Apparently it’s embrace the developer community day at Facebook. In addition to the news that they are making activity stream data available to third party developers, they’ll also be making an announcement around OpenID, we’ve heard. And importantly, the announcement is that they’ll become what’s called a relying party, meaning anyone with an OpenID (Yahoo, Google, AOL, MySpace are all issuers, and Microsoft is in beta) can create and log into a Facebook account using those credentials.
Let me take a step back. OpenID is a distributed single sign on solution that allows people to sign into different services with the same login credentials. There are two ways companies/websites can participate in the OpenID framework – as “issuing parties” or as “relying parties.” Issuing parties make their user accounts OpenID compatible. Relying parties are websites that allow users to sign into their sites with credentials from Issuing parties. Of course, sites can also be both. In fact, if they aren’t both it can be confusing and isn’t a good user experience.
All the big guys are now Issuing Parties, which allow their users logging in all over the Internet with those credentials. But none of them accept IDs from anywhere else, so anyone that uses their services has to create new credentials with them. It’s all gain, no pain. There are two exceptions – AOL Mapquest and Google’s Blogger – but for the most part the big guys are issuers, not relying parties. And that has led us in the past to accuse them of exploiting OpenID for their own benefit without giving back to the community. See our post Is OpenID Being Exploited By The Big Internet Companies?
Facebook has been a wild card with OpenID. They’ve talked about adopting it eventually, but their Facebook Connect product has actually muddled the situation – Facebook actually competes directly with OpenID when allowing users to sign in to third party sites via Facebook Connect.
Now that’s going to change, and we’ll soon see users have the ability to sign in to Facebook using, say, their MySpace credentials if they choose to. I like the thought of that.
But it still may be a while before we see the other major players take similar steps. Facebook has never really had notion of a user ID – you’ve always logged in with your Email address, which could have come from any number of other services, so Facebook isn’t really sacrificing much here. Instead of a user name, Facebook members are assigned a meaningless user ID number (though they’re experimenting with vanity pages).
Contrast that with Yahoo and Google, both of which have built up their own login systems, which can be used across multiple services using a single persistent account name. Users benefit because they can seamlessly jump between services, and Yahoo and Google get their users to stay within their own suite of products. There’s a good chance they’re not going to give that up so readily.
It just means that it’s not growing by itself anymore, that’s why this move.
yeah they only added 20 million new users last month
People still not believe social networks rule – in mainstream. All twitter etc are long way to go to become mainstream like email and current social networks. email was never monetized, similarly sn?
OpenID is useless as everyone can use an email-address as login. If they keep same password for same “email login” it is same as openid.
OpenID is far from useless as you say. OpenID decentralises the security authentication. Using the same email address and password is not the same thing. Sure, it presents a similar experience (although, not quite, if you have used OpenID you will understand) – but having decentralised authentication means you need only trust one party with your personal information rather than many parties (in ideal terms, but not quite in practice yet).
I’m all for it, as long as you can associate any OpenID with your existing FB account at any time.
They are quickly running out of money and have no revenue. The recession will absolutely kill Facebook. Soon it will be sold entirely to microsoft for a fraction and I wouldn’t be surprised if they started charging fees for photo storage. Server space is never free people and the ads won’t pay for it. Yahoo and Google will live forever because they have good e-mail programs which most people use daily. If facebook dies, will people really worry about their few e-mails or photos. Businesses are not advertising and users are not spending cash. Only the few companies with enough capability to generate revenue and transactions like Amazon will survive.
Wrong.
I wonder if they’re implement similar to how they’re “supporting” activity streams. Meaning they’re take OpenID and making something proprietary out of it.
Mike, Google Friend Connect not only supports OpenID as a Relying Party, it enables any website to become a Relying Party in 5 minutes by integrating Friend Connect.
That’s very germane when you’re discussing this space.
you mean it will once this goes live, right? Yeah I agree. FB connect is really an oauth competitor now, but that’s a level of product detail that I didn’t want to go into in the post. but you’re right, it’s important.
Read the comment, Mike. Google Friend Connect has supported OpenID login since it’s launch in May 2008. It would be nice if Facebook followed our lead a year later, sure.
ah yeah. Google Friend Connect. sure, that’s great but no one has really implemented it, so it’s not particularly relevant.
Oh, BURNNNNN!
This of course, was predicted by many in the OpenID community awhile ago. You’ve got the analysis backwards. By not being an issuing party, Facebook acts as a parasite on the users of companies that implement the issuing party spec, gaining the benefit of OpenID implementations of others (increasing Facebook traffic), while locking Facebook credentialed users behind non-OpenID, which means, Facebook is simply trying to undermine the OpenID spec while protecting their Facebook Connect turf.
