Embracing OpenID
I first heard about OpenID in 2005 and have kept hearing about it more and more since then. I never actually jumped on the bandwagon and started using it though - until now. I won’t go into the details of OpenID because you’ve probably heard about it just as much as I have. The goal of the OpenID is to reduce the number of accounts and identities web users must manage on various websites and instead just maintain a single online identity.
If OpenID is so useful, why has it taken me this long to begin embracing it? At first it was a bit of skepticism. Why would I delegate my identity to an OpenID provider? I was always taught not to put all of my eggs in one basket. It just seemed like trusting my entire online identity to one provider/service was a bad idea.
I never actually took the time to read up on how exactly OpenID worked and just didn’t feel comfortable changing my workflow to support something that had yet to tout large adoption rates. After a while it all started to make sense. Why have my identity with one site and another similar identity with another site and so on? DataPortability comes to mind. Users should have the ability to easily control their identity and personal data for any site or online community to which they belong.
For the average web user, one that doesn’t own a domain, OpenID probably won’t make sense for some time. Tony Haile pinned down some of those reasons in a recent post about OpenID. Maintaining an online identity is all about merging a personal brand and communication identifiers to authentication. Logging in with a generic OpenID URL does little to create a fluid user experience and tie those three identity elements together. I didn’t like using an OpenID service whose authentication URL wasn’t under my “control”. Logging in with my domain feels better, even if I do end up delegating that to an OpenID provider.
<link rel=”openid.delegate” href=”http://clickpass.com/public/pauls”/>
Fortunately that issue is waning away as OpenID providers like Yahoo! allow people to use more personally-meaningful URLs, such as their Flickr photos URL, for OpenID. Ideally, OpenID URLs should be tied to a real profile of that person and be more than just a URL, an identity.
Naturally, OpenID is pretty useless if the sites you use regularly don’t support it so that was a big reason why I didn’t feel the need to use OpenID.
Clickpass did it for me
Clickpass made me rethink OpenID. A mixture of their seductive site design, pleasant and clear UX and clicking to login to (supported) sites made it easy to use. Clickpass still faces the initial OpenID problem - adoption. There aren’t many sites that support Clickpass, yet. Regardless, Clickpass makes for a stellar OpenID provider.
With that being said, I’d like to announce that Skribit now supports OpenID and Clickpass. It’s one more site you can give your new Clickpass account a test drive on.
Your Turn
Do you embrace OpenID and Identity 2.0? What sites do you use your OpenID on? Who is your OpenID provider? Is OpenID here to stay? I’ll go first: (1) Yes, (2) Basecamp, Skribit, Hacker News, Jyte (among others), (3) Clickpass and (4) OpenID has the support of large corporations as providers but those corporations have yet to actually use OpenID themselves (the canonical example being Flickr not supporting OpenID login even though Yahoo! is a provider). Give it some time, OpenID here to stay.
Related
If this stuff is interesting to you, you might like this as well:
- Chi.mp - Content Hub and Identify Management Platform and their identity blog
- demand.openid.net
- Vidoop - OpenID provider with a twist: no password, at all.
- Misc writings by Chris Messina
- 37signals Why OpenID page
- Why Should I Use OpenID? at Hacker News
Interesting. I did consider trying out this whole OpenID thing a few years ago, but I never really got to it. I see it around a handful of websites, but not nearly in as much places as it could be. Yea, it’d be cool if more places adopted this. Then it’d be easier for everyone else to get OpenID’s. Also, I definitely know that a lot of people look at OpenID just like you did, Paul. The whole idea of keeping all your eggs in one basket being a bad idea applies to a lot of people.
Actually, the cool part is you can basically supplement your authentication using any method you’d like. For instance, you can get a PayPal/Verisign Security Key for $5 and then link it to a Verisign PIP account (their OpenID service). So, you can get something *way* more secure than a password and inject that kind of security into any site supporting OpenID.
