OpenID Needs to Start Getting Real

By Josh Catone

As we noted in our year-end roundup, 2008 was a good year for OpenID on paper, but the emergence of other, corporate-backed single sign-on products means icy waters ahead. Specifically, we’ve talked about Facebook Connect and why it might end up the winner because it makes sense to consumers, and comes with social data attached. For developers, Facebook Connect is attractive as well because it comes with a built-in marketing channel — user actions on external sites using Connect can be reported back to their friends on Facebook via the news feed.

In order for OpenID to compete on this new playing field, the OpenID Foundation needs to stop dragging their feet and start working on efforts to educate people about what OpenID is. On the technical side, OpenID is more or less a sound protocol — there hasn’t been any foot dragging there, but on the consumer outreach side, they’re getting beat. Badly.

Most people have no clue what OpenID is, even though many of them actually have OpenID-enabled accounts. Everyone who uses Facebook (which is a lot of people), on the other hand, understands what Facebook is and knows what “login with Facebook” means. OpenID needs to work hard to change that in 2009.

Unfortunately, it appears that the people behind OpenID might be asleep at the wheel in some respects. While Facebook is pushing hard to get Connect out there (and Google is doing the same with Friend Connect — which actually includes OpenID), OpenID is, as Nick O’Neill puts it, “organizing the organizers,” referring to the recent OpenID Foundation community board elections that were held last week.

“I used to be a huge advocate of OpenID and I honestly believe that there is still a lot of movement going on. Unfortunately though I think the group is over planning and under executing,” says O’Neill. “While some large organizations (Yahoo! included) are supporting the identity standard, there is still a lack of general consumer education. Without that there is no way OpenID can compete with Facebook Connect and other new standards.”

Fellow blogger Allen Stern shares some of the same concerns about OpenID. “It’s more likely that the average Internet user will understand the Facebook Connect process than the OpenID process. This is why OpenID must focus on marketing and usability more than technical standards at this time,” he writes.

What the OpenID Foundation needs to do is start “getting real.” Getting real is a business philosophy from 37signals, a successful web application software company based in Chicago. Though there’s a lot more to their idea, one of the main themes essentially boils down to this: stop screwing around with all the stuff that doesn’t matter and just wastes time (like politics and meetings), and start doing the stuff that needs to get done (like building your app). Don’t worry about the details until people are already using what you’re selling.

I agree with O’Neill that so far the OpenID Foundation seems to be spending too much time on organizational stuff, and not enough time on actually doing what needs to get done. In a chapter of their book “Getting Real,” 37signals talks about how meetings can kill productivity. “Every minute you avoid spending in a meeting is a minute you can get real work done instead,” they write. From my admittedly outsider’s vantage point, it appears that the people behind OpenID are getting too caught up in the organizational stuff, getting too lost in the details, and not spending enough time on execution.

My perspective, of course, is that of an outsider. I’m not privy to what’s going on behind closed doors, so to speak. So my perception of what’s really going on could be off. But at this point in the game, public perception is what it’s all about.

  • roosevelt

    OpenID needs a new nickname in my opinion. In one of the previous blog posts I mentioned some of my clients don’t have any clue what open source is or how centralized login systems work, but surprisingly when I told them about Facebook Connect, it made sense to them.

    We should use names that are appealing to average computer users, not something that sounds technical.

    For instance, when you hear or read the word ‘OpenID’, it says nothing to the end user, unless you know more or less about open source and login ID systems.

    But with Facebook Connect, you can guess that it’s a login system powered by a Facebook user ID. Also, Facebook is well publicized, so users are more familiar with it.

    I believe OpenID advertised mostly to technical audiences.

    For instance, I read about OpenID in different developer blogs/websites but I don’t recall reading about it in a regular blog where average users hang out (e.g. General Computer Support), or didn’t see any ads that say something like, “Log in to your favorite website with just one username and password, today,” etc.

  • terence

    What they need to do is put a nice branded colourful OpenID logo above all the Username: fields on the OpenID sites. Problem solved.

  • I’m a user and general fan of Facebook, but mixing social networking and the keys to my login life feels a bit creepy. I’ll be using OpenID as long as they’re around and developers keep supporting it.

    Emphasis on developer support.

  • mathieuf

    The concept of a single login/password for getting access to all my web sites is appealing. Another player in this field is password managing software. I have chosen not to wait for OpenID or any other, and by using password managing software I get most of the benefits of OpenID yet I retain control.

    I feel more secure using a local password safe with my encrypted passwords. If a keylogger steals my OpenID login/password, all of my accounts are open. This is more likely than hacking my password file.

    Using an OpenID type of login for social sites is nice, but I want to use something different for my banking and other sites. A password manager lets me do this.

    The password manager tool I use is Password Safe. It interacts nicely with any browser. (I did not say seamlessly.) If I do get an OpenID or a Facebook Connect ID, I will still store it in my password safe.

  • @mathieuf – Interesting point. I use the password manager 1Password, and the best part about it is the ‘strong password generator’ that allows me to create a great, unique password for each site.

