The Single Sign-On War Will Ruin OpenID

Josh Catone

Just two days after Microsoft announced plans to make over 420 million Windows Live ID accounts OpenID compatible, Google got in on the action as well. Google announced that starting today, Gmail accounts can now be used as OpenIDs. With Google’s announcement, the world’s top web properties — Google, Yahoo!, Microsoft, AOL, MySpace — are all now OpenID providers or will be soon. That should be a huge win for OpenID, but unfortunately, while the companies pay lip service to the idea of single sign-on, they’re still not truly getting behind the idea of OpenID.

The OpenID website describes the idea like this: “OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience. You get to choose the OpenID Provider that best meets your needs and most importantly that you trust.”

OpenID is supposed to be a completely open system that allows anyone to become a provider of URIs. OpenID is supposed to be above branded identity systems, because no matter who your provider, your credentials are supposed to work anywhere OpenID is accepted. Unfortunately, that’s not the vision that big sites are subscribing to.

Instead, Yahoo! and Google — and probably soon Microsoft — are locked in a battle to become the de facto OpenID provider. By refusing to become relying parties (i.e., refusing to authenticate OpenIDs from other providers on their own properties), the single sign-on utility is completely lost for users. As it stands, I still need a separate set of credentials to log into Gmail, MyYahoo!, and Windows Live Messenger (all services I use).

As Chris Messina writes: “While I’m sympathetic to [the] argument that more OPs is frankly better for the web, I’m not convinced that a Visa card is all that useful if none of the major department stores will accept it.”

Yahoo! and Google further belie their true goals in their attempts to obfuscate the OpenID brand by encouraging developers to add “Sign in with Yahoo!/Google” buttons and putting their own unique “spin” on OpenID (as some developers have begun to note, what Google announced today isn’t a pure OpenID implementation). Neither provides users with unique, claimed OpenID URIs. Rather, they use generic URLs as an API starting point that direct users to sign in with a more traditional username and password schema. That in and of itself may not be such a bad idea.

Edit: Technically, Yahoo! does provide users with a unique URI, but they’re not very user friendly, and it is not made readily clear to users where to find them — probably because Yahoo! would prefer that developers implement a “Sign in with Yahoo!” button.

The two-field “username” and “password” approach is so ingrained in the minds of users that a lot of people are confused when presented with an OpenID login form and don’t know how to proceed. Users in a recent Yahoo! usability test confirmed this, and many reported being confused when they weren’t presented with the password box they’re used to. Using email addresses in place of URIs for OpenID is something Chris Saad talked about in August.

However, Google and Yahoo! (and likely Microsoft to follow) are ultimately competing with one another to become the branded single sign-on solution for the web. The good news for users is that by using the same underlying technology, most relying parties will be able to turn on support for any new OpenID provider fairly easily. The bad news for users is that since none of the major providers are also relying parties, using services at each of these sites still requires multiple accounts. Further, a sign-in box with 100 different logos for 100 different providers isn’t a great user experience.