You can do this for other types of authentication methods. Fingerprint scanners. Facial recognition. You name it. If you can code it to speak OpenID, you can be way more secure than a simple username/password combo. And more importantly, it’s a lot easier to be that kind of secure.
I know Invision Power Board is supporting it in their next version. I’m sure vBulletin will follow. That means most forums out there will end up supporting it. That’s going to do wonders for adoption.
Site note: Going to enable OpenID on your blog here? ;)
I love this whole idea but what if I already have accounts on those services!
I’ve hit a snag on the user side: I know I have an OpenID somewhere, but I forget where. Since multiple sites offer to be my credentials, that’s just more confusing. Especially when many of these sites also allow local usernames, that I already have.
@rmaspero - you can easily merge accounts
@markzero - i guess you can say that’s the downside of decentralized identity management.. but the only one really. just gotta remember who your provider is. :-)
While there are reasons to believe that OpenID is going to be the target of a new breed of spammers, I did embrace it, only after I found the option to link it to my own domain: MyOpenID gives you the option to set up your own OpenID (sub)domain.
Must say that it does take away the extra trouble and it still gives the feel of a personal touch, rather than yet another connection to flickr, wordpress or whatsoever.
I use myOpenID, but after you talked about Clickpass and posted those screenshots, Imma try it out right now! :-)
@Tim Dorr - try it now. :-)
Guys, here’s the link to the OpenID plugin if you want your blogs to be OpenID enabled: http://wordpress.org/extend/plugins/openid/
“Clickpass made me rethink OpenID. A mixture of their seductive site design, pleasant and clear UX and clicking to login to (supported) sites made it easy to use.”
Is “UX” supposed to be “UI”? If not, what is UX?
@Mike Skalnik - User Experience. It all flows together really well.
Yey, just trying out the OpenID form. Seems to work pleasantly. :)
Just trying out the new OpenID form. Seems to work pleasantly. :)
Doesn’t seem to work with my wordpressblog delegating to clickpass…
Works swimmingly, provided you see this post ^_^
I think the only two sites that I use w/ OpenID, on a consistent basis, are Backpack & Ma.gnolia. There are more I probably could use but, at the moment, those are as far as I’ve gotten. When we used Basecamp internally at the office, being able to switch between that and my personal Backpack pretty quickly was a nice perk.
claimID is my provider and I use their service as aggregation for all my social media profiles, mentions, etc. Kills two birds with one stone. Certainly going to checkout clickpass though, looks pretty slick.
I abandoned browser bookmarks once and for all last week, and decided to sign up for del.icio.us or ma.gnolia for the tag-goodness. Surprise, ma.gnolia requires OpenID authentication and that was a real turnoff for me. I wanted to try the service out, but didn’t want to spend the time researching delegation. They lost me to del.icio.us without a fight (and I’m loving it). Basing an entire service’s access on OpenID is a downgrade for me, but I like the possibilities.
Hi Paul,
Thanks for the great review. It’s great to see both that you’ve had such a good experience with Clickpass and of course that you’ve added it to Skribit. Good to have you on board.
Your questions:
1) yes
2) Ma.gnolia, Plaxo, Venteria
3) usually myOpenID.com but I switch providers sometimes
4) Only if at least one of the big companies (Google, Yahoo!, Microsoft,…) will become a relying party (=allowing OpenID logins on all or at least most consumer properties), preferably this year.
Hi Paul- I’ll echo most of the posts here by saying, yes- I’ve tried OpenID before. I also went ahead and hit clickpass today… and yes, it looks nice. I’m not sure about how much actual use I’ll get from it though.
Could you elaborate on your code snippet ‘link rel=’ etc? I’m STILL not sure how the whole OpenID thing works when you want to use your own domain… and that’s something that is certainly lacking (feature- and documentation- wise) on the clickpass site- I just didn’t get enough from the FAQ question about delegation.
