
- OpenID for non-SuperUsers is where Sam Ruby explains how to begin using OpenID on your blog or web site
- How to turn your blog into an OpenID is where Simon Willison attacks the same problem. I rather like his own implementation, BTW.
- How to use OpenID is a screencast that Simon produced that walks through the basics of OpenID from a user's point of view. Watch it if you haven't.
- OpenID Specifications is where the latest spec documents live. Currently that's 2.0 draft 11.
- Planet OpenID aggregates lots of OpenID related news and blog posts
Posted by jzawodn at January 18, 2007 06:55 AM
I wonder why companies like Yahoo and/or Google are not jumping on this wagon.
I know Microsoft showed some interest in that.
Generally speaking, it should be fairly simple for both Yahoo and Google to support OpenID with little effort while still enabling users to use their Yahoo Mail/Gmail user name and password.
And with the help of delegation users will feel more comfortable using their current account while still retaining the ability to change them and still use the same URI for authentication.
The problem starts with users without URIs and at that point inames should come in. But inames cost money and I doubt most people will even bother getting an iname just for the sake of having it.
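The delegation the comment above relies on, shown as an added example that is not part of the original post or any comment: a relying party fetches the user's claimed URL and reads the `openid.server` / `openid.delegate` link tags (OpenID 2.0 calls them `openid2.provider` / `openid2.local_id`), so the user can later move providers without changing the URI they log in with. The sample HTML and host names are constructed.

```python
from html.parser import HTMLParser

# Constructed sample: the <head> of a blog that delegates its OpenID to a
# hosted provider, the way "turn your blog into an OpenID" setups do.
SAMPLE_BLOG_HTML = """<html><head>
<title>Alice's blog</title>
<link rel="openid.server" href="https://provider.example.test/server">
<link rel="openid.delegate" href="https://provider.example.test/alice">
</head><body><p>Post body; link tags down here must be ignored.</p>
<link rel="openid.server" href="https://other.example.test/server">
</body></html>"""


class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags, but only those inside <head>."""

    def __init__(self):
        super().__init__()
        self.links, self.in_head = {}, False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a.get("href"))  # first one wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_url, page_html):
    """Return the provider endpoint and the identifier to send to it, or None.

    The relying party must fetch claimed_url itself and take the endpoint from
    that page, never from the login form. Limiting the search to <head> keeps
    user-contributed body content (comments) from redirecting discovery.
    """
    p = _HeadLinks()
    p.feed(page_html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    if not endpoint:
        return None
    # Delegation: the provider knows the user as local_id, while the relying
    # party keeps claimed_url as the identity it records for the account.
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate") or claimed_url)
    return {"endpoint": endpoint, "claimed_id": claimed_url, "local_id": local_id}


if __name__ == "__main__":
    print(discover("https://alice-blog.example.test/", SAMPLE_BLOG_HTML))
```

After the provider signs the response, the relying party still has to check that the identity it asserts matches the `local_id` obtained from this discovery step before trusting it.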
OpenID will take off when folks have to use it. Meaning, when some new web service comes along, and OpenID is their authentication mechanism. Not just an alternative, but their ONLY authentication mechanism.
Well, what happens if an OpenID user violates TOS at domain.com -- does the user lose their login privileges only at domain.com or at all domains? If the former, domain.com has to implement their own identity management anyway. If the latter, better hope that all the adopters are 100% effective with 0 false positives in identifying TOS violators.
Better hope that the openid providers all have equally strong mass account creation prevention techniques too. If one provider is not using all the best practices, all the bad guys will flock there.
"The odds of OpenID succeeding for real mainstream users, however, depends on it being simple and relatively idiot-proof."
I completely agree with that.
One question, wouldn't it make more sense if OpenIDs were assigned/hosted through an organization(s) and not a company such as JanRain/Microsoft/Yahoo/Google/etc. Then again, the idea of being able to choose where to store your identity is neat.
I really look forward to your posts on this!
Cheers,
Greg
The bad guys don't need to flock to the one bad provider, they can flock to their own server. If the two examples in the video (LiveJournal and MyOpenID) are anything to go by, identity theft through fake sites will be a big issue: neither seemed to implement a shared secret technology to obviously confirm to the user that they were really giving their password to the site hosting their ID. So random web sites asking you to log in seem like a big threat until the providers secure themselves against one of the most commonly used attacks today.
Another trust threat to it is if sites start sharing the IDs used to log into them with the marketing and profiling companies, as happens now in some cases with proprietary IDs. That would presumably undermine trust as it becomes primarily used as one huge cross-site user tracking system and people reject it to dodge this. Personally, I want to be able to generate and use a unique identity for every site I log in to that can't be resolved to a unique identifier.
For me at least, it still has some way to go before I'll be interested in using it. At the moment the requirement to share my ID with all sites and facilitate tracking strongly discourages me and I'll actively avoid it.
However, within networks of trusted sites - say across all of the federated sites hosted by the Wikimedia Foundation - it seems like a good and useful idea that can preserve the individual logins while still providing login via a single account: the OpenID account.
You're not alone in your concern about OpenID user experience issues. There's a mailing list that has been created (thanks to Chris Messina for leading the charge on that) as well as discussions going on with Mozilla about how we can work with Firefox 3.0. Phishing is a big deal and always the "gotcha" in the OpenID world ... if we can solve it with some client-side help, it would go a long way towards answering that.
In any case, I look forward to hearing your thoughts in the coming days. Thanks for the post Jeremy.
Why OpenID and not Yahoo's own 'bbauth'?
According to the bbauth page, SSO is a feature offered by bbauth implementation.
http://developer.yahoo.com/auth/
"BBAuth also offers a Single Sign-On (SSO) facility so that existing Yahoo! users can use your services without having to complete yet another registration process."
However, according to searches in the mail archive, not many people are having luck with it:
http://tech.groups.yahoo.com/group/ydn-auth/msearch?query=SSO
Jeremy, is YDN considering bagging BBAuth in favor of OpenID support? Or has YDN cleaned up the SSO facility in BBAuth to a point where it's at least as usable as OpenID or TypeKey?
Thanks for your post on this Jeremy -- this does much to alleviate my earlier paranoid delusions. ;)
All the same, I'd love to see some Yahoo! properties take the jump and implement OpenID -- if only to see how it plays in the wild.
I also think that Yahoo as an IdP could have huge ramifications (for the better) -- but I think you're right -- OpenID has a long way to go and a lot of questions to answer before I think you'd feel comfortable making that move.
Even still, I'd love to see you adopt OpenID on your blog as a start. I added BBAuth to my blog (bugs and all) but the pickup has been minimal. It's a thought anyway.
I think OpenID needs an important enterprise to bet on it.
Some information about OpenID in Spanish
As you know, VeriSign is very active both in the drafting/facilitating of the specification as well as hosting a free OpenID server which users can use at:
Thanks.
Does OpenID give you access to your visitors' email addresses and names?
If they don't - that's a big deal. It takes a while to build a community and if you can't have the contact info for your members, then that would be a major disadvantage.
"...to obviously confirm to the user that they were really giving their password to the site hosting their ID."
Ever heard of the location bar? You know, that thing that shows the URL of the current page that no browser lets JavaScript change...?
Also VeriSign's PIP (http://pip.verisignlabs.com) is a "free OpenID server you can use". In addition to the standard OpenID support, VeriSign has also added support for Microsoft's CardSpace and integrated their VIP token support for 2-factor authentication (you can use your PayPal token here). VeriSign has also developed a Firefox extension called SeatBelt which attempts to minimize phishing attacks and also has a nice form-filling feature.