December 22, 2006

Is OpenID a solution in search of a problem?

Practically all of us on the web have, at some point in our browsing careers, lost a login name or its password, requiring us to put ourselves through the terrifying automated reset-or-retrieval process. Usually this is about as difficult as clicking a link, waiting four seconds, and checking our inbox. We bang our heads against our keyboards as we cry out:

Why do I need a separate identity for every, single, site?!!

[OpenID enters dramatically from stage left]

On Wednesday, Brady Forrest wrote:

“OpenID is an identity system that allows you to have one username and one password for multiple sites. Your username is an URL. The password is whatever you choose (and like all passwords you should keep it secret).”

“Identity is one of the last pieces of the Web 2.0 puzzle to become decentralized and fully owned by the user. Up till now we’ve had to rely on sites to control our identity; now with personal sites (mostly blogs) becoming common there is finally a mechanism for us to take our identities into our own hands.”

Hasn’t our online identity been in our own hands since we started using email? Some sites are trusting enough to believe us when we say we’re $celebrityOfWeek, while others send a verification email just to be sure. I don’t understand why we need another layer of identity at all. What happens when I forget my OpenID password? Does the service provider email it to me?

“Lately there have been a plethora of OpenID services launching. All users of SixApart’s Vox and LiveJournal users automatically have OpenIDs. If you want to use a hosted service JanRain’s MyOpenID just launched”

I thought OpenID was conceived to solve the “too many identities” problem. It seems to me this is just making a mess of a mess. Let’s suppose I’m writing a comment on your OpenID-enabled blog. Do I sign in with my Vox account, my Livejournal, or another? Half of your users may be internet geeks with this problem, while the other half has no idea what an OpenID is or where to get one.

This week I’m faced with deciding upon identity systems for several forthcoming web applications. I’d be thrilled if some enlightened commenter could show me that I’m making a mistake, but it looks like I’ll be sticking with my old friend, email, for now.

The idea is that you would have just one identity that you use all over the Internet. Yes, email could be used as a unique identifier but there isn’t an agreed way of using it today. How would you use the email address? Expose it to all of the users of the site or use a nickname? If you use a nickname, how can you guarantee user ‘john’ on one site is the same ‘john’ on another site?

Using URLs as your OpenID not only gives you a unique identifier across sites (that doesn’t require you to expose an email address), it also gives an end point (in my case http://scott.kveton.com) to learn more about a user. That’s difficult to do with email today.

Finally, with OpenID you have one username and one password for all of the sites you go to. Try signing up for one at one of the sites here and then head over to Ma.gnolia or Zooomr and you’ll see what I mean. You get to use your one identifier and one password in both places as well as automatically update profile information for both quickly and easily.

If you’re looking at creating new sites with it, OpenID is a great way to lower the barrier to entry on your site. Users don’t have to register; they just log in. That means they are more likely to engage and more likely to participate.

Hope this helps.

Comment by Scott Kveton — December 22, 2006 @ 11:22 am

“Do I sign in with my Vox account, my Livejournal, or another?”

You would use logankoester.com. It’s trivial to set that up as an OpenID - you don’t even have to install any software on your server, just add a couple of lines of HTML to the HEAD section of your index page.

http://simonwillison.net/2006/Dec/19/openid/

Comment by Simon Willison — December 22, 2006 @ 6:52 pm
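What a site accepting OpenID logins does with those HEAD lines, as an added example that is not part of the original post or comments: it fetches the identity URL and reads the OpenID 1.x `openid.server` and `openid.delegate` link relations, and it must take them only from the HEAD so that markup appearing in the page body cannot redirect the login to a different provider. The function names and all `.example` URLs are constructed for illustration.

```python
from html.parser import HTMLParser


class OpenIDLinkParser(HTMLParser):
    """Collect OpenID 1.x <link> relations, but only from the document HEAD."""

    WANTED = {"openid.server", "openid.delegate"}

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.done = False          # set once HEAD is closed or BODY begins
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.done = True       # nothing after this point is trusted
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may hold several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in self.WANTED and href:
                    self.links.setdefault(rel, href)   # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.done = True


def discover(html):
    """Return {'server': ..., 'delegate': ...} or None if no provider is declared."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    parser.close()
    server = parser.links.get("openid.server")
    if server is None:
        return None
    return {"server": server, "delegate": parser.links.get("openid.delegate")}


# Constructed sample page: two delegation lines in HEAD, plus a stray <link>
# in the body (for example inside a posted comment) that must be ignored.
SAMPLE_PAGE = """<html><head><title>Home</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://user.provider.example/">
</head><body>
<p>A comment: <link rel="openid.server" href="https://other.example/server"></p>
</body></html>"""
```
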

But what’s really so bad about exposing an email address? If it’s to safeguard from spambots, what’s to stop them from following the OpenID url? If John wants to hide his true email from other users, he can use a disposable email address, possibly with redirection to his real email. But there are obvious problems with that approach.

Maybe we could use an MD5 hash of his email as his display name! ( I kid :p )

The single-password point, however, is a very good one. Many thanks to Scott and Simon for your explanation - I did a bit more research and now plan to offer OpenID as an option alongside email.

Comment by Logan — December 22, 2006 @ 7:15 pm

Do you only have one email address? The “multiple” identity problem has already existed in email as well. It’s not a new problem for OpenID.

Comment by J Wynia — January 28, 2007 @ 10:43 pm