Also- a list of all sites that clickpass supports would be killer (or a bigger list- or is “new sites” all of them? hmm)- I’m sure there are lots of sites I’d love to try out that I just don’t know about.
great site, btw!
There’s a lot of power that goes behind using a URL as a form of identity. I also think that it won’t be logically difficult for users to adopt, if the URLs are easy to remember. This is up to the service providers. For example, if johndoe@yahoo.com can be remembered easily, surely johndoe.yahoo.com can be. More thoughts here:
http://socialgraphtheory.com/2008/graph-concepts-you-are-your-url
http://github.com/alx/openid-server/tree/master
I’ve made this openid php server to be put on your webhost if you want to host your own openid server (and not depend on external website).
Configuration is pretty simple, and you can fork the project to add your own code :)
Have fun
OpenID is just passport 2.0. This is exactly what Microsoft was trying to create all those years ago. The only difference is that it is now open. There are however still massive problems. Such as all a spammer needs to do is create their own openID server(s) and they are logged in.
Also, if you run your own OpenID server you will find out how easy it is to spoof being someone else.
@rick: The code snippet Paul posted has to be put in the head section of your website or blog. The first line tells the relying party (=a website that accepts OpenIDs for login) who is your OpenID provider (in this example it’s Clickpass), the second line includes Paul’s username at Clickpass. So Clickpass knows who it should authenticate.
This is called delegation and let’s Paul use paulstamatiou.com as his OpenID; he doesn’t have to use the Clickpass URL. If Paul decides to switch the OpenID provider he just has to change those lines of code and is still able to use paulstamatiou as his OpenID.
What are the benefits of using Clickpass rather than MyOpenID besides the nice button? I don’t really get it, sorry.
Very cool that you support openID on Skribit. How hard/easy was it to integrate that service into the Skribit system?
I ripped accounting out of my hobby app in development and went all OpenID thanks to Clickpass. Although the documentation/tutorial flow is a bit odd at times, I thought their approach and diagrams did a better job of explaining OpenID than I’ve seen before.
http://poetry.heroku.com
I think OpenID will catch on if it gets a widely-used killer app that pushes using that rather than standard redundant accounts. However, this makes me nervous because big companies that make widely used apps have an incentive to become a provider but *not a consumer.* Someone needs to figure out how to turn that around. I don’t see the individual accounts being a big enough problem for the average user to go grass roots any time soon.
I use Clickpass as my provider, primarily. I have at times also used my Yahoo!, LiveJournal and Blogger accounts, but mostly for testing.
Yes, I use it. Mine is through MyOpenID, though, so I was on before this Clickpass thing took off and haven’t really bothered to check it out because I am lazy. ;) I use it for any and all sites that accept it with the exception of anything that uses financial or other personal information. Those I have a separate sign-in for. It definitely reduces the number of passwords I have to save, but I’m still at about 140 new accounts over the past year.
I do use it, but pretty much only because basecamp lets you link accounts that way. :)
I first learned about OpenID from Security Now #95 and have been a fan ever since.
It is fairly easy to implement and I recently implemented it on a personal project I am working on.
Security Now episode: http://www.grc.com/securitynow.htm#95
Thanks for the heads up, Paul. I learned about OpenID a little while ago, and like you and a lot of commenters here, didn’t really see the benefits because of the low adoption on many sites. But I’ve just started using Clickpass as my provider, and it’s making life easier already. Hopefully we’ll see an explosion with OpenID soon, with more sites adopting it.
Hey, I finally signed up for an OpenID and I think I like the idea. I wonder if I can add my blog url, so that other readers have better contact options other than email.
My first comment with OpenID using Clickpass.com
Hey, this is actually awesome. I just added the lines you added to this post to my blog header file (Wordpress blog) and now my URL equals my OpenID thing. Yay!