One has to wonder, why you love the idea of logging into Facebook with Myspace credentials? Do you think Myspace is gaining in this relationship? Wouldn’t the real value be being able to log into any OpenID RP site with Facebook credentials, since with 200+ million users, aren’t most people likely to have a Facebook account already?
This is a calculated move to undermine OpenID with the superficial appearance of supporting a standard, while promoting a proprietary one aimed at killing it.
don’t really get your logic flow.
I’m not surprised. Look Mike, it costs money and resources to run an issuing party, and the main beneficiary is to other sites, not yours. In contrast, being a relying party costs only a small implementation, and it lowers the barrier to using your site.
Imagine you set up a site, and 100 million users create accounts on it, but they never visit your site very much, and spend all of their time logging into Facebook using your server as the issuing party, who is benefiting more?
Implementing the RP spec, you risk nothing, but stand only to gain. You don’t risk commoditizing your user base. You don’t risk Facebook Connect. You either gain zero, or you gain some additional users through lower barriers, and you score a PR win with the appearance of embracing standards.
That it undermines OpenID is simple. Facebook has a competing “Relying Protocol” with themselves as the only “Issuing Party” that they control. They are pushing FB connect everywhere, and now by allowing FB user profiles to link with OpenID, they open up the possibility that FB Connect can be used to log into sites where the backend credential in fact originates from MySpace, Google, or some other OpenID provider, effectively an embrace-and-extend strategy.
It’s somewhat of a disservice to the community for TC not only to get this wrong, but to promote a very wrong headed idea that it is the Issuing Parties who are gaming the system.
You got everything right, except you forgot to tie in the Kennedy assassination. Otherwise, A+++ !
it must be really hard to be so smart in a sea of dumb people. thanks for condescending to explain your point. You’re totally right! wow. /sarcasm.
Mike, it would help if you had pointed out where you had disagreed with the logic. Instead, you said you didn’t follow it, which is why I broke it down in simpler terms.
I think vague twitter-style replies “wrong”, “don’t get it”, “conspiracy theory!” are somewhat unfair, because while I took non-trivial time to write out a detailed message to explain my point, you spent considerably less effort on snarky replies.
In retrospect, I don’t really think you didn’t understand the logic of the first message. You just chose not to put up a logical counterargument.
Ray, the name of the game is still the walled garden. As an Issuing Party only, a company like FB forces users to sign up directly with them. Then logging into CNN with the FB logo right there on the page only increases their brand.
Whereas once you’re a Relying Party, you lose control of your walled garden because you’re allowing people (like MySpace users) the benefits of your site without forcing them to register there and increase your user count.
I think that has been Mike’s point.
DT,
There’s no real benefit to just having a registration, there is benefit to having an active and engaged user. As an Issuing Party, users could register on your site, and then spend 100% of their time on a Relying Party site. Facebook does not lose out when MySpace users log into Facebook, they gain traffic at MySpace’s cost and expense. This just makes it easier for MySpace users to migrate, by lowering the account creation barrier, meanwhile MySpace is shouldered with the cost.
Likewise, if Facebook becomes an Issuing Party, then the proprietary “Facebook Connect” button on CNN changes from an FB Logo into an “Signin with OpenID” button. That means Facebook loses a prominent branded button on all of the relying sites (effectively a free ad), as well as any proprietary advantage their Facebook Connect API allowed them.
Anyway you slice it, the the cost of being an IP is much higher than an RP, and the benefit of being an IP is greater if and only if, you can get the RP sites to funnel data back to you. (which is what FB Connect does)
It makes the most logical sense for the sites with the largest number of user accounts registered to be Issuing Parties, not Relying Parties. If you’ve got 100-400 million people signed up with accounts, there is great benefit in allowing your hundreds of millions of users to use their account as a single-sign-on across the web (as FB Connect shows!), and comparably less use in letting people log into your site with other credentials, because there is a very high probability that the user’s primary credential is already owned by your site.
I think any large site should be an IP and a RP, but definately an IP. The true test of FB’s openness would be allowing people to use OpenID IP or making FB Connect somehow compatible with it.
Another reason why Facebook is worth $40 billion. They can do no wrong. I really hope they go public so I can buy buy shares.
http://www.clasilistados.org is doing an incredible job!
I’d love to see them get funded again; those guys deserve it.
Sull
It always struck me as counter-intuitve that the “issuing parties” which were not “relying parties” are the ones exploiting OpenID. It seems like, if I were to build webapp FooApp and could only be an issuer or a relying party, it would be in my best interest to be a relying party, and just say that anyone with an AOL, YAHOO, Livejournal, or other OpenID-issuing account already has an account with FooApp. Drop the entrance barrier down as close to zero as possible. On the other hand, as an issuing party, just because someone logged into my OpenID providing service doesn’t mean I can make money off them, just that they’re briefly using my hardware/software/bandwidth to potentially hang out at someone else’s website.
all ur streamz r belong 2 facebookz
lol
It would be cool if Facebook was an OpenID manager. I know personally I have created multiple OpenIDs and I want to consolidate them.
