Marketing OpenID
Jan 9th, 2008 by Aswath
There are reports that Google, IBM and Verisign are planning to join the OpenID Foundation. But it is not clear what this really means. Verisign is already an OpenID Provider. Will the other two also become OPs? Since Blogger (which is part of Google) will accept OpenID as a way to authenticate commenters, will Google accept OpenID in other applications as well? Notwithstanding these open questions, this is encouraging. On the flip side, there is a significant amount of skepticism about the utility and usability of OpenID. For example, only yesterday Mark Evans wrote about his poor experience with using OpenID. So much so that he feels OpenID could become an Edsel. He also quotes Devon Young and The Identity Corner to substantiate his points. This clearly suggests that those of us who advocate OpenID must address their concerns and streamline the user experience.
Benefits of OpenID – Company line
The current narrative on the benefits of OpenID is that it allows for single sign-on and that registering at a new site becomes easy and simple. But the detractors reject the benefits of single sign-on based on privacy and security concerns. They prefer to have different login credentials for different sites. Directed identity will allow a user to present a different id to different sites. Still, this is not satisfactory, because the OpenID provider has information on a big chunk of the user’s web activity.
As a practical matter, the registration process has not been simplified even with attribute exchange. It is possible that the OpenID provider has not collected the information the site is interested in, or that the site is compelled to collect it again for legal reasons. So how do we position OpenID?
Credit cards and OpenIDs
In my opinion it is better to compare OpenIDs to credit cards. A credit card company issues cards to its members and provides a monetary guarantee to the retailers. An OpenID provider issues IDs to its users and provides some form of authentication to web sites. Just as a credit card company may place a limit on the level of guarantee, web sites are at liberty to restrict the OpenIDs they will recognize and accept. Just as many of us carry more than one credit card, we may have multiple OpenIDs and use them on different occasions. Just as a department store credit card is not accepted outside of that store, it is possible that IDs issued by some OpenID providers will not be accepted by some sites. The credit card companies have a good amount of information on our spending habits, but they are expected to maintain a certain amount of privacy. Similarly, we can expect OpenID providers to maintain the privacy of their users. But at least initially, it becomes the users’ responsibility to identify conforming providers.
The beauty of the credit card system is that credit management is independent of retailing. It frees the retailers from evaluating the creditworthiness of the card holders and from collection activities. Thus even small retailers can afford to accept credit cards, which simplifies the consumer’s life. Still, it is possible that a particular retailer asks the consumer for extra information, like a phone number. OpenID provides analogous benefits to web site operators.
Restricting OpenID providers
Under certain circumstances, a web site operator may restrict the OpenID providers it will accept. For example, a site targeted at senior citizens would like to ensure that a new user is indeed a senior citizen, but that site cannot reasonably confirm the age of a new registrant. AARP, however, is in a position to assure that its members are indeed senior citizens. So if AARP issues OpenIDs to its members, then they can use their OpenID to register themselves at that site. Interestingly, one of the reasons Sun stated for issuing OpenIDs to its current employees is to make it easier for them to get employee discounts from Sun’s partnering companies.
User Experience
The OpenID verification protocol has too many redirections between the web site and the OpenID provider. These redirections can be a bit confusing and are also prone to phishing attacks: a malicious site can redirect the user to a look-alike login page instead of the real provider. We need to address this concern as well. Verisign has a Firefox plug-in called Seatbelt that simplifies the log-in procedure. But there is a simpler way that anybody can follow as long as the browser supports tabbed windows. The idea is to visit the OpenID provider in the first tab, log in there, and leave that tab open for the rest of the session. Now if we use other tabs to visit the web sites of interest, there is no need to provide login credentials again. So if a web site presents a screen asking for login credentials, we will know that a phishing attack is under way.
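The tab-based habit above works because the user knows which provider they are logged in to; a browser helper can automate the same comparison on each redirect. The following is an added illustration (not code from the post or from any product it mentions) that classifies an OpenID 2.0 authentication redirect against the endpoints the user has pinned. The endpoint and site names are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Namespace value that every OpenID 2.0 message carries in openid.ns.
OPENID2_NS = "http://specs.openid.net/auth/2.0"
AUTH_MODES = ("checkid_setup", "checkid_immediate")


def check_openid_redirect(redirect_url: str, trusted_op_endpoints: set[str]) -> str:
    """Classify a browser redirect that claims to be an OpenID 2.0 auth request.

    Returns "ok" only when the redirect really targets one of the OP endpoints the
    user already logged in to; any other string is a reason a helper could show.
    """
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        return "not-https"  # credentials must never travel to a plain-http page
    q = parse_qs(parts.query)
    if q.get("openid.ns", [None])[0] != OPENID2_NS:
        return "not-openid2"
    if q.get("openid.mode", [None])[0] not in AUTH_MODES:
        return "not-auth-request"
    if "openid.return_to" not in q:
        return "missing-return-to"
    # Compare scheme, host and path exactly. Suffix or substring matching would let
    # a look-alike host such as "op.example.evil.test" pass as "op.example".
    target = (parts.scheme, parts.netloc.lower(), parts.path)
    for endpoint in trusted_op_endpoints:
        ep = urlsplit(endpoint)
        if target == (ep.scheme, ep.netloc.lower(), ep.path):
            return "ok"
    return "unknown-op"


# Constructed sample data: the OP the user logged in to in the first tab, and two
# redirects, one genuine and one pointing at a look-alike host.
TRUSTED_OPS = {"https://op.example/server"}
QUERY = ("openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
         "&openid.mode=checkid_setup"
         "&openid.return_to=https%3A%2F%2Frp.example%2Fopenid%2Freturn")
GENUINE = "https://op.example/server?" + QUERY
LOOKALIKE = "https://op.example.evil.test/server?" + QUERY


def demo() -> dict:
    """Run the check over the constructed redirects and return the verdicts."""
    return {url: check_openid_redirect(url, TRUSTED_OPS) for url in (GENUINE, LOOKALIKE)}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:12s} {url}")
```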
Hi Rao: I am the technical director for the PiP/SeatBelt product here at Verisign. Thanks for the comments about SeatBelt and I would also add a couple of additional features:
1) Delegation support. If you use OpenID delegation this feature is supported in SB.
2) OP support. In addition to our OP – MyOpenID, Vidoop, SignOn, AOL, idTail, Mojid, Myid, openid.ee, and xlogon have all added support.
3) Languages. SB has been translated into: Japanese, Korean, Spanish, French, Portuguese, German and Slovenian.
4) Anti-phishing. If the option is selected we do checking to make sure that on redirect the user is being directed to their logged in OP.
5) Multiple identities. If the user has set up multiple identities (for example on the PiP) they can selectively choose which one to use during an rp-op login process.
The one thing about your suggestion with the tab, while it certainly will work, is that it requires that a tab be dedicated to the logged in OP. With SB in Firefox an indicator is displayed either on the bookmark or status bar indicating current logged in status.
Thanks again.