OpenID, a way to sign on to multiple web sites with a single set of credentials, has incredible promise. Large companies have signed up. Thousands of websites take OpenID sign-ins. All is good, right?
Well, not exactly. First, those big companies only issue IDs; they don’t accept them yet. And the user experience with OpenID is just plain bad. Users have to remember their OpenID URL, and are redirected to a sign-in page. And it’s worse for people who already have an account at a website but want to start using their OpenID instead. Linking those two accounts isn’t easy.
That’s where new startup Clickpass comes in, which launches today. We first heard of them last year at a Y Combinator demo day, but the founders, Peter Nixey and Immad Akhund, weren’t saying much at the time.
They are an OpenID issuer first. But they are also trying to make using OpenID much simpler for the user. First, they are partnering with sites like Plaxo, GetSatisfaction, Pownce and many of the Y Combinator startups. Those sites will show the Clickpass button, and users can sign in via OpenID with a single click (and they don’t need to remember their OpenID URL). If it’s your first time with OpenID, Clickpass will ask you if you have an existing account at the service you are trying to log into, and pass that information back to the site to join the accounts.
As you add sites to your Clickpass OpenID, you’ll see them listed on the Clickpass site. You are given a distinct OpenID URL for each site that you can use to manage multiple identities, all tied together on Clickpass. And if you choose to fill out profile information on Clickpass, they’ll autofill that information on new sites you join. Clickpass also provides privacy controls by letting you choose what kind of information you want to share with the site. Conceivably the service could serve as a node for your personal data, connecting it between different website accounts.
In short, Clickpass takes the technical transparency and openness of OpenID and adds a layer of simplicity and familiarity.
Vidoop is approaching OpenID in a similar way, and PassPack is a non-OpenID solution. For launch they’ll be active on Hacker News, Plaxo, Disqus, and through a WordPress plugin.
The user experience is clean. After you sign in to Clickpass, you can sign in to any OpenID-enabled site with a single click of their button.
If you don’t want to use Clickpass as your ID provider, you can link it to any other OpenID provider, but it would really defeat the purpose. If the site has OpenID but not Clickpass, you can still sign in using their Firefox plugin or OpenID URL from Clickpass.
Naturally some concerns arise with any centralized login system. Doesn’t this mean a thief only has to steal one password, your Clickpass password? Co-founder Peter Nixey says we already have this problem, though. Most services will forward forgotten passwords to your email account, making Yahoo, Hotmail, or Gmail (especially now) the Achilles heel.
As for the more probable phishing attacks, Clickpass plans to implement unique visual or textual cues (photos or quotes) to let you know if you’ve been had. But overall, Clickpass doesn’t aim to start protecting your bank account, but rather that plethora of useful services that provide a great deal of personal utility, but little value to hackers (logging in to my news.yc account can’t do much damage).
It’s clear that OpenID really needs a system like this to gain widespread adoption. That’s probably one of the reasons OpenID’s chair, Scott Kveton, joined Clickpass’ board. It’s also clear that the web needs something like Clickpass too.








Great offerings; users do need to keep track of their multiple openids for easy sso.
Any comment from the OpenID people?
Never mind, didn’t read that last sentence.
A correction:
Google has been accepting OpenID at blogger for a while now, and DOESN’T issue them. I’m not sure if Google counts as a big company, though… last I heard they were building data centers in the middle-of-nowhere Oklahoma.
Way to go Peter, clickpass is doing awesome things with the usability of OpenID. It’s exactly the kind of thing OpenID needs to gain mass adoption with users.
And if your open Id is hacked you are Jasoned.
http://tekno-world.blogspot.com
I’ve had an OpenID account for a couple of months, but I rarely get a chance to use it. When I do, the interface is a bit of an obstacle. I think clickpass is definitely a step in the right direction.
What’s also needed by the web is an effective and efficient way to let openid consumers (ie., sites) to deny access to a banned/blacklisted openid to their site.
Yahoo’s a provider of OpenID as well. Good luck to these guys, they’re gonna need it.
Also, OpenID has a ton of security issues. I wouldn’t trust it for anything important (email, facebook etc). For throwaway accounts, it’s perfect. But even then, you’re being tracked by these guys and they’re collecting your usage.
Consumers should beware of any centralized solution that they do not fully control themselves.
It would be great to see TechCrunch support ClickPass OpenID authentication — while the pseudonymous commenting can occasionally be amusing, when you can tie verified URLs back to an identity, you can build up a better ambient sense of reputability over time.
