A couple related posts caught my attention recently about OpenID. As I’m now a board member of the OpenID Foundation, I feel some responsibility for helping to inform folks about OpenID: what it is, how it’s used, why I believe that it has so much potential — and at same time, address what it isn’t, won’t or can’t be, and what the scope of the OpenID solution stack is.
The first is a post by Nick O’Neill from the Social Times blog: “OpenID Organizes the Organizers While Facebook and Google Start Letting Users Login“. It was posted on December 29th.
He begins his criticism with a slight error:
Over the weekend the OpenID Foundation announced that they are having its first election of community board members.
In fact, over that particular weekend, the OIDF announced the results of its election, not the kick off.
But his broader sentiment deserves a response:
[…while] Facebook and Google have launched their own identity services that enable users to instantly log in to any site with third-party accounts[, … the] group seems to still be in the process of organizing though. … I think the group is over planning and under executing.
Josh Catone from SitePoint picked up his point, suggesting that “OpenID Needs to Start Getting Real“. He writes:
What the OpenID Foundation needs to do is start “getting real.” Getting real is a business philosophy from 37signals, a successful web application software company based in Chicago. Though there’s a lot more to their idea, one of the main themes essentially boils down to this: stop screwing around with all the stuff that doesn’t matter and just wastes time (like politics and meetings), and start doing the stuff that needs to get done (like building your app). Don’t worry about the details until people are already using what you’re selling.
I agree with O’Neill that so far the OpenID Foundation seems to be spending too much time on organizational stuff, and not enough time on actually doing what needs to get done. In a chapter of their book “Getting Real,” 37signals talks about how meetings can kill productivity. “Every minute you avoid spending in a meeting is a minute you can get real work done instead,” they write. From my admittedly outsider’s vantage point, it appears that the people behind OpenID are getting too caught up in the organizational stuff, getting too lost in the details, and not spending enough time on execution.
My perspective, of course, is that of an outsider. I’m not privy to what’s going on behind closed doors, so to speak. So my perception of what’s really going on could be off. But at this point in the game, public perception is what it’s all about.
And therein lies the heart of the problem. Perception is reality in the land of OpenID and will shape the thinking of developers, users and those who make up the OpenID and user-centered identity communities unless we initiate a campaign to earnestly counter those perceptions.
Nevermind that for OpenID to succeed, it must be developed with the involvement of many different groups, each with slightly different ideas, objectives and release cycles. Unlike Facebook Connect, OpenID is essentially consensus technology. To advance, it must secure and maintain the buy-in and adoption of many parties on every forward step. But let’s ignore that for a moment, because that’s an issue for us to overcome.
Jim Louderback (veteran of PC Mag) recounted his miserable experience trying to sign in to Disqus with his OpenID in a post titled “I can haz OpenID?“. Apparently, he can not, since he abandoned his comment and resorted to posting it to Twitter instead. The problem apparently had to do with Clickpass, but that’s besides the point, as the experience left a serious impression (emphasis mine):
And that gets me back to OpenID. I love the idea of having one set of identification credentials that I can use around the web. If it all works right, it’ll be awesome, birds will sing and the swallows will return to wherever they’ve disappeared from. But it won’t all work right, not all the time. We’re talking software here, and the internet, and the egos of childish web developers. Occasional (or more often) fail is guaranteed.
It’s even worse than I feared. A few days after my Disqus debacle I was talking with a developer friend of mine who was bemoaning the sorry state of OpenID implementations. It seems that all the big sites have their own flavors, and the OpenID foundation just doesn’t have enough clout to force a single standard across the web.
That’s a bad state of affairs. It guarantees more fail – and also guarantees epic finger-pointing. Who will lose? The users, first, who won’t be nearly as patient nor accommodating as I am. But in the end the whole glorious promise of OpenID will be left in tatters, and we’ll be back to our walled-gardens of identification. And that’s just too bad – because an open, interoperable identity system is actually one of the best ideas I’ve heard in a long time. Too bad no one can get their act together to actually build it right.
And these are the stories that will be told and retold because it’s not the successes that are heralded — it’s the epic failures. As much as I like to rag on Twitter about OAuth, their service is a million times better than it was six months ago during the Summer of the Fail. Twitter ops deserve a lot of credit for making hard decisions about which features should be cut in order to scale the service.
But when it works, people don’t shower Twitter with praise. It’s expected. It’s only when there are problems that people raise their voices — and it’s no different with OpenID. Unfortunately it’s this cacophony of complaints that ends up shaping the negative perceptions of OpenID.