Is there a way to make existing Facebook accounts compatible with OpenID?
Or do sites that want to let existing Facebook users login using their existing credentials still have to support Facebook Connect?
Aren’t AOL and Google “big sites?” Your headline is blatantly incorrect, since it doesn’t have the qualifier you provide later in the article.
See this is the big difference between Facebook and Myspace. Facebook has been embracing new ideas and actually pushing the button, unlike Myspace.
not really. The problem with myspace is that it sucks, plain and simple.
The correct response should have been: “The problem with MySpace is that I’m outside the demographic.”
Don’t worry, mate. I’m clearly outside their demographic.
Great to see the news of Faceook becoming an RP! JanRain has enjoyed working with the FB team on integrating Facebook Identity into RPX (http://rpxnow.com) allowing any website to get up and running in accepting users with either OpenIDs from AOL, Google, Yahoo, MySpace or identities from other providers like Facebook and Windows Live ID.
This actually falls in line with Facebook becoming the defacto standard for identity. From experience with implementing and using both, FB Connect is a vastly superior experience thant OID. However, the problem with FB Connect is that there’s “only” a couple hundred million FB users vs half a billion OIDs.
Now FB allows those half-billion OID people from MySpace, Blogger, Yahoo, AOL to create a FB Account in 5 seconds and now use the FB credentials around the web.
It also lets Facebook start capturing OID credentials so when the inevitable distributed identity/Activity Stream standard flys across the web they’ll be able to hit the ground running.
Genius.
Omar, I respectfully disagree with your notion that FB Connect’s user experience trumps that of OpenID. As previously mentioned, JanRain’s RPX (http://rpxnow.com) is a platform solution that allows website to easily accept logins from Google, Yahoo, MySpace, AOL, Windows Live ID, Blogger and Wordpress in addition to Facebook. The process is seamless for the end user and requires only two clicks as long as the user is logged into his/her preferred identity provider.
You can see how intuitive the login process is with RPX at http://www.user...com/session/new.
WHAM! this is huge…come on guys – this is a wall that just crumbled.
Perhaps the new landscape is confusing, but it’s a new landscape. OpenID just got life.
Facebook owns your personal information, but have no intention of using it for malicious purposes. where is recession??/ http://iamned.com/blog help me find it. no doom and gloom.
Facebook, Facebook Connect, Facebook Desktop…
Facebook “World”
They have an impressive portfolio that’s getting stronger…
How is facebook the first really big site to implement?
I believe Yahoo! beat google to the punch a year ago.
openid.yahoo.com
This is troubling. So what Facebook allows people to login with their OpenID? That is near worthless. This would be news only if they were an issuing partner.
Why don’t you people see through this move as a way for them to build FB Connect?
entourage fan?!
Is that you, Billy Walsh?
Cool. It means that those who lust openID can use it. Facebook are both relying and issuing party I thought? If not Facebook should try to become an issuing party as well. Still think the facebook method is better and it has a wider base. Many organisations will only allow their OpenID. That defeats the purpose for me. I already have 4+ OpenID’s. I just want one that I can use anywhere. Still some way to go before OpenID totally rocks imo.
Interesting news no matter where you stand on OpenID, the comment section @techcrunch is running like the 3rd hour of a cocktail party though, lots of talking very little listening
The Veggie BK has an inordinately high amount of MSG in it.
Actually OpenID can’t win if it has only issuing or only relying partners. They need both. And there were obviously a lot of companies willing to be issuers, but not relay partner.
So this is a good news. On the other hand it is obvious that FB Connects competes with OpenID directly (and it is currently winning, that “F connect” button is simpler than what openid provides)
Andraz Tori, Zemanta
Last summer (2008) designing http://www.10ThousandDoors.org for the Methodists (launched just last week) we needed an OpenID solution and considered all options available then and through this last year. Developed other aspects of the site in partnership with Google, so utilized Google Friend Connect, assuming that OpenID would be standardized and Facebook would adopt. Kudos to Facebook for getting with the program.
As someone that is implementing Facebook Connect this makes my head explode!
For Facebook this is a little risky. Although we have to give them credit for trying something new.
is something like this secure at all for fb users? social networking site are already huge targets for hackers and spammers. i’m a little worried. i took a look on justaskgemalto, its a good digital security resource site, some decent information
Interviews should not be phony & intimidating just a form of getting to know somone at a first impression & learning the skills they possess. ,