For example, if you were using the wp-openid plugin for WordPress right now, no one else could use factoryjoe.com as their URL because it is my OpenID, and you’d have to be able to prove that you can login against it to leave a comment with that URL. Since I am the only person who *can* login against factoryjoe.com, you could be pretty sure that I am who I claim to be, or at least come from where I say I do.
In terms of ClickPass, they’re simplifying what to date has been a pretty geeky experience. People still tend to think of themselves as email addresses or MySpace accounts, not as URLs (that is, if people do identify themselves in some way digitally). ClickPass is concealing some of that complexity in a pretty innovative and usable way, and I think this really raises the bar (finally) for what a good distributed single sign-on system flow should look like.
I would like to clarify one thing you said: “Naturally some concerns arise with any centralized login system.” I think in this context you mean centralized to the person, not centralized as a system, like Passport was before. The difference is as Peter describes: today people use email addresses to activate accounts, to receive password reset messages and so on… but you can have an email address anywhere — you don’t have to get one from a single provider. The same is true with OpenID: you can use any identity provider you like and don’t have to go to *only* Microsoft to get a Passport (or what they’re now calling Windows Live ID).
This situation, again as Peter describes, is no worse than what’s done today, and in fact at the protocol level is more secure, since all authentication transactions happen over HTTPS, whereas in email, plenty of traffic travels over HTTP and SMTP.
In any case, OpenID has a long way to go, but this is a great step in the right direction.
@4
Google presumably has been an openid provider since January — see this.
go clickpass. no more getting locked out of sites raaah!
Regarding the “Doesn’t this mean a thief only has to steal one password?” question, there was an announcement a couple of weeks ago from a company named TrustBearer. They are linking strong authentication devices like smart cards and biometric readers to OpenID to provide an additional layer of security. Theoretically, if you don’t have the card (or finger, etc.) you can’t get in. I understand that there are some folks already using TrustBearer with cell phones (tied to the SIM card).
http://openid.trustbearer.com
The way to go!
yeah i found out about these guys on younoodle a while back.
not sure there’s an opportunity in this space as it’s so hard to crack, but i’m glad someone’s trying to do a better job than OpenID.
This is awesome. It’s going to save me so much time and hassle. I’m sick of having to keep track of all my different web accounts.
If Microsoft’s CardSpace supported an OpenID URI then we would be in a much better position. Oh, and those Cardspaces could be backed up somewhere.
“What’s also needed by the web is an effective and efficient way to let openid consumers (ie., sites) to deny access to a banned/blacklisted openid to their site.”
Blacklists are useless, because a spammer can easily create millions of valid OpenIDs. Much more useful is whitelisting - permitting known, trusted OpenIDs to avoid comment moderation for example (and then sharing that whitelist with other sites).
And Plaxo has just gone live with our support of Clickpass. Here’s Joseph Smarr’s blogpost announcing it: http://blog.plaxo.com/archives.....suppo.html
Great to see the building blocks for the open Social Web coming together so quickly!
Even as a developer, I have always found openid confusing and rarely use it. Somehow I ended up creating multiple openids because I couldn’t get a previously working id to work 6 months later, totally defeats the purpose of openid. Plus the concept of having 1 id instead of 1 id per site makes a lot of sense conceptually, the implementation of openid has failed miserably. I tried clickpass and while it seems to be more user-friendly, it is still a struggle for me (as a user) to piece it all together. I think this is going to be a huge stumbling block for your average user to adopt en masse.
Hum. Those masses are those connected masses, right? Staying connected to the world outside Africa will remain key for the development of Africa. But it is not as easy as we expect. Yes, mobile phones are growing at a rate that shows that Africa uses technology in new and innovative ways – just give us a chance and we’ll show you the business opportunity. But why are we still so disconnected on the broader ICT wave swamping the world? We will only fall further behind if we don’t address this sooner rather than later. No more time to waste. More on this in my blog at http://angryafrican.wordpress......in-africa/
I’m eager to try out clickpass - I anticipate it impacting my web based life/interactions significantly. It’ll be great to have it all there at one click.
I haven’t tried ClickPass yet, so my opinion might change, but out of the gate, generating a different ID for every site defeats one of the main advantages of OpenID, IMO. Many web applications could save users tons of time re-finding their “friends” or contacts if users use the same OpenID on different sites. It’s like having to have a different credit card for each store you go in. Yes, it’s good to have two or three cards in case one is compromised or lost, but the whole point of OpenID is to have a small number that you re-use.