So, when the Japanese chapter of the OpenID Foundation releases figures that show significant and gaining consumer awareness of OpenID in Japan that contradict the outdated and statistically insignificant findings (PDF) that Yahoo presented last year (on which so much criticism was heaped), few seem to notice.
Progress in Japan alone isn’t enough of course. But it does suggest that there is more to the story of OpenID’s overall progress and success in the marketplace. It also suggests that OpenID has yet to succumb to Facebook Connect or that it ever will (or that that’s even the right question).
Still, what all this says to me is that the OpenID Foundation and the community at large have its work cut out for itself.
As more people begin to believe in the promise of OpenID, more people will commit themselves to the success of OpenID, taking ownership of the idea, and promoting it their friends and family (as they did with Firefox). Our opportunity is to make good on the hope that people have for OpenID and effectively channel it to challenge the bruised perception that defines OpenID today. If we succeed, changing perceptions truly will change reality.
Factory Joe 
You seem to be pointing at these examples of FUD and leaving them with little rebuttle. Are you expecting that readers of your blog know OpenID, and know that these analysis you have listed are patently untrue?
Different implementations? Untrue: there is but one standard and any of the libraries will work with any of the OP/RP implementations out there.
Things done behind closed doors? There may be a lot of that in supposedly “open” communities, but I don’t think OpenID is one of them. There’s whatever happens at the foundation, but the OpenID Foundation is a legal freckle, not a core component, of the OpenID process.
Google has launched their own identity service, which seems odd, but they have *also* launched OpenID support.
Whenever people ask me why I support the (in their opinion losing) OpenID technology, I tell them that OpenID *has already won*, from my point of view, because it *works* it’s *easy to implement* and over 80% (probably more) of the internet has one.
Just few comments…
I don’t want, and nobody should, getting any identity system being dominated by one of the major Big Web Company. The examples of issues we can have in terms of phishing, privacy, and so on could not be managed from any Google, neither Facebook.
Definitely an independent corporation like OpenID is the answer, but it’s true to mention that there’s a lot of work to do in terms of interface or simplicity. It’s really not easy to use an OpenID account, on a very simple user position. I experienced that… So let’s go guys and now focus and product and its growth!
I think the perception is that OpenID is just siloed data yet again. If I am starting a new website that needs membership services, exactly how does OpenID help me? What data do I store? What data does OpenID store? How is it easier to THE DEVELOPER not the user? Truth is, many developers will choose to create their own membership systems again and again as they retain control of the membership data.
On a related point, can someone point me to somewhere that best explains how to include OpenID in a new site, and how that ties in with site specific data…ie stuff that is not stored with an openid
@moopy: I’m a little confused by your point, and not sure how you’re going to receive follow-ups since you didn’t leave a valid email address, but that’s your bidness.
The reason why a developer would choose to support OpenID is because, in theory at least, it lowers the incline of the on-ramp for new users, since they can use existing accounts to sign up for your service. The research has shown that putting *any* barrier in front of users will cause them to balk at signing up for a new service, and that most shopping carts (for a commerce-based example) are actually abandoned before a transaction is completed. The easier you can make the process of signing in — or of checking out — the more transactions or account signups you’ll have.
Suggesting that OpenID somehow takes away control from the developer is like suggesting that you should force people to sign up for your email service to get an account. If someone has an OpenID — why not let them use it? How you message to them or collect data about them is orthogonal to OpenID — even though mechanisms like Simple Registration (SREG) and Attribute Exchange (AX) actually enable you to request certain aspects of someone’s profile.
OpenID doesn’t cause you forfeit any of the mechanisms that you currently use to collect user data — heck, make it as onerous as you like! The point, however, should be to make it more convenient and easy for someone to come back to your site later and not need to remember whatever password they used when they signed up.
That means it’s better for your customers, AND it lowers your support costs since people aren’t constantly emailing you about their forgotten or lost credentials.
Etc. Check out Joseph Smarr’s recipe for how to implement OpenID.
I find it amusing that the razor of Getting Real would be directed at OpenID.
For starters, implementing the core nugget of OpenID was executed long ago and is out in the wild being used. OpenID is *not* feature-bloated vaporware.
Additionally the notion of iteration that is so key to agile development, see Getting Real, is the process that OIDF has been pursuing as evidenced by the various attempts to improve the login process.
Then there is the simple fact that the originators of the “Getting Real” philosophy, the gentlemen at 37signals, implemented OpenID across there product offerings quite a long time ago. And their customers use and love it. And as developers they seem to love it too.
Unfortunately, I think in this case the “Getting Real” meme may have been picked up and misapplied.
