Does OpenID Have an Identity Crisis?

If a single theme emerged from the recent OpenID usability summit hosted by Facebook (to which I was not invited), it is that ‘Brands’ are the key to OpenID success. Users, more than anything else, identified themselves with brands such as Yahoo!, Facebook, and MySpace, and when presented with a federated login dialog, found the logos of these providers to be the most intuitive way to log in. This is the driving force behind Facebook Connect adoption.

The key to brand-driven login, of course, is Directed Identity. It’s the feature of OpenID in which the user does not enter his OpenID URI, but instead tells the site who he would like to log in with (the provider’s identifier, not the user’s). Yahoo! was the first major supporter of Directed Identity and it is the primary feature of its OpenID service.

See where I am going with this?

If Directed Identity is the technology, and Brand-recognition the philosophy to move OpenID forward, isn’t that equal to declaring bankruptcy to the vision of self-controlled and hosted identity? Microsoft, Google, Yahoo!, and Facebook don’t need a community. They can meet in a room and decide how they want to inter-operate. Technically, they don’t even need to inter-operate because developers can just drop 4 libraries into their sites that will do all the heavy lifting for them (Facebook-style).

Is OpenID becoming nothing more than a fig-leaf for big corporations, protecting them from anti-trust, and making their locked-in products look Open?

5 thoughts on “Does OpenID Have an Identity Crisis?”

  1. I’m not sure why you’re making a deal out of being “not invited”; over forty people were there in person and two-hundred people on the live video stream. Not a single person who requested to come was turned away.
    One of the most significant and concrete pieces of work coming out of the summit is the proposed OpenID User Interface Working Group (http://openid.pbwiki.com/OpenID-User-Interface-Work-Group-Proposal) which can be implemented by any OpenID Relying Party and Provider, big or small.
    I will agree that more mainstream consumers are finding it easier to interact with OpenID via brands like Google, MySpace or Yahoo!, but not one person at the summit advocated for removing or hiding the ability for someone to use their own OpenID to sign in.
    So no, you’re wrong. :)

  2. The comment about not being invited was a tongue-in-cheek comment. I heard Facebook was doing some sort of a closed event about two weeks earlier and the next time I read about it was on Twitter during the event. No big deal.
    I am very skeptical of a standard organization (which is what OpenID foundation is) trying to do UI work. But I will wait and see what comes out of it.
    I don’t know what came out of the event, but I read the presentation so my view is limited to what went in. I think it is naive to think that just because there is a way to use your own OpenID somewhere, the presence of large brand names will not eventually move OpenID in a different direction.
    Using brands isn’t innovative, it is more of the same.

  3. An OpenID sign in interface needs to show me the appropriate brands depending on who I am and what I’m trying to do. For me that means seeing OpenID big and prominently since I use my own URL, but for my Mom that means emphasizing the Google logo since that is her main account online.

  4. The solution is moving the “connect” button in the browser, and out of the sites.
    Google, Facebook, Yahoo, Twitter and others will be Identity Providers. People trust them.
    Their job will be to protect your personal data and to give web apps access to it. Pressing the Connect button in the browser should tell the ID provider that you accept connecting to the site you’re visiting and give the site a way to talk back to you when you’re offline. (messaging + notifications system)
    If you trust your browser with remembering your passwords you can also trust it won’t randomly connect you to sites you don’t want to visit.

    This solution would be much better for web app providers:
    1. easier to implement
    2. Apps will be able to send personal messages (like email) and notifications through the ID server.
    3. could be a better alternative for RSS (which is really not that simple)

    Once that happens, a big chunk of trust is handed to the ID servers – they will know what you’re doing online if you authenticate with the sites you’re visiting.
    So online banking and controlling satellites shouldn’t work this way.

    In case you need an anonymous connection you should be able to use the browser as your personal ID provider.

    Of course, the big players (mostly Facebook) will try anything else before that.
    I think Google is already on this path with Chrome and I’ve seen some work on Firefox on this but I’m not sure how deep they want to go with this. I feel that without a way for developers to send messages to the users, the whole openID movement won’t properly take off.

  5. What the article calls directed identity is really identity discovery. Directed identity means that the OP will send back an identifier to be used ONLY with the site you’re trying to log in.
