Ma.gnolia moves to OpenID-only sign ups

Ma.gnolia’s not the first to move to OpenID-only signups, but perhaps one of the first to remove the ability to create new Ma.gnolia-only accounts in favor of the alternative.

If you previously created a Ma.gnolia account you can still sign in with your email address or username and password, but new accounts must be generated using remote credentials from services like Facebook or Yahoo!, or with any OpenID.

This approach offers a couple benefits as well as drawbacks. It’s important to think through these issues from a number of perspectives (users, community, developers and site owners/maintainers) and to think about what this might mean for similarly narrow applications in the future (Ma.gnolia is a social bookmarking site and, like Twitter, does one thing pretty well and sports a number of capable APIs for extending the service).


For existing Ma.gnolia users, not much has changed besides the sign in experience. Once you’ve set your default sign in interface (i.e. OpenID, Yahoo!, Facebook, old skool Ma.gnolia, etc), you shouldn’t need to worry about this choice again, unless you clear your cookies or use a new computer. Once signed in, you use Ma.gnolia as you always would.

The difference comes for new users signing in for the first time. Rather than going through that old dance of providing an email address, waiting for the confirmation, clicking through the confirmation link, filling in your profile, uploading an avatar, blah blah blah, you simply click a button or enter your OpenID URL, confirm your account on your identity provider, return to Ma.gnolia and you’re set. Depending on how you’ve set up your remote account, Ma.gnolia could import your avatar, your name, your email address and other demographic details, which you can customize later, all in one fell swoop.

Now the big question of course is: what happens if someone comes to Ma.gnolia to sign up and doesn’t have a remote account or doesn’t want to use one of their existing accounts?

On the first point, with Yahoo’s adoption of OpenID earlier this year, and AOL, LiveJournal, and Flickr (among others), we have pretty good coverage for most people. Add Facebook accounts into the mix, and most of the folks who will be signing up for Ma.gnolia will probably have another account hosted elsewhere that they can reuse. And signing up for a new OpenID account elsewhere, at sites like ClickPass, Vidoop or MyOpenID, is barely less convenient than the old process for creating a new Ma.gnolia account (and the process for obtaining an OpenID will probably get consistently easier over time anyway).

But what if you don’t want to use an existing account, either because you’re worried about associating your other online activities with your bookmarks, or you prefer to keep facets of your identity separate in different contexts? Well, there are two answers here: 1) too bad because, well, Ma.gnolia doesn’t really “need” new signups (more on this later), and besides, it turns out that most of Ma.gnolia’s OpenID users to date (sure, the early adopters) have shown higher engagement and therefore represent higher value to the overall community; and 2) not too bad if you use ClickPass, Yahoo! or another identity provider that supports directed identity, a feature that essentially assigns a unique OpenID URL for each new service that you sign up for, keeping your online activities discreet unless or until you choose to unify them.


The benefit to the community here is somewhat speculative, but I can say that there is increasing value in knowing if user_x on one system is the same user_x on another system, and not just due to an accidental (or intentional) name collision. Since Ma.gnolia will now have a verified identity URL for each of its members, it will conceivably be easier to evaluate whether the factoryjoe you’ve stumbled upon is me or not, since I’m the only person who can sign in against my OpenID URL.

This has benefits for the existing group functionality and for contact lists in Ma.gnolia, so that, as you begin to grow an external contact list of URLs for people, Ma.gnolia could watch your list and then alert you when new friends show up and start participating on Ma.gnolia, along the lines of the feature that Dopplr just released and that Facebook has begun offering.

Once Ma.gnolia is able to identify its users from external networks, implicit reputation will emerge in the minds of users who can recognize their friends from other networks. Again, if I’ve identified myself to Ma.gnolia as, anyone who uses OpenID on their blog and has seen me leave a comment with my OpenID will have a pretext for interacting with and connecting to me. As it is today, it’s completely hit or miss whether I’ll remember or recognize someone on Ma.gnolia unless they use the same avatar that they use in other social networking contexts — and while that heuristic works most of the time, it’s certainly not trustworthy, given that anyone can upload anyone else’s avatar.

Developers and Site Owners/Maintainers

This last group has somewhat less to do with Ma.gnolia specifically, but, should this trend towards accepting remote credentials exclusively take off, not only will we see increasing value in picking a solid identity provider, but we’ll also see an easier situation for developers and site owners and maintainers who will be able to ostensibly outsource the account management duties of a site. While a drawback is that users may be locked out of their accounts should their identity provider go down (hence the importance of choosing wisely and designing sites defensively!), the major upside is that all the annoying and redundant stuff around building user login pages, error handling, password retrieval and recovery will become the duty of third parties.

To put this in perspective, think of credit cards (my favorite analogy for OpenID): as much as it sucks, when your credit card is declined, it’s not up to the store owner to sort out what went wrong: it’s between you and your bank. The store owner is off the hook. Sure, he can be helpful and forgiving and offer to take another form of credential or point you to an ATM, but ultimately, you’re going to need to resolve the issue on your own. Considering the time that Larry and Todd put in supporting the Ma.gnolia community (two people for over 100,000 members!), they really should be focusing on core issues with the service and improving the basic functionality and performance rather than dealing with trivial account matters that really don’t have much to do with Ma.gnolia’s core offerings.

But that’s just looking at legitimate users — i.e. “real” people.

The far more troubling trend on Ma.gnolia has been the rise of spammers of various ilk, using the site for misguided SEO scams that burden the overall system. You could argue that fighting spammers alone would be enough to warrant the switch to OpenID-only account provisioning if it weren’t for the additional merits I’ve already mentioned (and according to Larry, it looks like this change has already paid off with a considerable drop in spammer activity on the site).

The beauty of relying on URL-based accounts is that other parties with a far greater interest in “owning identity” (that is, big services like Yahoo! and Facebook or individuals operating their own blogs or identity providers), running more capable and focused systems, are tasked with weeding out the bad actors. And, depending on how you decide to implement this approach, you can choose to trust certain identity providers more than others, just as border patrol does for passports of different origin today. Sure, there will continue to be value and legitimacy in anonymity or pseudonymity in social networking contexts, but using remote identities doesn’t actually affect that. It just means that you have to find the appropriate host that will offer you directed identity. All the same terms of use apply, as well as the terms of the remote system (therefore, anyone who signs in to your site using a Yahoo! OpenID will have already agreed to the Yahoo! terms of service barring abuse and illegal activities).
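One way a site could express "trust certain identity providers more than others" at sign-up, as an added example that is not part of the original post or Ma.gnolia's code. It assumes the OpenID library has already verified the assertion and handed back the provider (OP) endpoint URL; the hostnames and tier names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed policy: hosts and tier names are illustrative assumptions.
PROVIDER_TIERS = {
    "big-idp.example": "trusted",         # large provider with its own abuse team
    "community-idp.example": "standard",
}
DEFAULT_TIER = "probation"  # unknown or self-hosted provider: moderate first posts


def parse_endpoint(op_endpoint):
    """Return (scheme, host) for a verified OP endpoint URL or raise ValueError."""
    parts = urlsplit(op_endpoint.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("OP endpoint must be an http(s) URL")
    if parts.username or parts.password:
        raise ValueError("userinfo in OP endpoint is not accepted")
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        raise ValueError("OP endpoint has no host")
    return parts.scheme, host


def trust_tier(op_endpoint):
    """Map a verified OP endpoint to this site's sign-up tier."""
    try:
        scheme, host = parse_endpoint(op_endpoint)
    except ValueError:
        return "reject"
    if scheme != "https":
        return DEFAULT_TIER  # a plaintext endpoint never earns a higher tier
    for domain, tier in PROVIDER_TIERS.items():
        # Match the domain itself or a true subdomain on a label boundary, so
        # "big-idp.example.other.test" and "notbig-idp.example" do not match.
        if host == domain or host.endswith("." + domain):
            return tier
    return DEFAULT_TIER


if __name__ == "__main__":
    for url in ("https://login.big-idp.example/op",
                "https://big-idp.example.other.test/op",
                "https://my-own-server.test/openid"):
        print(url, "->", trust_tier(url))
```

Keying the policy on the provider endpoint rather than on the user's claimed URL matters because a delegated identifier can live on one host while authentication happens on another.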

From a developer perspective, it will also get easier to support this approach as libraries to handle remote account provisioning and delegated authorization (using OAuth) will proliferate. Ideally it will lead to more innovation and more experimentation and more qualified signups for services when user sign-in is outsourced, just like server hosting is now handled by S3 and computation is handled by Amazon’s EC2 (etc.).

It’s not that Ma.gnolia’s abandonment of new native accounts is that much of a revelation, but it does offer the chance to reconsider how taken-for-granted account creation and instantiation has become. I know that Leslie Chicoine of Satisfaction has been thinking about latent registration where users are exposed to the value of the site before being forced down the sign up rabbit hole. Migrating to remote accounts is just one more way of lowering the barrier to demonstrating your core value and engaging new users immediately. It’ll be very interesting to watch the response on Ma.gnolia and to see whether, in reducing the number of spammers on the site, it also has the unintended effect of reducing new signups by real people. Somehow I doubt it, especially if it gets easier to incorporate Ma.gnolia as a service in remote applications like Facebook and OpenSocial containers.


  1. at 7am on Mar 31st

    Great analysis Chris. This will be a very interesting trend to watch, and I hope Larry and the gang keep us posted on what goes well and not-so-well in their brave new OpenID-only world. :)

  2. at 7pm on Mar 31st

    The only problem with this as a SPAM solution is that it’s temporary. OpenID is not a trust system and SPAMmers can just run their own server.

  3. at 8pm on Mar 31st

    Certainly, but while this is true, and the arms race will simply move to a new context, in the least, from a single service provider perspective with multiple “surface areas” that use unified account mechanisms, you can start to more effectively filter across your properties, or to share whitelists with related parties, in the way that Akismet leverages countless WordPress blogs to improve its spam fighting heuristics.

    The next step could be increased fraud for OpenIDs, but then that would really be the true mark of success, wouldn’t it? ;)

    At least, unlike email, through which most PayPal exchanges pass, all OpenID connections are passed over SSL!

  4. at 2pm on Apr 2nd

    CHRIS!!!! CHECK YOU EMAILZ YO—- SORRY FOR CAPS, BUT IT IS URGENT! lolz, it’s about my wedding… XD christ man, you’re like a double0 agent… can never friggin find you these days! I’m still receiving your auto-mail response and it says check after March 31st… it’s APRIL!!! so you must be back in the states, yeah?? okies, laterz dude lol

  5. at 3pm on Apr 2nd

    Good article Chris. The key to the solution is how fast users move towards understanding the potential of single-sign-on and how it actually works for them.

    Seeing Ma.gnolia go this way is a great validation of the scale of the OpenID community and it’s great to see that Larry has done it.

  6. at 4pm on Apr 7th

    One problem: still requires an email address AND confirmation, even after signing up with an openid… fail

  7. David said
    at 10am on Nov 5th

    Very interesting article. I’m planning to build a community site and can’t decide whether to have both openid-login and email registration or if I should only use openid. After reading the article I think I should go after the latter.
