Is OpenID Being Exploited By The Big Internet Companies?
by Michael Arrington on March 24, 2008

OpenID, a distributed single sign-on solution that allows people to sign into different services with the same login credentials, gained significant momentum over the last year as Google, Microsoft, Yahoo and AOL all pledged their support for the initiative.

There are two ways companies/websites can participate in the OpenID framework – as “Issuing parties” or as “Relying parties.” Issuing parties make their user accounts OpenID compatible. Relying parties are websites that allow users to sign into their sites with credentials from Issuing parties. Of course, sites can also be both. In fact, if they aren’t both it can be confusing and isn’t a good user experience.

The problem, though, is that the Big Four Internet companies that I mentioned above have made big press announcements about their support for OpenID, but haven’t done enough to actually implement it. Microsoft has done absolutely nothing, even though Bill Gates announced their support over a year ago. Google has limited its support to Blogger, where it is both an Issuing and Relying party. Yahoo and AOL are Issuing parties only.

This isn’t just toe dipping in the OpenID pool to see how things go before jumping in. Putting my conspiracy theory hat on, it looks to me like these companies want all the positive press that comes from adopting this open standard, but none of the downside. By becoming Issuing parties, AOL and Yahoo hope to see their users logging in all over the Internet with those credentials. But they don’t accept IDs from anywhere else, so anyone that uses their services has to create new credentials with them. It’s all gain, no pain.

I spoke to Bill Washburn (the Executive Director of OpenID and only paid employee) and David Recordon (Vice Chair of OpenID) today about the hesitation of the big guys to fully implement OpenID. Both were careful not to criticize, noting that the support of these companies has been an important driver of OpenID awareness. But both also said that they would really like to see full implementation happen sooner rather than later.

Recordon says that at least 11,000 sites now take OpenID credentials for sign-on (see image to right). Among them are some large services like 37Signals and LiveJournal. And the open source community has been great about building OpenID support into their software, Recordon says, so that others building on that software can launch Relying party services. Among the projects that support it are Drupal, Movable Type, WordPress.org, Ruby on Rails and MediaWiki. But all of those services put together have nowhere near the user footprint of any of the Big Four.

I’ll say what the OpenID Foundation cannot, for political reasons – it’s time for these companies to do what’s right for the users and fully adopt OpenID as Relying parties. That doesn’t fit in with their strategy of owning the identity of as many Internet users as possible, but it certainly fits in with the Internet’s very serious need for an open, distributed and secure single log-in system (OpenID is all three).

If and when the Big Four become relying parties, the floodgates will truly open and there will be no looking back. And until they do that, I’m not buying that they really support what OpenID is trying to accomplish.

By the way, Chris Messina has done an excellent job of monitoring these and other companies that have promised OpenID support but are yet to implement it. Keep pressuring them, Chris.


Responses


  • It’s just a matter of time before a single sign on solution for the internet will exist. We always converge to what is right for the internet, in my opinion.

  • Exploited for users or for page views by issuing parties? It could be that its just not a high priority.

  • It’s a joke that some of these big firms are merely paying lip service to OpenID. I joined a social-networking/open-messaging start-up recently, and within a couple of days of being there I managed to implement OpenID (as a relying party only) into the site. It’s not complex to implement this technology into existing sites.

    Now I know it’s not fair to compare the execution speed of start-ups to large enterprises, but as you mentioned in the article, some of these companies announced support for it over a year ago, and they still haven’t got round to doing anything about it. Companies in this industry with that sort of reaction speed to implementing new technologies are the ones that can expect to fall behind.

  • certainly it is being exploited.

  • I couldn’t agree with you more on this and I’m glad that you spoke up and really raised the issue.

    There shouldn’t be any option for adopters to be just “Issuing” or “Relying.” You are right on that the big guys to date (though Blogger is the exception) are doing only what benefits them so far.

    My thought is that any service that wants to adopt OpenID needs to be both “Issuing” and “Relying.”

  • Big companies will NEVER become relying parties for exactly the reason stated in the article…control over identity. There is too much money to be made in owning those identities and too much risk (technical and cost) to bear by trusting another service. In the end the consumer loses when it comes to the “big 4”.

    On the other hand if there are a small number (<10) of issuing parties to satisfy the 100’s of millions of users, then that’s probably ok. One entity cannot handle all that traffic and it gives the end user a certain amount of choice.

  • A single sign on solution will exist, although I bet it won’t be OpenID but GoogleID…

  • to Chris R: you’re right, of course, a single sign-on model will prevail.

    The problem today, though, is that each of Mike’s big four are plotting ways to become the de-facto issuing party provider at the expense of the other three, while refusing to play relying partner with anyone else.

    They certainly get the “ID” part. The “Open” part? Not so much…

  • The big companies will have the more impact by issuing OpenIDs than they will by accepting them. Yes it would be nice if they were relying parties as well, but they already have a user base of millions of members and the more someone like Yahoo! pushes their OpenID service, the more smaller companies will support OpenID as relying parties.

  • I don’t really think they’re exploiting it. OpenID is something too geeky to bring them significant traffic from the press unless they finally have implemented it.

    Their PR teams can manufacture way more exciting things to bring them traffic. If anything OpenID has been benefited when they pledged to do so.

    Also, if its hard for a smaller company to prioritize adding OpenID support and eventually replacing their login system, imagine doing so for companies with millions and millions of user data across many servers.

    This will certainly be good for everyone, maybe they got a little press, but nothing significant.

    They should certainly become Open ID issuers, this is what will bring it all the way in.

  • Basically I agree with you, Mike.

    AOL didn’t really make much fuss about being an OpenID provider. It is not promoted in any way actually. Though AOL is actually whitelisting providers (dev.aol.com/node/578), so logins from other providers are allowed. This is a good step in the right direction, if AOL just promoted it.

    Microsoft’s emphasis seems to be on linking its own CardSpace with OpenID. I could be wrong, though.

    I am not sure about Yahoo! and Google. Though I am positive that at least Yahoo! will become a relying party as well. I can’t prove that, though. Just guesswork.

  • Michael,

    If you had gone to SXSW and sat in on the OpenID talk, you would know that OpenID isn’t so much about providing a single sign-on as it is providing frameworks for single sign-on within networks. In fact, a universal single-sign-on could be an incredibly bad idea.

    Yahoo! uses OpenID within their cloud of sites. Google probably has far too many systems to make it scale properly and they are most likely incompatible with OpenID’s architecture. AOL? Except for AIM, who cares?

    I’m not sure what you’re doing except stirring the pot for no reason. Single sign on for its own sake is nothing but trouble. If there is a compelling reason for cross-company OpenID, they will build it out and it’ll get used. Otherwise, Yahoo! uses it to keep their own properties under control, Google does whatever it does and seems to work OK, etc.

    Personally, I’m happy with separate identities. It’s a lot more important to keep some identities safe than others, and to be honest single-sign-on just scares the hell out of me. Unless we go like Estonia and link it to a physical token, it’s just useless.

    You’re right. It’s just a conspiracy theory. A for Effort though.

    Why don’t we talk about Facebook’s disappearing contact export feature and how they deny it ever existed?

  • I expected this, and have maintained heavy skepticism from the start. Inherently OpenID (and its nerdy cousins OAuth and Chris Saad’s whole portable data movement) signals the end of the “big four” in that they all rely on making us consumers dependent on them by locking our data in their respective proprietary formats never EVER to be returned. For all the talk about “openness” given the opportunity they all balk and revert back to Web 1.0.

    They can slow open portable user data, they can go to court and sue Chris Saad into the stone age, but there is no stopping it.

  • Michael Arrington:
    Did you contact any of the Big Four Internet Companies for comment before publishing this story?

  • Remind me again, why the *Crunch empire *still* doesn’t accept OpenId login for comments?

    And that’s after countless articles discussing how it’s catching on or not…

    Shame on you!

  • Yes, indeed, one big group hug, very similar to the facebook support of opensocial, which is likely all touch and no feel, at least until some serious pressure arises.

    Oh, and to number 15, you see, TC does not require login to post comments, good move actually, that’s why some of their posts have 100+ comments. So implementing an openid way to login when you don’t have to login, well, is just stupid? Now, when/if TC does require logins, then by all means I hope they support OpenID.

  • single sign on, not only for web sites and the internet, but for your taxes, driver’s license, banking, spending, passport, real id, everything… just wave your hand in front of the scanner

    sooner or later

  • What benefit does OpenID offer to companies other than its apparent PR value? I understand it makes things easier for the end user, but is there any other benefit to sites who adopt it? Are there drawbacks?

  • These Big Boys are just Bad Boys.. They don’t really like openID. They want all internet users for themselves..

  • Well, I like the OpenID idea but I don’t see any good for it (yet) when you have a lot of issuers. It seems like nothing but an account to register which site you’ve visited etc.

    OpenID is just supposed to make login to other websites easy without signing up, etc. But with so many issuers and so many websites to go to, OpenID is more like having an email address and registering at each site again.

    It would be better if OpenID had only one issuer and everyone just login, and authenticate website on it.

    But hey, let’s see…

    http://www.givemebeats.com

  • well..

    the big companies are looking at the leads by small innovative firms ..

    and will follow.. classic case..

    they will follow once the threshold has crossed.. they won’t until feel the need to.

    so let the small innovative sites of techcrunch kind of clout enthusiastically dip into it.. big chickens shall follow in due time… methinks.

  • The thing I fear more than these companies not adopting openID is these companies deploying non-standard openID implementations. I already heard some people mention compatibility problems with Yahoo’s IDs and some openID library (PHP was it?). In that case the library maintainers had to make compromises to work with Yahoo’s IDs. If the same happens with other ID providers it will be a pain to maintain and negates the point of open standards.

    On my blog, anonymous user’s comments are moderated before publishing. OpenID users are able to comment without moderator’s approval. Just my way of promoting OpenID.

  • Takes a little longer… but will be better — when they figure out how to ban some particular openids :-)

  • These companies hope to benefit by taking advantage of their customers. How long does any business last that does that?

  • It’s factually inaccurate to say that “Microsoft has done absolutely nothing” with OpenID. But I guess since they’re terrible awful Microsoft, nobody cares about getting the story about them straight.

  • the one thing that makes any sort of single sign-on a challenge for banning individuals, etc, is that anyone can still just create a new ID with a new email address — correct? I wonder at which point it is going to become more necessary to use your real name & real ID to interact on the internet (not just transact).

  • Now open ID is not open as it meant to be. Big internet players don’t allow IDs from other open ID provider. Finally we end up with multiple open IDs.

    Then we need a service with ties all my open IDs. Call it single open ID;)

  • Hell ya they should be both issuing and relying if they wanna adopt openID..
    Thanks for bringing this up….

  • Michael,

    I used to toe the same line you’re pulling here, but having gotten into identity a little deeper, I think it’s an over-simplification. The big four serve the community best by being Identity Providers. We all already have an account with them and they have the infrastructures capable of handling large volumes of authentication requests. What it can do is offload the burden of an authentication infrastructure from a smaller company.

    It’s also inaccurate to claim that they benefit greatly from this as well, or more appropriately SHOULD benefit. If architected properly (and we’re working to make sure it will be), the Identity Provider will be ONLY the authenticator. The real value holders are the companies that OWN/STORE my “thicker” personal data, like governments (age, nationality), content providers (my music and film preferences), and specialized claim holders (medical records, financial info).

    The real goal will be to ensure that Identity Providers don’t try to become your only Claim Holder. Not only does this aggregate too much power in one company’s hands, it aggregates too much risk of personal exposure in one data center.

    I blogged the SXSW OpenID session here in case anyone is interested: http://drstarca...com/archives/24

  • Good call, Michael. The OpenID implementations that I have tried (Yahoo and fsdaily.com) were frustrating, to say the least. While there are compelling reasons to use OpenID, if the user experience is rough or introduces new headaches, it will never live up to its promise.

    As for Microsoft, I can’t help but wonder if the botched Passport project is responsible for some hesitation on its part?

  • I just fear that it’ll be another dotcom buzzphrase like “wisdom of the crowds” and “cloud computing”. OpenID is powerful if used properly. Hopefully the big boys see that.

  • Hi Mike,

    Having watched this space pretty closely during the development of Clickpass, the announcements of the big four did make a huge difference to the validity of the protocol.

    It is, as you say much easier for a large organisation to become a provider than a consumer. In the current climate it’s also easy for them to get an equivalent PR win from something that is little more than lipservice.

    Whilst it would of course be much better to see full relying-party support it’s not worth underestimating the impact that even the current announcements have made.

  • No question about it…It’s really turning into another control mechanism (from Matrix :-) ) for big companies to expand their dominion over small players.

    Really, all of us need to put more heat on these big openid providers to start becoming relying parties.

  • It’s not surprising that the big companies are slow to adopt the protocol, but it likely has nothing to do with a conspiracy. At software companies with good processes in place fairly low level people are actually allocating development resources. If you as a product manager for gmail for instance have a finite number of resources at your disposal and 20 new features you want to build, how high do you rank OpenID integration? Its marginal benefit to your product is almost zero since you already have a good authentication system in place. OpenID needs to cross a tipping point, and that is a ways off.

  • This is just like how companies such as facebook can get good publicity for joining dataportability.org BUT have little intentions of changing their “walled garden” approach.

  • I too would love to see a more centralized login system for something like OpenID. It’s almost confusing for an average user to be told they can sign up for OpenID from 4-5 different sites, all of which can issue different credentials, then login to a relying site using any of those codes.

    I thought the point of OpenID was to create a single, multi-platform, multi-site login capable of verifying who they were, then attaching the data based on the accepted login.

    Maybe OpenID should be less of a standard and more of a server farm utilizing an API system that the big companies can check against with integrated signup from OpenID if a user wants it instead of the proprietary login.

  • Let me say first that unripped.com has been an OpenID consumer from the start. ;p

    All OpenID providers should give some sense of customization and *ownership* to the OpenID endpoints; none of the big players do this. Anyone who issues OpenIDs should also accept OpenIDs. Anyone who issues OpenIDs should come up with a method to make those URLs permanent (public trust, non-profit entity, technical tricks, something). And any OpenID provider should support delegation along with the rest of the spec.

    When we issue an OpenID (unripped.com/yourusername) we delegate that to our OpenID server at unripped.org; the idea is to turn unripped.org into a community asset that is trusted and permanent. We will soon support allowing delegation from your unripped.com OpenID for the day when Google, Microsoft and Yahoo! deliver trusted OpenID services.

    This is experimental software (be warned!) and we need a fresh new OpenID server in place before we even meet all the demands I listed above.

    The idea needs to get out there and gain support from the large providers. Let’s see what happens.

  • Trevor Plantagenet - March 24th, 2008 at 11:01 am PDT

    Any idea that calls for voluntary sharing of users by the companies whose valuations are built on this is doomed to fail. It’s much more likely that we see a GoogleID versus Microsoft Passport war (after Yahoo is absorbed) – Microsoft was on the right track with this before they overplayed their hand with Hailstorm. The loser will then embrace OpenId, but only after balkanizing the effort (i.e. taking over the governing body), giving it a second wind. And, in response to the first poster, that is how we “converge to what is right for the internet”.

  • If I was in the big four I’d be playing it the same way, it makes complete sense from that perspective. OpenID issuance should be done from some independent party – not the big four and not any joe bob or jim. Something more like ICANN. It needs to be neutral and not associated with any single provider. As it is there’s too much possibility that some given provider will have the lion’s share of IDs and that’s not good for anyone. Don’t want to be painted into a corner.

  • OpenID means ‘ownership’ of private information about users. It also means that technologies, as well as architectural solutions built on different technologies for internet applications, need to be ‘somehow integrated’, i.e. cross-platform applications’ support/software needs to be developed.
    From a privacy perspective – I have doubts that companies would like to give up information to third parties (openid owners) from the business and legal side.
    From the data integration and architecture side of integrating applications – I doubt that it will be well served from a performance and accuracy standpoint.
    From the cross-platform side – it is complete buzz, as XMLA was in 1999…
    From a user perspective, I won’t have a need to login once to access all parts of my business that is on the internet, from a security and fraud perspective and from the way I am ‘thinking’ to use certain companies or sites long term, short term or as a one time deal.

  • I don’t agree with the premise that “large” companies gain by not participating as relying parties. AOL supports 3rd party OpenIDs (albeit there is a lot more AOL could do). For any ad supported site, becoming an OpenID Relying Party increases viewership so is a win for the site, not a loss. More thoughts on why the slow adoption amongst “large” companies on my blog.

    http://practica...ing-openid.html

  • OpenID is just a part of the overall plan. I agree that one of these companies wants to own it and I want them to figure it out soon. I posted about this yesterday and wonder when it will happen, not if.

    http://www.mich...ized-marketing/

  • it will happen for instant messaging long before it happens for openID – people unfortunately just don’t get it – i’m talking about your readers or tech audience folks, i’m talking about the other 99.999 percent of the world…

  • This is similar to my own observations – I’ve been looking at OpenID for a client, and as I survey the OpenID landscape it’s become apparent very quickly that there’s lots of identity providers, but not a lot of relying parties. Any of the big players seem to be staying out of that space, with the exception of the blog platforms and open source CMS systems. Examples: AOL – only Propeller seems to have OpenID as a login option. Yahoo! – haven’t found an OpenID login yet. All of the focus right now seems to be on getting people to get an OpenID.

    I think any discussion of how to evangelize OpenID to the general public also requires the foundation to clearly articulate the value of being a relying party, otherwise it risks stalled growth when users finally decide to get an OpenID, but have nowhere to use it. JanRain claims 8,000 relying parties (and David Recordon claims 11,000 above), but I’ve seen little justification for that number; OpenIDDirectory.com lists about 530 or so OpenID-related sites, and 60 or so of them are identity providers. Demonstrating value to potential relying parties also requires showing, in no uncertain terms, just how many people already use it.

    To overcome this problem, there has to be real value for a service provider to become an OpenID relying party. These benefits might include (warning: businesspeak ahead):

    1) Expedited customer acquisition: OpenID allows users to quickly and easily complete the account creation process by eliminating entry of commonly requested fields (email address, sex, birthdate), thus reducing the friction to adopt a new service. In addition, the continued ability to access this data each time the user logs in offers the additional benefit of maintaining an up-to-date picture on the user.

    2) Reduced user account management costs: The primary cost for most IT organizations is resetting forgotten authentication credentials. By reducing the number of credentials, a user is less likely to forget their credentials. By outsourcing the authentication process to a third-party, the relying party can avoid those costs entirely.

    3) “Thought leadership”: There is an inherent marketing value for an organization to associate itself with activities that promote it as a thought leader. It provides an organization with the means to distinguish itself from its competitors. This is your chance to outpace your competitors.

    4) Your competitors are already doing it: Whoops! So you missed out on number 3, so you have to do it, otherwise you’re falling behind the times. Ketchup!

    5) Access to user data you don’t already have: The real value for a relying party is not in authentication, but in being able to quickly and easily extract additional information about the user to enable them to better serve the user, right from the very first interaction.

    6) Simplified user experience: Logical follow on from 1 & 2. However, it’s at the end of the list because that’s not the business priority. The business priority is the benefit that results from a simplified user experience, not the simplified user experience itself.

    The key sticking point, of course, is #5. No identity provider wants to undermine its own business by giving away all the data they’ve carefully gathered on the user. Does beg the interesting question if you’ll see OpenID become a tiered service – one where a relying party can pay the identity provider to access additional data on the user.

  • Almost a year has passed since I made this claim:

    http://jyte.com...relying-parties

    It’s still all hype and little progress, which is not surprising, given the incentives inherent in the architecture of OpenID.

  • Being a Relying Party is not a simple matter, especially for the big 4 for whom a separate ID/username for each user is a cornerstone of their services.

    The Yahoo model lets the users associate a Yahoo!ID with several email addresses. However, login must still be done with the Yahoo!ID.

    The Google model is quite confusing, by allowing both GoogleID and email addresses to have their own Google accounts. Lately, Google has forced email-address accounts to create their own GoogleIDs, but Google has also allowed GoogleIDs to “manage” email-addresses. However, the problem gets worse when email addresses are managed by Google Apps for Domains. I do not believe that Google has thought this “clash of IDs” problem through yet completely.

    The LinkedIn model is perhaps the simplest in that login is OK for different email-addresses. However, the LinkedIn service is much less comprehensive than those of the big 4.

    Consequently, the big 4 being Issuing Parties is a good step. Don’t know if they can do much more.

  • Mike,

    Being a lawyer, you should know this. :) The legal departments of the big four will have a very hard time signing off on accepting the liabilities that are associated with becoming an OpenID relying party.

    What does OpenID provide for a relying party, in terms of assertions that another party’s authentication of a user is “trustworthy” and therefore should be allowed in? If there is no mechanism for Yahoo to trust the fact that Google’s authentication of this user is trustworthy, why would Yahoo want to accept the login authenticated with a Google OpenID? Who is liable in this case?

    OpenID has all the technical details worked out in terms of how to exchange authentication information and credential information. But OpenID has no technology that conveys trust. And trust is not something that can be done technically. It’s a business agreement.

    I think that’s why most of the relying parties that accept openIDs are web 2.0 ‘toy’ web sites. Try to find a relying party that offers a mission critical application, like online banking.

    Until the trust issue is resolved, it will be slow going.

  • Good point, openid also means you only need to crack one password – and bingo, you get the whole enchilada!

  • and where do I enter my openID to comment here on TC? :)

  • Right now many people use the same email when they sign up for new accounts, and most sites reset passwords and other account info via email… so if I hack your one email password I can do a fair amount of damage.

    With OpenID everything is controlled in one place and so if for some reason an account was compromised all access can be shut off from one area as opposed to going to every site I had an account on to reset my details.

    Also many OpenID providers offer security options beyond a simple l/p. I work for Vidoop and we have a two factor system involving activating a browser and using our ImageShield which shows images with letters associated with them. Each image is from a category you select at sign up, the letters displayed on the images form a random access code. The images change every time and so do the letters making the system resistant to currently prevalent forms of hacking (phishing, key logging, …). We have account notifications as well so you can get a message any time your account is used for anything. I would trust my banking, medical, or other mission critical data to be secured by a myVidoop OpenID account.

    There is a cool post up about why/how sites interested in being a full blown IDP should check out simply supporting OpenID delegation:
    http://steven.b...gation-ship-it/

    Interested to hear people’s thoughts on this… though at the end of the day I agree we still need more RPs and that killer OpenID app…
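Added example (not code from the post, from TechCrunch, or from any commenter's site): the relying-party side of the delegation described in the unripped and Vidoop comments above, plus the provider allowlist the AOL comment mentions. It reads the OpenID 1.1 (`openid.server`/`openid.delegate`) and OpenID 2.0 (`openid2.provider`/`openid2.local_id`) HTML discovery links from a claimed identifier's page and then decides whether the discovered provider is one the relying party trusts; all hosts, URLs and the sample page are constructed placeholders.

```python
"""Relying-party discovery plus provider allowlist for OpenID (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used by OpenID HTML-based discovery:
# 1.1: openid.server / openid.delegate; 2.0: openid2.provider / openid2.local_id
REL_KEYS = {
    "openid2.provider": "provider",
    "openid2.local_id": "local_id",
    "openid.server": "provider_v1",
    "openid.delegate": "local_id_v1",
}


class _LinkCollector(HTMLParser):
    """Collect the first href seen for each OpenID discovery rel value."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        for token in rel.split():
            key = REL_KEYS.get(token)
            if key and href and key not in self.links:
                self.links[key] = href


def discover(claimed_id, html):
    """Return (provider_endpoint, local_id, version) or None.

    OpenID 2.0 links win over 1.1 links; when the page delegates (a local_id
    link is present) the relying party must send that local id to the provider,
    otherwise the claimed identifier itself is used.
    """
    p = _LinkCollector()
    p.feed(html)
    if "provider" in p.links:
        return p.links["provider"], p.links.get("local_id", claimed_id), "2.0"
    if "provider_v1" in p.links:
        return p.links["provider_v1"], p.links.get("local_id_v1", claimed_id), "1.1"
    return None


def provider_allowed(endpoint, allowlist):
    """Relying-party policy: endpoint must be https and its host must be an
    allowlisted provider host or a subdomain of one (AOL-style whitelisting)."""
    u = urlparse(endpoint)
    if u.scheme != "https" or not u.hostname:
        return False
    host = u.hostname.lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def resolve_and_check(claimed_id, html, allowlist):
    """Run discovery on the claimed identifier's page, then apply the allowlist."""
    found = discover(claimed_id, html)
    if found is None:
        return {"ok": False, "reason": "no OpenID discovery links"}
    endpoint, local_id, version = found
    if not provider_allowed(endpoint, allowlist):
        return {"ok": False, "reason": "provider not allowlisted", "endpoint": endpoint}
    return {"ok": True, "endpoint": endpoint, "local_id": local_id, "version": version}


# Constructed sample: a user's own page that delegates to a separate OpenID
# server, the pattern the unripped comment describes. Placeholder hosts only.
SAMPLE_HTML = """<html><head>
<link rel="openid2.provider" href="https://openid.example.org/server">
<link rel="openid2.local_id" href="https://openid.example.org/id/alice">
<link rel="openid.server" href="https://openid.example.org/server">
<link rel="openid.delegate" href="https://openid.example.org/id/alice">
</head><body>alice</body></html>"""

ALLOWLIST = ["openid.example.org"]  # hypothetical relying-party trust policy

if __name__ == "__main__":
    print(resolve_and_check("https://www.example.com/alice", SAMPLE_HTML, ALLOWLIST))
```

A real relying party would fetch the claimed identifier over HTTPS (and try Yadis/XRDS discovery first) before running the HTML link parsing shown here.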