I think Mr. Messina is right that perception is a growing threat to OpenID. Frankly, he has been right for quite awhile. As important as persuading the big players is, persuading the general public is important too. Some work has been done on the public end in terms of usability and more should be done. But there is also a strange group in between Google & Johnny Q Public and that is who we hear the most noise from imho. And for what ever reason this noise group has a big impact on the perception of OpenID.
And just in case I seem to much in Messina’s corner, I’ll through out that if anything could use a little “getting real” it would be DiSo. But that’s only because I’m anxious for a friendly release.
Thanks for your comments, Snowflake Seven.
As for DiSo getting real — I couldn’t agree more — to an extent. 😉 The reality is that it’s hard to shepherd an idea like DiSo forward when it requires so many pieces to be assembled in a way that works with the web that we have today, and with a lot of foreign concepts that seem somewhat unintuitive by today’s standards. We’re making up some of this as we go, too, and responding to market trends as things become more obvious over time.
Still, a demo — or at least a real flow — that gets at what we’re trying to do is something I really would like to produce for Q1 this year. Now that I’m on the OpenID board, I think it’s imperative that I communicate more clearly about where I think this technology can go — and to demonstrate how the DiSo concepts can help frame the discussion as we move forward.
So, I appreciate the bump — it’s well founded.
I agree with Snowflake Seven – seems like “Getting Real” was misapplied.
What you quote Nick O’Neill as saying seems to be the classic difference between democracy and dictatorship.
OpenID seems to be “Getting Real” as much as a democratic standardization organization can – but it’s independent from all the large websites and can’t (and shouldn’t) deploy the standard themselves. That’s a strength of OpenID – not a weakness.
Google and Facebook on the other hand is more similar to “dictatorships” – they own large websites on which they can invent and deploy any standards that they want without asking anyone else. It’s definitely faster but I doubt that it’s better in the long term.
When OpenID first appeared—I’m writing here from a new user point of view—it looked like the answer to everything. Terrific!
And—you want me to be real, here?—the moment I realized I was going to have to futz with multiple providers, deal broken.
There is a multitude of Important, Worthy things begging for attention on the web, and a limited amount of hassle I’m going to volunteer for. Almost none, in fact.
So, simply, there it rests.
@Zo: that’s an interesting perspective.
I guess I’m confused by what you mean by “futz with multiple providers”. One of the tenants of OpenID is that it ensures you choice — that is, if you want to switch your OpenID provider, you can do so, because the protocol is an open standard. That can not be said, for example, of Facebook Connect. If you’ve signed in to lots of sites using your Facebook account, and then decide that you no longer want to use Facebook anymore, you cannot switch your Facebook Connect provider. From your statement, it almost sounds like you prefer that model, but I’m not sure I understand your point.
Certainly it can be confusing to have to pick a provider from the interfaces that offer you a selection of many OpenID providers — especially if you have accounts with more than one of them (which to pick?!). However, over time, the idea is that you would reuse one of those accounts more often than the others — and become familiar with your preferred OpenID provider, just as you do with credit cards (perhaps you have one for business, one for personal expenses, one for airline miles, etc).
Can you elaborate on what you’re saying?
Chris,
I’m glad you are blogging this stuff — I voted for you and am certain you will help move OpenID forward.
In terms of perception, though, I think the big problem is how trust fits into OpenID. Many users believe that OpenID embodies a trusted relationship, but it does not. Or as Marc says in his post, “Most normal people think OpenID is the solution and just by “using it” all their issues will go away. HAH!”
Because of the trust issue, few sites act as RPs because they can’t trust arbitrary IPs.
I know you are big on the user experience, and this fits in well: User’s expect their OpenIDs to be accepted everywhere, but just because you have an OpenID doesn’t mean it will be “good enough” for a site that uses OpenID.
I hope you (and other members of the board) are interested in tackling *this* perception issue.
Robert
I still haven’t bought into the ROI for going with OpenID. There just aren’t enough benefits for the potential risks.
The major risk, and I can’t get over this, is that an OpenID provider somehow screws up and lets bad logins through. Immediately your site is at risk and you have no control over it. Your users are gonna come at you and you aren’t going to be able to point the finger at the provider because I guarantee you most people won’t get it. To me there would need to be a very compelling ROI to overcome the 3rd party risk, and I’m just not seeing that yet.
This is especially true for Google and Facebook. They already have established user bases so enrollment isn’t as big an issue as it could be, plus their products are differentiated enough that people aren’t going to be deciding against them because they have to type in a password. Maybe Google and Facebook aren’t really targets for OpenID consumers, though.
Chris – having followed you and OpenId for a long time, I see two core issues you may wish to consider.
