The Single Sign-On War Will Ruin OpenID


Just two days after Microsoft announced plans to make over 420 million Windows Live ID accounts OpenID compatible, Google got in on the action as well. Google announced that starting today, Gmail accounts can now be used as OpenIDs. With Google’s announcement that means the world’s top web properties — Google, Yahoo!, Microsoft, AOL, MySpace — are all now OpenID providers or will be soon. That should be a huge win for OpenID, but unfortunately, while the companies pay lip service to the idea of single sign-on, they’re still not truly getting behind the idea of OpenID.

The OpenID website describes the idea like this: “OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience. You get to choose the OpenID Provider that best meets your needs and most importantly that you trust.”

OpenID is supposed to be a completely open system that allows anyone to become a provider of identifier URIs. OpenID is supposed to sit above branded identity systems, because no matter who your provider is, your credentials are supposed to work anywhere OpenID is accepted. Unfortunately, that’s not the vision the big sites are subscribing to.

Instead, Yahoo! and Google — and probably soon Microsoft — are locked in a battle to become the de facto OpenID provider. By refusing to become relying parties (i.e., refusing to accept OpenIDs issued by other providers on their own properties), they lose the single sign-on benefit for users entirely. As it stands, I still need a separate set of credentials to log into Gmail, MyYahoo!, and Windows Live Messenger (all services I use).

As Chris Messina writes: “While I’m sympathetic to [the] argument that more OPs is frankly better for the web, I’m not convinced that a Visa card is all that useful if none of the major department stores will accept it.”

Yahoo! and Google further betray their true goals in their attempts to obscure the OpenID brand by encouraging developers to add “Sign in with Yahoo!/Google” buttons and putting their own unique “spin” on OpenID (as some developers have begun to note, what Google announced today isn’t a pure OpenID implementation). Neither provides users with unique, claimed OpenID URIs. Rather, each publishes a generic URL as an API starting point; a relying party sends the user there, and the provider then has the user sign in with a traditional username and password and reports back which identity was authenticated. That in and of itself may not be such a bad idea.

Edit: Technically, Yahoo! does provide users with a unique URI, but the URIs are not very user-friendly, and it is not made readily clear to users where to find them — probably because Yahoo! would prefer that developers implement a “Sign in with Yahoo!” button.
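The “generic URL as an API starting point” flow above is what OpenID 2.0 calls directed identity: instead of a user-supplied identifier, the relying party sends the special identifier_select value to the provider’s endpoint, and the provider fills in the real claimed identifier in its signed response. The following is an added example of the relying-party side of that exchange, written here to illustrate the post; it is not code from the original post, from Google, or from Yahoo!. Field names and the signature format follow the OpenID Authentication 2.0 specification; the endpoint URLs, association MAC key, nonce and the discovery table are constructed for illustration, and real Yadis/HTML discovery is replaced by a dictionary lookup.

```python
"""Relying-party side of an OpenID 2.0 directed-identity sign-in (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed stand-in for Yadis/HTML discovery: claimed identifier -> OP endpoint.
CONSTRUCTED_DISCOVERY = {
    "https://alice.example.net/": "https://op.example.net/auth",
}


def discover(claimed_id):
    """Return the OP endpoint a claimed identifier delegates to (dict stand-in)."""
    return CONSTRUCTED_DISCOVERY.get(claimed_id)


def build_checkid_setup(op_endpoint, return_to, realm, assoc_handle, claimed_id=None):
    """Build the redirect URL the RP sends the browser to.

    With claimed_id=None the RP uses directed identity: openid.identity and
    openid.claimed_id are set to identifier_select and the OP substitutes the
    user's real identifier in its response. That is the mechanism behind a
    "Sign in with <provider>" button that starts from a generic endpoint URL.
    """
    identity = claimed_id or IDENTIFIER_SELECT
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def _kv_form(params, signed_fields):
    # Key-value form: one "key:value\n" line per signed field, "openid." prefix dropped.
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)


def sign_assertion(params, mac_key):
    """Base64 HMAC-SHA256 over the key-value form of the openid.signed fields."""
    signed_fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, _kv_form(params, signed_fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(params, mac_key, expected_return_to, expected_op_endpoint, seen_nonces):
    """Checks an RP must make on a positive assertion. Returns (ok, detail).

    mac_key is the secret of the association named by openid.assoc_handle
    (looked up from RP storage in a real deployment; passed in here).
    """
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed_fields = params.get("openid.signed", "").split(",")
    for field in ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity"):
        if field not in signed_fields:
            return False, f"{field} is not covered by the signature"
    if any("openid." + f not in params for f in signed_fields):
        return False, "openid.signed lists a field that is absent"
    if not hmac.compare_digest(sign_assertion(params, mac_key), params.get("openid.sig", "")):
        return False, "signature mismatch"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    if params["openid.op_endpoint"] != expected_op_endpoint:
        return False, "op_endpoint mismatch"
    if params["openid.response_nonce"] in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(params["openid.response_nonce"])
    claimed_id = params["openid.claimed_id"]
    # The RP never discovered this identifier itself (it sent identifier_select),
    # so it must discover it now and confirm it delegates to the asserting OP.
    # Skipping this lets any OP assert any identifier it likes.
    if claimed_id == IDENTIFIER_SELECT:
        return False, "OP did not substitute a real claimed_id"
    if discover(claimed_id) != params["openid.op_endpoint"]:
        return False, "claimed_id does not delegate to the asserting OP"
    return True, claimed_id


def sample_assertion(mac_key, claimed_id, nonce="2008-10-30T00:00:00Zabc"):
    """Constructed positive assertion, signed the way an OP would sign it."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/auth",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example.org/openid/return",
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign_assertion(params, mac_key)
    return params
```

The last check in verify_assertion is the one that matters most with a generic endpoint: because the RP never saw the claimed identifier before the provider filled it in, it has to discover that identifier itself and confirm it really delegates to the provider that signed the response. Without that step any provider could return a signed assertion for an identifier it does not control. Mature OpenID libraries perform this re-discovery for you; the point of spelling it out here is that a “Sign in with <provider>” button does not remove the need for it.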

The two-field “username” and “password” approach is so ingrained in the minds of users that a lot of people are confused when presented with an OpenID login form and don’t know how to proceed. Users in a recent Yahoo! usability test confirmed this, and many reported being confused when they weren’t presented with the password box they’re used to. Using email addresses in place of URIs for OpenID is something Chris Saad talked about in August.

However, Google and Yahoo! (and likely Microsoft to follow) are ultimately competing with one another to become the branded single sign-on solution for the web. The good news for users is that because the providers share the same underlying protocol, most relying parties will be able to turn on support for any new OpenID provider fairly easily. The bad news for users is that since none of the major providers are also relying parties, using the services at each of these sites still requires multiple accounts. Further, a sign-in box with 100 different logos for 100 different providers isn’t a great user experience.


  • http://www.sitepoint.com AlexW

    If they’re not going to play nice, they should leave OpenID alone. I use and love plenty of services from both Google and Yahoo! but frankly I’d prefer to keep my identity management separated from those monoliths.

    Chi.mp is still in beta, but is my pick at the moment.

  • roosevelt

    I guess both parties don’t know the true meaning of OpenID.

    There’s no point in implementing OpenID then; let’s see how it turns out.

  • Wardrop

    It’s just like the browser wars, everyone thinks that their own standards (for whatever reason) are better than the official W3C recommendations. Why is everything in life so frustrating, browsers, OpenID… what next, is someone going to bring out a cereal where you have to pour the cereal over the milk?

  • Twylite

    This is great news! OpenID will be fragmented and eventually die, leaving the market open for a secure standard that also has privacy guarding features.

  • http://www.cemerson.co.uk Stormrider

    The trouble is, if one of them says they will accept sign ins from other places, they won’t get any signups themselves because people could just use other providers instead of theirs.

    They all need to agree to accept others at once. It isn’t going to happen on its own.

  • futbalo.com

    They don’t want to fully implement the concept of OpenID because they are big fish who still want to be the center of a decentralized net. However, it doesn’t mean the concept of OpenID is screwed; let’s see how things evolve when that technology becomes mainstream.

  • Anonymous

    Otherwise if they are going to have their own then all pre-existing yahoo, or msn accounts should use the MSN or Yahoo provider but new logins should be accepted from anywhere.

  • Deron Meranda

    Just to present the other side. There are some reasonable arguments for why the big players should be cautious in being RPs too.

    It may defeat some of their anti-spammer mechanisms surrounding the prevention of bulk or automated account creation. This can probably be solved with OpenID, but it does require some non-trivial attention.

    Most people only have one account at one of the big players; sure technical people may have multiple accounts at Yahoo!, Google, etc…, but I think that is pretty rare. So for the people who only use one email account, they just won’t see the problem of still having to remember multiple passwords.

    If one of their email accounts gets hacked, they may have some legal liability, or at least bad PR to contend with. It’s bad enough when Yahoo! gets a lot of bad press when Palin’s account was cracked; imagine what would happen if a third-party OP was also in the mix. Yahoo! would still get all the bad attention, but the breach wouldn’t even be their fault or under their control.

    Also, the big guys are, hopefully, much more security savvy than smaller sites. They have the capacity to correctly and securely manage logins, encrypt passwords, deal with password recovery, protect against bot accounts, and so on. Also they tend to be a little more protective of users’ privacy (or at least have more money and layers); sure it’s not perfect, but Google is going to resist pretty hard when some company says it needs the name of the user for an account, without some sort of legal warrant. I’m not sure all the smaller OPs out there are as “secure” or trustworthy, so the big players should be concerned that this could jeopardize their users’ privacy when they outsource authentication to another party.

    This is not to say that we shouldn’t pressure them to become RPs as well, but we should appreciate that there are some special circumstances for them that need some careful thought. I think some of that is just a matter of time, allowing OpenID to mature more.

    Also, unless you are one of the few big players (Google, Yahoo!), then you should be an RP. The arguments for being an OP only are not nearly as defensible.

    Deron Meranda

  • Stop Tracking me

    Who cares, you shouldn’t require any authentication for a user to post. I shouldn’t have to provide you with any details in order for me to communicate and point out why your post is:
    * dumb
    * wrong
    * not worth posting
    * a silly idea

    etc. It is up to the author to filter their own work; they shouldn’t be filtering their feedback.

  • Will Norris

    I would highly recommend everyone watch the latest episode of TheSocialWeb.tv, in which Eric Sachs of Google talks about their OpenID. Google is not opposed to being a consumer of externally authenticated users (in fact, they already DO with Google Apps)… there are just much more difficult problems when the service provider doesn’t have a way to directly authenticate the user.

    http://www.thesocialweb.tv/blog/2008/10/episode-16-open.html

  • http://www.sitepoint.com AlexW

    It is up to the author to filter their own work; they shouldn’t be filtering their feedback.

    Because it’s everyone’s god-given right to spam and troll! You’ll get my submit button when you pry it from my cold dead fingers.

  • Joseph Engo

    I am a big supporter of OpenID, I use it in all of my projects. However, what Google is doing is NOT supporting OpenID. They are taking an open specification and destroying it with their own vision. Sorry, it doesn’t work that way. Either you want to support OpenID or you don’t.

    If Google or MSN want to create their own system, go for it. But claiming it’s OpenID is bullshit.

    Yahoo is pulling the same crap. Requesting developers put a “sign in with Yahoo” logo is retarded and defeats the point.