Ok, so I’ve been playing with openid for the last day, because paul really did inspire me to dig more deeply. I did the redirect deal so I could use my site url for login and I also checked out PhpMyID which allows you to set up your own openID server. While both are technically interesting, I’ve got to say- for the average user, and possibly even some more advanced users, OpenID is still pretty much useless.
It’s one more thing to set up (and the myopenid setup isn’t short). It’s one more thing to go down (yes, clickpass even had downtime yesterday). And it’s just not *enough* benefit for a “normal” user to go out and do it. Not to mention, UX at clickpass is good, but at other sites it just plain SUCKS! I opened a buxfer account using openid yesterday- even though my account was created, I got an error message (ugh). Hit refresh and the message is gone, my new account page shows up (so it wasn’t an error?), but my username (which displays on every page) is the hideous “openid_123975″ *yuck*
I mean, I REALLY like the idea of having some site (facebook/flickr/google/etc) automatically giving you an openid you can use anywhere. I think users will certainly start to do that as more sites incorporate the “log in via facebook/flickr/google” option like Buxfer has. I just don’t see anyone other than us dorks and nerds (and geeks) going out and actively getting an openID and jumping through these hoops.
I think OpenId and Clickpass are good ideas. I personally dont have an account in both because i dont feel like I want to, but maybe in the near future and when my list of usernames and passwords becomes too complex maybe I will.
1) Yes, we embrace OpenID and Identity 2.0
2) Use my OpenID on Plaxo, CNN Political Market, 37 Signals, Google Blogger, AOL’s Ficlets & Propeller, and lots of blogging and discussion group sites.
3) My OpenID provider is myOpenID.com. MyOpenID.com supports SREG, Attribute Exchange, Infocard Integration, SSL Certificate integration, Anti-phishing site verification, CallVerifID phone-based multi-factor authentication, multiple personas, and many other features. Other offerings include solutions for organizations to issue OpenIDs to employees, partners, members, and customers.
4) Is OpenID is absolutely here to stay.
The ability to merge my accounts make this sound more appealing
I like OpenID a lot, (though not so much how Blogger sets itself up as your default provider).
Do you embrace OpenID and Identity 2.0? What sites do you use your OpenID on? Who is your OpenID provider? Is OpenID here to stay?
OK, now to answer those questions:
1. OpenID is great — I love the idea, and how it can be as secure as you decide to make it.
2. I use it on your site, the Fedora Project site, as well as other random sites that accept it.
3. Fedora Project account system is my provider.
4. It’s here to stay.
All I know is that I’m growing tired of opening up Apple’s Keychain to jog my memory when it comes to usernames and passwords. Some get stored in Autofill and some do not. Maybe it means I need to cut back.
On the blogging front, I seem to be noticing a lot of peeved bloggers and commenters who really dislike OpenID, especially when visiting Blogger blogs. Adoption in this area is going to really need a kick if OpenID is really here to stay. When forums start implementing OpenID as another poster hinted at, it will definitely gain some traction.
I like the concept of Open Id but its not going to be big unless big company’s like Google and Micorsoft push for it. They have no incentive involved in doing so. Microsoft uses its livespace id and Google uses its own google id as passport for all its associate. Yahoo is the only company which has been pushing for Open Id concept. I, as a user, would not like to use any company other than bg 3, to handle and authentcate all my ids on the web. The examples that you mentioned do not have that brand image in the web world.
Will be writing some more stuff on Open Id on my blog. Watch for it @
http://seeunforeseen.blogspot.com/
Just testing OpenID
OpenID is the way to go. Extremely simple, works great.
As long as we can host our own OpenID’s this is nice. Forget about the centrally stored OpenID services…
1 hack worth a million… yeah you get the point.
Exactly the same thinking as me :
- scepticism at first
- just adopted it for most sites last week (myvidoop.com)
1. OpenID is great
2. If a site accepts it, then I merge my account with my OpenID
3. MyVidoop.com
4. It’s here to stay and in a few months/years all newly born baby will have one by default.