    The downside to this is the difficulty in logging in from a computer other than my own. Thankfully 1Password has an iPhone app that allows me to keep my passwords with me on the road.

  • graphicmist

    Commenting on this post, I have to register to siteform. Don’t you think SitePoint should give the OpenID facility for logging in, and it will help in promoting OpenID?

  • roosevelt

    Yeah, I guess SitePoint surely can help OpenID become more practical :p, implement it!

  • graphicmist

    One killer app which allows login only through OpenID and that’s all, everything is set then…

  • Brian Kissel

    For anyone who is interested in providing feedback on how to improve the OpenID user experience, there is a mailing list at the OpenID Foundation’s website here.
    UserVoice, Interscope, or Mixx may be good examples of a better user experience. While Facebook has done a great job with Facebook Connect, it’s proprietary and doesn’t enable a unified registration and login experience across all the possible accounts that site visitors may have when they show up at a given website.

    RPX attempts to leverage the best of OpenID and proprietary authentication offerings into one easy to deploy and use solution. There is more information about RPX; the data it supports; reviews by AOL, Facebook, and MySpace; and some case studies on the benefits of OpenID (including 37 Signals) here. There is also a review by John McCrae of Plaxo here.

  • OpenID describes exactly what it is/does. It doesn’t need a name change. The fact that it’s not tied to any particular brand/product/service is the whole idea!

    I agree with terence – a simple logo should appear wherever it is used. Clicking it should take the user to a simple explanation and links to additional information.

  • Dimitris

    OpenID is fundamentally broken because it requires URLs as usernames. Try to explain to non-technical people that their user name should be or worse instead of plain “averagejoe”. It will never work that way.

    A name should be a name and nothing more! Even I cannot justify why my name needs to have a networking protocol scheme and a DNS name and possibly a TCP port in it.

  • graphicmist

    doesn’t enable a unified registration and login experience across all the possible accounts that site visitors may have when they show up at a given website.

    @brian what do you mean by unified registration and login experience?

  • SpacePhoenix

    I personally would never trust any system for allowing log-in to many websites by one login. If for whatever reason a person gets their login compromised then they get their login for multiple sites compromised in one hit; at least with separate logins for each site, only the login for a particular site would get compromised.

  • graphicmist

    If for whatever reason a person gets their login compromised then they get their login for multiple sites compromised in one hit, at least with separate logins for each site, only the login for a particular site would get compromised.

    Does anyone know what the developers of OpenID are doing for it? It’s really a big issue…

  • roosevelt

    I have to agree with graphicmist on this, it certainly is a big risk.

    It’s one of the reasons why I am not using OpenID myself, even though I acknowledge its benefits.

    What if someone from OpenID itself hacks into my account and gets access to some other membership websites?

    Perhaps it’s the reason why OpenID is still taking time testing and figuring out solutions for the worst case scenarios.

  • OpenId is fundamentally broken because it requires URLs as usernames.

    But you don’t have to show people that. Yahoo are doing this really well — if you’re using Yahoo as an OpenID server, you *could* enter an OpenID, but you don’t have to. You can just enter

  • graphicmist

    Yes, I agree with raena, and Yahoo also generates you a random, very long OpenID… I think for security purposes…

  • Chris Messina

    Just a few points.

    First, I wrote about the “eggs in one basket” argument against OpenID here:

    If you use one email address for signing up for new services, OpenID is no worse for you (in fact, it could be better, since OpenID works over secure connections, whereas email doesn’t always).

    Second, with regards to URLs as usernames — email addresses already play that role, and we’re working to enable email addresses as OpenIDs in OpenID 2.1. I think with MySpace, we’re going to see people finally able to think of identifying themselves by URLs. For now, for a lot of folks, it’s probably awkward, but eventually I think people will be able to tell someone else that they are “factoryjoe” on — and voila, they’re using URLs to identify themselves.

    Third, OpenID won’t just be about logins in the future. It’ll be the way that you point to your data across web services, like people do with their c: drives today. What do you do when you have photos on Flickr, videos on YouTube, friends on MySpace, posts on Tumblr and Twitter and you want to access them on some new service? Do you really want to specify each of those accounts individually? Using a technology called “Discovery” on your OpenID, you can point to all of them — and choose who gets to see what data.

    It’s a little ways off still, but I think if you look out far enough, you can start to see how useful OpenID will become.

  • Huyng

    I agree with what spigot said above… I like the fact that openid service providers such as provide authentication without any implicit linking to your highly personal gmail or facebook accounts.

    This article makes a good point about focusing on marketing. I just wrote a post on how the OpenID movement could explain its concept better

  • RaBu

    As I see it, Facebook Connect is just a rework of Beacon – where they have put something on top, to take the focus away from the hidden marketing part! The users don’t think of that when they see that they “just are able to login with Facebook”.

    People are bragging at Google for too much tracking, saving their cookies for too long and in general being big-brother, I think this scenario is worse… but that’s just my point of view!

    Oh, and by the way Josh – OpenID is not a “company”, it’s community driven and built on an open-source idea, so it’s also your responsibility to take action and contribute in case you think there is something wrong or something could be done better.
