I've sometimes been of two minds about OpenID. I've always seen it as alluring because of its simplicity and openness. It seemed perfect for simple web applications.
But in my darker moments, I worried about some of the system's usability and security issues. In particular, I was concerned about how easy it would be for an “evil site” to trick users into going to a web site that looks identical to their OpenID provider, convincing them to log in, and then stealing their credentials. If this were to happen, everything that is good about OpenID would turn into something negative.
OpenID has become a key part of the Identity Metasystem
I think many of us involved with the OpenID community came to the same conclusions, but felt that if we kept trying to move adoption forward, we'd be able to figure out how to solve the problems. In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity. Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009. The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers. As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.
Maybe even more important, some of these sites are of the kind that can quickly
change perception and behavior.
Most notable is Facebook, which took a huge step forward when it started accepting OpenIDs for login – blowing away the old saw that “no one wants to be a relying party”.
Now, the US Government has decided to adopt OpenID as one of the identity protocols for citizen interaction – again, as Relying Party, not Identity Provider.
There is a sea-change here. I strongly believe the right thing to do is get behind OpenID as part of the Identity Metasystem, help promote adoption, and work with the community to make it safer and easier to use. What is encouraging is that the community has repeatedly shown its ability to evolve as it deploys, and has been able to rapidly extend the standard from the inside. It has now become widely recognized in the industry that active client software (also called an “Identity Selector”) for OpenID could solve most of its problems, given some minor revisions or additions to the protocol. By remembering the identities you use, this kind of software can address two sets of issues:
- Usability: Lets you bring your identities with you to the site, rather than the site having to guess what identities you have
- Security: Protects you from being sent to a malicious site impersonating a real site that would steal your password
New prototype at IIW
Yesterday at the OpenID Summit hosted by Yahoo, Microsoft's Mike Jones and Ariel Gordon showed some of the work their team has been doing to help figure out how this kind of capability could work. What's cool is that the client they were showing is completely optional – without it, OpenID continues to work as it currently does. But with it, experience improves and the dangers are greatly reduced. I agree with them that demand for a better and safer OpenID user experience will drive selector adoption, which will in turn enable scenarios at higher levels of assurance than are possible with OpenID today.
Ariel Gordon, the main UX designer, told me, “I see it as a starting point for joint work with others in the community – definitely not a finished solution or product.”
It is consistent with the Information Card metaphor:
- Your OpenIDs are shown as visual cards
- You select an OpenID by clicking
- The OpenID last used at the site is the default selection
New OpenIDs can be added on the fly, by picking one from a list suggested by the site, or by typing the provider’s URL.
Mike made a good point about what this means for people who use smaller OpenID providers: “The cool thing is that it remembers the OpenIDs you’ve used and where you used them […] With a web-based Nascar user interface, Arizona Sate University users will never get the same user experience that Google.com users get […]”
Unfortunately I couldn't attend the meeting in person but remained wired to the tweets. Summit host Allen Tom from Yahoo said, “Showing already used OpeniIDs is a great protection against phishing: if a rogue RP tries to send the user to ‘fake yahoo.com’, a regular Yahoo user will click on his Yahoo button in the selector and won’t even see the fake yahoo link.”
He added, “The prototype selector goes in the right direction by offering a better experience when present, while not preventing users to access their favorite sites from any computer.”
Google's Eric Sachs saw value too. “…And a fake yahoo tile would say “never used here” so that’s even more information to help protect the user.”
Bringing our perceptions together from different organizations with different missions and vantage points is what can make all of this succeed. The partnering is the key.
So one of the best things about the prototype, in my view, is that it has already demonstrated collaboration between a whole set of really experienced community members:
- Relying Parties: JanRain, Plaxo, Deutsche Telekom
- OpenID Providers: Yahoo, Google, JanRain
- Identity Selectors: Microsoft, Deutsche Telekom
- Enhancing Specifications: Microsoft, Facebook, Yahoo.
Today, the same prototype was presented to the influential Internet Identity Workshop
. I'll add to my growing lis of IOU's a promise to do a screen capture of how the prototype works so everyone can take a look.