*Finally* someone has produced a credible way of implementing OpenID that is simple and straight-forward. This is revolutionary, and I wish them all the very best.
“Doesn’t this mean a thief only has to steal one password?”
Only if you log in with a password. I log in to my OpenID provider with a client-side SSL certificate.
I’ve been using Clickpass for a few weeks now.
One of the things I find most interesting about it is, since you can use a different OpenID for each site you connect, you can keep track of accounts on a bunch of sites, but make your identity opaque to each one. Most OpenID providers are much more transparent about who you are.
>Blacklists are useless, because a spammer can easily create millions of valid OpenIDs.
Whitelists are even more challenging.. but either way, it’s a problem going forward..
This is great - finally only one password to remember! We need more sites to take part. Good luck!
@Chris (#9), Perhaps you missed the MS acquisition of Credentica that occurred last week? The U-Prove technology has certain features I would like to see integrated into OpenID.
Care to comment?
Just in case: http://www.credentica.com/unique_features.html
I am convinced this is the way social networking will go as more and more niche sites develop to meet specific needs; their progress could in fact be hampered without an easy way to remember and use your login, or without a place to keep details of all the sites you use. I think ClickPass solves both problems and I look forward to putting it to test as a user. We’ll then be keeping a keen eye on it to see if adoption gets such that we need to put it in our own site.
Ian Hendry
WeCanDo.BIZ
http://www.wecando.biz
@10
… just that Google doesn’t accept third-party openid authentication. So it’s kinda useless!
This launch is a big deal for the OpenID movement, as evidenced by the involvement of Scott Kveton. This is the product that is going to finally push OpenID into the mainstream.
The key is that they solve the ‘identity and login’ problem for ordinary non-geeks. Their competition has made some valiant efforts, and good for them, but Clickpass is easy and they aren’t. I couldn’t point most people I know at the Vidoop screencast and say, ‘just do that’.
The Clickpass team are my friends, and I can say they’re the right people to do this. They’ve gotten it right and the web will be better for it.
Like it! In one fell swoop it transforms OpenID to the slick, easy experience the underlying technology was created to power.
I only hope that more sites see the benefits and sign up. Are they as visionary as Peter?
Part of OpenID is proving you are who you say you are — eg, if TechCrunch’s comments were OpenID enabled, I could prove I own a certain URL (and thus my identity).
Clickpass seems to generate a unique, “private” URL for each site for a user, which is cool and allows users to be a little more opaque registering for sites, but it doesn’t seem to be too useful with the I-Am-Who-I-Say-I-Am bit. Owning a public Clickpass OpenID URL doesn’t prove too much.
But, for easy one-click sign-up / login to a website, it seems very useful.
Why would Scott Kveton, who works for Vidoop, be involved in his company’s competitor? Vidoop aims to make money from OpenID (and who could blame them), and I would assume Clickpass does too. I understand that Vidoop is a big proponent of OpenID in general, but this just seems strange to me.
There was a great panel about this at SXSW, which blogged pretty extensively: http://drstarcat.com
@Joe Cascio (#22): It’s an either-or with ClickPass. You can choose to use a specific URL as the identity URL you’re logging in with, or you use a disassociated URL to obscure your identity. This is what Yahoo is doing; as long as you prove that you control a URL to the same relying party, you’re leveraging identity.
@Stacie: okay, thanks. What does that have to do with?
@Marco (#29): Blogger accepts third-party OpenIDs. Google doesn’t anywhere else, but it’s not true that they don’t across the board.
Awesome to see more cool stuff happening with OpenID and web identity. However, two things occur to me right away:
(1) First step for users: the clickpass.com registration form. I thought the idea was to have *less* logins? If I have to create yet another account, I’d probably just back up and do it for the site I started at.
(2) First step for site owners: install an OpenID library. That’s a pretty big deal, and it quickly gets much more complicated; you also have to alter your user database and add code to distinguish between OpenID and password users.
Of course, this isn’t exactly a disinterested critique: for you site owners out there who want to support OpenID *and* the other IDs folks already have like Facebook and Yahoo, check out http://www.prefpass.com (similar name, great minds think alike and all that…).
PrefPass solves both the above issues:
(1) First step for users: click on a familiar icon like Facebook, Yahoo or AIM. Then sign in at your ID provider (OpenID or not) and bounce back all registered and ready to go. No sidetracking users to prefpass.com!