1. how can I trust the OpenId provider?
2. what can be done to make OpenId understandable to non-geeks.
Congratulations on your election btw.
Colin
I’d have to agree with the general sentiment that OpenID is a good idea and it’s something the web needs. However, I am in the same boat as many of the other developers.
It’s tough to see value in implementing OpenID for most of my sites. With the exception of sites with a largely technical audience, most users are unlikely to know they have an OpenID via existing services. In all honesty, I tried to get my mom using OpenID and she gave up and used the same username/password combo she always does. That leads to my second issue. OpenID doesn’t replace my membership system, it only replaces authentication right?
So now I’m implementing a new tool for some users, but I still have to manage my users’ other data, so I’m really only saving a few fields in a database. I’m also likely to get stuck fielding the “I forgot my openid” issues.
I guess this is the challenge that many developers face and what I think the “getting real” naysayers are pointing to. OpenID is a great idea, but if it creates more work for me and doesn’t provide a percieved benefit for my users, it’s a tough sell.
For OpenID to be a success, the current state of things needs to improve a bit. The benefit needs to be clearer for developers and the non-tech crowd. You’re right that perception is key, but even when searching I dont’ see many OpenID success stories. It’s easy to find negative posts, but there aren’t a lot of postive experiences. Even 37Signals OpenID benefits page doesn’t really list any benefits.
We still believe in OpenID at Revision3, and definitely plan on implementing it. BUT, it has to be something that just works, and works right 99.9% of the time.
I’ll keep trying a few times, because I love this stuff. But the average consumer will try it, and if it fails once they may never go back.
I hope everyone in the OpenID space agrees on a standard interoperability.. Because OpenID in theory is awesome.. Let’s not let the details get in the way.
Standards that work, like WiFi, are great. Standards that no one can agree on, like Ultrawideband, aren’t.
jim
@chris: Your explanation was more than I ever picked up from whomever I signed up with … and I suppose it’s the multiple providers that was, however ironically, why I lost interest. Pretend I’m a simple surfer, clinging to my (ugh) PC box, careening around the web. These people *will* not go through the hassle. Why multiple providers? Or was this way beta, the whole concept. Users tire of that, too. At least I did, and have been in waiting mode, figuring when OpenID firmed up and came together, I’d hear about it.
Best wishes in this new endeavor.
As a web site developer, I can’t take OpenID seriously.
It’s hard to get users to register for web sites. (That’s one reason why this blog lets people post comments without registering.)
Any credible solution for federated authentication has to make things easier, not harder. OpenID makes it harder… I mean, what do I tell people? Go read this (confusing) web site about OpenID. Choose one of 20,000 providers. Well, if you choose one of them, you’re a sell-out. You should register a domain name and start your own web site and have your own OpenID provider if you want people to take you seriously…
Most users will have lost me about 1/10 of the way through that discussion.
Facebook Connect is an entirely different experience. I can tell users what to do, they do it, and then they are registered and logged into my site.
There’s a narrow window of time that other competitors might be able to get in a credible position before Facebook Connect takes over. OpenID has been a dangerous distraction that is slowing down the response of potential FB Connect competitors.
Identity management is a key factor in the evolution of the web in the next few years, and – as usual – the balance between “user frendliness” and “user laziness” is a danger for truly open solutions, in favor of proprietary (but more attractive – in the short period) ones.
I guess it would be a really bad idea to ask, but… How _does_ one recover one’s forgotten OpenID? OpenID.net has no instructions, I’ve never seen a “forgot your OpenID?” link on any Web site using it (even the annoying Discus offers that much!)… and no one discussing OpenID on his/her blog seems interested in unlocking the mystery. Or _is_ a forgotten OpenID recoverable? I know, this might sound absolutely asinine to you all reading this, but this is why folks end up throwing their hands in the air and abandoning OpenID altogether. It’s a nice idea, but most of us who try to use it don’t have the time or the interest to care about anything on the back end. I just want a reminder of my forgotten OpenID — which, frankly, is forgotten because I never use it unless absolutely forced to — because I don’t use it, because I can’t remember it, because… See what I mean? So, uh, how _does_ one recover a forgotten OpenID?
@JR: If you forget an OpenID then for all sites which that was the single login option you would have to reset the account through a “Forgot your password?” kind of function.
There is no generic way of restoring a forgotten OpenID in itself – it’s up to every site who wants to use OpenID as a login option to create such a solution.
If you on the other hand has forgotten how to log in to your OpenID – then it’s up to your OpenID provider to decide how to handle that.
So really – there is no standard way that a forgotten OpenID can be restored – it’s up to each individual site to provide that possibility.