Helping Explain OpenID

Blog Article

03.14.07

A little while ago my friend Justin Thorp made a post basically asking: What is OpenID and why should I care? I was wondering the same thing, and with all the recent chatter in the blogosphere about it, I decided to do a little bit of research. Hopefully I can help explain it to everyone else who was in the same position I was just a few days ago.

What Exactly Is OpenID?

Wikipedia defines OpenID as "a decentralized system to verify one's online identity." It is an attempt to solve the issue of the myriad of usernames and passwords we have all accumulated from this web2.0 non-sense. The idea is that instead of creating a new account for each and every new service you come across, you can use a pre-existing OpenID account(s) to take care of it. You use a URI (i.e. zack.weareseencreative.com) to login to a website, instead of using a username and password.

Why Should You Use OpenID?

Convenience? Peace of mind? Not having to remember a gazillion username/password combinations. In this web2.0 world, who knows just how many username/password variations I've created in the last year or so. And with all the sites that have slightly different password requirements, logging in can easily become reminiscent of playing a game of Memory as a kid. Now, with OpenID, you just have to remember one. Yes, I know Firefox can help remember those passwords for you, but Firefox can't remember those passwords for you in other browsers or on different computers. I have 3 computers (+ 2 versions of Windows with Bootcamp and Parallels). OpenID helps relieve my password remembering anxiety, thus helping me on my way to Getting Things Done.

If OpenID's so great, Why Aren't More People Using It?

I think it's probably because most people don't know about it. Or if they've heard about it, they don't understand exactly what it is or how it works. That was my reason. I was extremely cynical about OpenID at first. I had even written a huge blog post earlier with a whole bunch of concerns I had. Then I decided to do a little more research (most helpful being Simon Willison's presentation at the Future of Web Apps in London) and most of my questions were answered and concerns squandered. I actually think that this could become an amazing tool for the web community.

Too Bad There Aren't More Sites Supporting OpenID.

Yeah. That does suck. If more sites and applications implemented OpenID (and not just become providers, but consumers), I might be able to save minutes in my day from having to fill out login/signup forms. Luckily, there are a bunch of big companies/sites that are beginning to jump on the bandwagon. AOL, Digg, Microsoft, SixApart, etc. This is the first step in bringing OpenID into the mainstream. Especially being that a lot more sites are actually becoming OpenID providers, meaning that anyone with an account on their site will automatically have an OpenID. The more people that have OpenID accounts, the more pressure on other sites to support OpenID.

The Persistent Concerns.

Before you get all, "Oh, great. Zack's gone and drunk the OpenID koolaid." It's not all a bed of roses. I'm still a little concerned about the fact that OpenID interrupts the login/signup process. The first time you log into a new website, you not only have to be logged into your OpenID account, but you must also approve the website before you can actually be logged in. Luckily you only have to approve the site once (if you choose that button), otherwise, it would become extremely annoying. Realistically, this is only a big concern for non-tech savvy people. While I'm sure all the early adopters are more than capable of handling this interruption, it is my Mom and Grandma that might become hesitant when all of a sudden they are on a different site. But the consensus is that we aren't quite at that mainstream yet. OpenID is still in its early phases and will most likely become better, and more Mom friendly as we move forward.

So What Does This Mean For Seen Creative?

While we are still considering all the facts and discussing all the options, Nick and I are pretty excited about what this can mean for the web community and for our applications and users. We are currently working on the next version of billQ, and there is a very good chance that OpenID will be supported. We have also been considering other login APIs like Google, Yahoo and Facebook. It will all come down to the best experience for our users. And while we'll be sure to keep you in the loop, we'd love to hear your thoughts on all this. Is it something you'd like to see? What are you concerns and fears? Let us know.

This article was posted on Mar. 14th, 2007.
It is categorized under: Technology
Follow the comments for this article with this RSS Feed.

Comments for "Helping Explain OpenID"

Lail

commented on Mar. 21st, 2007 at 8:08 am

Looks good on paper, but I'm still concerned about the "Mom and Grandma" (and Dad and Grandpa and Uncle Bob, and most people in my family over 45) not really "getting it". The signing in with a URI seems like a realy new approach, and not in a good intuative way. Same for the approving new web sites.
I only hope that you're right about it streamlining if it catches on.
Nick

commented on Mar. 21st, 2007 at 11:11 am

Hey Lail,
You are definitely echoing our concerns. The whole, jump to another site to login to approve the site you were previously attempting to signup for user process is a little rough. It definitely is not a mom-proof solution.
But for now, I think what it comes down to is this: There is no harm in offering the option. People who understand OpenID will understand the process. All other will use the traditional method. And I think that is the route that we will go. Providing the option to people who understand it is not really a hard to do, so why not.
Lail

commented on Mar. 22nd, 2007 at 4:36 pm

Yep, I think that's the smart approach. In interesting related news, 37signals is talking about the early stats coming in for their new Highrise product that they launched this week. They are claiming the 9% of their users are using OpenID. Certainly, their week one sign-ups are made up of the early adopter crowd, but any way you look at it, that's a pretty impressive statistic.
microdesign

commented on May. 4th, 2007 at 2:20 pm

Thanks for this explaination.. its realy a bit the same like gravater isent it?
Zack

commented on May. 4th, 2007 at 5:24 pm

microdesign,
From what I understand, they are very similar in the idea, but different in execution. A gravatar is completely controlled by one company, where OpenID is a completely open system that is not reliant upon one company. Plus, as of right now I believe gravatars are merely about a universal avatar for users. OpenID is about a simplified online identity that can store your information without having to fill out tons of forms and acquire tons of usernames and passwords.
Brant

commented on Dec. 20th, 2007 at 4:20 pm

I've been thinking about this. Why don't we use the same method we do hidden communications, through web services or API.
We should be able to handle the most calls through SOAP and/or REST method. The only requirements would be that the requesting site display that user's approval dialog and send the response back to the OpenID provider.
Just a thought.
Zack

commented on Dec. 20th, 2007 at 6:15 pm

That's interesting. It would take just as much setup on the requesting site's end to display said dialog, and the OpenID community could easily provide standard tools/library to help with it anyways. I'm not sure why those methods aren't used. I feel like that might be something to ask Chris Messina.
Great point though. I like your thinking.
Nick Adams

commented on Dec. 20th, 2007 at 6:15 pm

I think the reason why that isn't possible (or at least why it wasn't built in to the process) is because of phishing/security issues. It would be way too easy to fake the authentication if the user never had to be sent back to the originating OpenID provider.
Even as it stands now, phishing is an issue. If someone was malicious and creative enough, they could spoof the OpenID provider itself.
Jurgen Jessurun

commented on May. 20th, 2008 at 3:05 pm

"If someone was malicious and creative enough, they could spoof the OpenID provider itself."
Does the server need special attention?

Blog Article