(2) First step for site owners: fill in a few forms and paste some code snippets on your registration and login pages. No libraries and no database or code work.
Even better for site owners, there’s also no worries about security or stale IDs: since PrefPass creates a *normal login* for users behind the scenes, there’s no confusion between accounts, no lock-in, and no problems when users decide they don’t like the ID they used to register.
Oh, and by the way, we also have a WordPress plugin
http://about.prefpass.com/site.....ess-plugin
@Chris (#35), It has to do with the fact that a relying party (or parties) in collusion with the issuing party could compromise one’s privacy and security. The U-Prove technology, as I understand it, allows one to keep reliance on this 3rd party to a minimum.
Currently with OpenID, no matter whom I choose (Google, Yahoo, Verisign, ClaimID, myopenid, etc.) to use as my issuer, they (the issuer) retain knowledge of every site I visit, how often I visit, when I visit etc.
One of my goals is to minimize the information about me that is collected by 3rd parties that do not “need to know”. I was hoping you could tell me how/if that is addressed by OpenID.
As each “big” player jumps in to the OpenID field, they attempt to brand it, each spawning an open id login button. This gives an uneducated user the impression that each of these OpenId providers have their own version of OpenID. In reality of course, OpenID is one login method supported by different providers.
This button spawn business will hurt the adoption of OpenID in the mainstream, as it will become confusing to most. The better adaption method by service providers would be to use one open id login field, with explanatory text highlighting that openids from Yahoo, myopenid, Clickpass, and many more can be used.
@michael a: How’s about rolling out open id support on TechCrunch?
My first reaction to visiting the Clickpass site? Why can’t I register with my OpenID?
Excellent work by the clickpass guyz… I gave it a shot, and was surprised at how much easier it is to use OpenID with clickpass. I will soon use Clickpass developer-kit for one of my openID enabled sites that I developed.
I’m impressed by such good publicity. Congratulations to Immad and his associate.
“Nobody should own this. Nobody’s planning on making any money from this. ” –Brad Fitzpatrick (before he’d heard of Clickpass..)
It’s great that Clickpass is simplifying openid for people. However, commercial success will depend on widespread adoption (both by end-users and ‘relying agents’).. and explaining the merits of openid over Microsoft Passport Live! to Joe Bloggs sounds like a tough gig.
It’s especially tough to convince potential relying agents when the basis for access is so sketchy. All I can prove with an openid is that I can provide an URL. There’s also the danger others have mentioned above; that other Clickpass-esque groups will pop up and the openid space will become a confusing mishmash of competing E-Z-Authenticators.
I’m one of the founders of Clickpass and it’s great to hear so much positive feedback - thank you.
@Joe (#41): we put the option to authenticate at Clickpass using a foreign OpenID into early versions but when we were testing the usability of it even Simon Willison got lost (although he does have a particularly complicated OpenID setup). Since our goal was ease-of-use, we decided it just added too much complexity.
@fernando (#39): we’ve thought about the button-proliferation issue a lot, which was why we baked support for the other OpenID providers into Clickpass (the drop-down menu next to our button). It’s hard to know whether they’ll become more confusing but good analytics should help site owners decide the best route.
@AW (#33): The first problem we wanted to solve was single-sign-on. We felt that that was the most compelling feature of OpenID. As Chris pointed out though, someone can choose to use either a Clickpass anonymous OpenID or their own - it’s entirely up to them.
Everything we’ve done has been to try and make things easy. There are always going to be ways we can improve though so please keep the feedback coming over at the site. We’re always trying to make login and sign-up simpler and more secure.
Anyone have info on how well these services play with COPPA? My guess is not at all since none of these services really deal with trust — which is essential to determining real identity. Is there such a thing as a COPPA-friendly SSO?
CG
I don’t understand how this will be a successful company… everything is free and open source, how do they make money? There is no advertising on the website, the source is free for other websites, and creating an account is free… this company is gonna fail very quickly without any revenue, making it useless to create an account with.
Clickpass is one of many online password managers. The one I use is http://www.mashedlife.com. This site doesn’t solely focus on OpenID, but instead just lets users create accounts for log ins. This helps their users manage all of their log ins. You can store OpenID accounts along with other accounts on their site, making it a very versatile tool. This allows users to browse all of their websites from a central location, whether they are OpenID or not, does not matter.
Not one consumer (pay) site would use this service. Good luck trying to make a profit with this.