Microsoft Jumps on OpenID Bandwagon

Is OpenID finally mainstream now? Microsoft announced today that it will be enabling all Windows Live ID accounts — of which there are more than 420 million users — with the ability to log in to OpenID web sites. Microsoft announced the availability of a Community Technology Preview (their word for beta) of the Windows Live ID OpenID Provider.

Microsoft sang high praises for OpenID in a blogged announcement. Said Microsoft’s Jorgen Thelin, “OpenID is an emerging, de facto standard Web protocol for user authentication.”

Microsoft expects to roll out full OpenID support sometime in 2009. Like Yahoo!, which announced support for OpenID last January, Microsoft will be an OpenID provider, but it doesn’t appear that it will be a “relying party” — in other words, it seems likely that you won’t be able to sign in to Microsoft properties using an OpenID obtained elsewhere.

That’s kind of a bummer, because OpenID only works completely if providers that also offer user services become relying parties as well. Everything needs to be two-way.

OpenID is Getting Big, But Still Isn’t Mainstream

With support from Microsoft and Yahoo! there are now likely north of three quarters of a billion OpenID-enabled logins out there. There is definitely overlap (I have both a Windows Live ID and a Yahoo! ID, for example, and I am sure that many people do), but even so, Microsoft and Yahoo! are two of the largest online ID providers on the web, so these are big wins for OpenID.

But OpenID still isn’t mainstream. As a Yahoo! user experience study revealed a couple of weeks ago, OpenID just hasn’t been sold well to the public. Adding 420 million new OpenID-enabled accounts doesn’t fix the marketing problem.

Take, for example, Microsoft’s instructions to test out the current technology preview of the OpenID Provider program for Live ID:

  1. Go to https://login.live-int.com/ and use the sign-up button to set up a Windows Live ID test account in the INT environment.
  2. Go to https://login.live-int.com/beta/ManageOpenID.srf to set up your OpenID test alias.
  3. At any Web site that supports OpenID 2.0, type openid.live-INT.com in the OpenID login box to sign in to that site by means of your Windows Live ID OpenID alias.

Certainly, turning on OpenID will be easier once Microsoft’s support goes into production sometime next year, but even so, the conventions for using OpenID on the user end are just too alien for many users. Most OpenID login boxes look like the one depicted below:

That’s not the type of sign-on form that most people are used to. The two-field “username” and “password” approach is so ingrained in the minds of users that a lot of people are confused when presented with an OpenID login form and don’t know how to proceed. Users in Yahoo!’s test confirmed this, and many reported being confused when they weren’t presented with the password box they’re used to.

“The key takeaway [from Yahoo!'s study] is probably that even if OpenID is ready for the mainstream, the mainstream doesn’t seem to be ready for OpenID,” we wrote earlier this month. “It could definitely benefit from being simplified (in terms of both signing up and signing in), but the main thing that needs to happen for average users to begin to adopt OpenID is that it needs to be pitched in a completely different way.”

David Recordon, who is on the OpenID Foundation board, noted in the comments of our post that OpenID is still in the early adopter phase of the traditional adoption curve. So looking at the pure numbers of OpenID enabled accounts is misleading — the mainstream isn’t yet using OpenID.

As we wrote a couple of weeks ago, OpenID is fundamentally a sound idea, but for many users the implementation has been far from ideal, and the sales pitch has been terrible. Further, without large OpenID providers like Microsoft and Yahoo! also becoming relying parties, the key benefit for users — that you can use your single OpenID to log into all the sites you use — is lost. Yahoo! advised that publishers “promote the utility, not the technology” of OpenID. When the utility is lost, the pitch to the mainstream becomes impossible, however.

  • roosevelt

    Awesome, sounds good :). But it’s a bit pointless if we can’t log in to Microsoft sites with an OpenID obtained elsewhere.

  • http://pelicansareevil.com Bling

    “OpenID is fundamentally a sound idea”. OpenID is good in theory, and that’s where it should end. The whole system is based on trust. As it was clearly pointed out at Web Directions South, OpenID shouldn’t be used by Banking Systems or any high level security system. If they can’t recommend it for banking solutions, it can’t be all that secure then.

    Not to mention anyone can host an OpenID server. Anyone… This means people without any idea of basic security principles.

  • Sojan80

    I’d agree… Isn’t the whole purpose behind OpenID one web, one sign-on? I mean so now what, we need two OpenID accounts? It’s a bit like screen doors on submarines if you ask me.

  • http://m2i3.com myrdhrin

    @Bling

    Unless I’m mistaken, whichever site accepts an OpenID can choose which sources it will accept or not, making the point of “anyone can host an OpenID server” moot.

    Authentication is based on trust anyway. The user signing in on your website is trusting you won’t do any harm with the information they gave you. The certification provided by a CA Root is only as valid as the trust you put in that CA.

    OpenID is not different at that level. What I see happening is a list of servers that cannot be trusted and that websites should/could ignore.

    Jean-Marc
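The relying-party side of the point made above (a site choosing which providers it accepts) and of the login step in the article (typing an identifier such as openid.live-INT.com into the OpenID box), as an added example that is not part of the original post or of any provider’s code: normalize the typed OpenID 2.0 identifier per section 7.2 of the spec, then check the provider endpoint that discovery returned against an allowlist. Discovery itself (Yadis/HTML lookup, redirect following) is not performed here, and the trusted-host values are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI identifiers start with one of these global context symbols.
XRI_GLOBAL_CONTEXT_SYMBOLS = ("=", "@", "+", "$", "!")

# Constructed sample allowlist; a real relying party configures its own.
TRUSTED_OP_HOSTS = {"login.live-int.com", "op.example-provider.test"}


def normalize_identifier(user_input: str) -> str:
    """Normalize what the user typed into the OpenID box (OpenID 2.0, s. 7.2).

    XRIs lose any 'xri://' prefix and are returned as-is. Anything else is a
    URL: a missing scheme becomes http://, the fragment is dropped, scheme and
    host are lowercased and an empty path becomes '/'. The redirect-following
    part of discovery is deliberately left out so this runs offline.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s.startswith(XRI_GLOBAL_CONTEXT_SYMBOLS):
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("unsupported identifier scheme: %r" % parts.scheme)
    host = parts.netloc.lower()
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def op_endpoint_trusted(op_endpoint_url: str, trusted_hosts=TRUSTED_OP_HOSTS) -> bool:
    """Allowlist check applied to the OP endpoint URL that discovery returned.

    A claimed identifier may delegate to any provider, so the check is made on
    the discovered provider endpoint, never on the identifier the user typed.
    Only https endpoints whose host is on the allowlist are accepted.
    """
    parts = urlsplit(op_endpoint_url)
    host = parts.hostname
    return parts.scheme == "https" and host is not None and host.lower() in trusted_hosts


if __name__ == "__main__":
    # Constructed inputs: the article's test identifier and a sample endpoint.
    print(normalize_identifier("openid.live-INT.com"))
    print(op_endpoint_trusted("https://login.live-int.com/openid/"))
    print(op_endpoint_trusted("http://login.live-int.com/openid/"))
```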

  • Anthony

    @myrdhrin

    So this is a process of trial and error? An OpenID host becomes compromised, it gets blacklisted / never to be ‘trusted’ again?

    I wonder how many innocent people’s lives will be destroyed during the process, what with their bank account, business, etc. logins having been stolen.

  • http://pelicansareevil.com Bling

    You always need some level of trust in a security system. I have to trust (to some level) that when someone logs into my website they are who they say they are. They have to trust that I take their security seriously.

    If you do some research on basic security principles, you want to keep the trust to a minimum. To use an analogy, think of trust like links in a chain. Not only is the chain as strong as the weakest link, but the more links you have, the greater the chance of it breaking.

  • Rowland Watkins

    While having yet another provider is an additional tick in the box, there remain fundamental issues regarding OpenID’s susceptibility to third-party phishing attacks and DNS poisoning. Coupled to this is the problem that while there are numerous OpenID providers, few Relying Parties are prepared to accept arbitrary assertions from the ABC Provider – also noted by @Bling. OpenID then becomes less secure and no better than the likes of Shibboleth, which at least is based on SAML and PKI standards (OASIS and IETF).

    @Bling makes some good points about trust. Ultimately, in the real world trust is defined through business relationships and the EULA a user has with a Relying Party. Users need to understand that they have responsibilities based on the identity assertion that has been given to them by the “identity provider” (federated or otherwise).

    OpenID still shows itself to be a community effort, rather than a concerted force to improve a user’s experience of so-called single sign-on – this is clear from its origins. Surely it would be more appropriate to send the specs to OASIS or W3C and bring the larger community in?

  • http://m2i3.com myrdhrin

    Well said Bling…

    Anothony… I don’t want to sound harsh, but those “innocent people” have to take responsibility at some point for their online identity. As we have to take responsibility for educating them.

    A cheap lock would not be considered the safe way to lock away your money… why would an account at a “cheap” OpenID host be any safer?

  • http://m2i3.com myrdhrin

    Anthony… sorry for the typo in your name