Time for an update about the current state of affairs and developments relating to OpenID – the possibility of choosing your own identity and reusing it on the web.
It is already four years ago that Google announced that all Googlers could use their account as OpenID to login to (an)other website(s). Supported by major providers such as FaceBook, Google, Microsoft and PayPal, OpenID was intended to become the worldwide standard to set the consumer free from his or her massive number of passwords. Now, in 2012, all consumers are still using many different passwords on different website(s). Despite every consumer acknowledging the password problem and websites leaking passwords on a daily basis, only a few providers offer the possibility of using your own identity to login. Time for an update about the current state of affairs and developments relating to OpenID – the possibility of choosing your own identity and reusing it on the web.
OpenID, bring your own Identity (BYOID)
The development that allows consumers to use their own iPad, Iphone or laptop at work is gaining more and more attention. This development is commonly known as the “Bring your own device” (BYOD) development. OpenID represents a similar development, whereby the consumer has the possibility of using his or her own online identity (OpenID) on the web (BYOID).
OpenID was originally created as a technique for making it easy to post a blog comment. The inventor, Brad Fitzpatrick, believed it was handy not to have to re-register every time you wanted to post a blog comment. Major players such as Google, Microsoft and Facebook quickly signed up to the technical standard and OpenID became the brand mark that represented easy login to websites using your own ID. The international OpenID Foundation develops the technological standards and promotes the use of OpenID. The foundation is supported by the membership of technology and industry leaders, all directly benefit from the joint efforts in standardisation, developments and promotions.
What happened to OpenID?
Despite the popularity and emergence in 2007 the enthusiasm and the buzz surrounding OpenID gradually declined. There was criticism from the community about the fact that Google, for example, wanted to be an OpenID provider yet it would not accept any other OpenIDs. In addition, the OpenID providers prefer to display their own logo rather than the OpenID logo. Consumers did not understand entering an OpenID URL as username and website(s) found it complicated to integrate it easily into their services.
Despite the OpenID logo gradually disappearing from websites, more and more websites did offer the possibility of logging in using your Facebook, Google or Paypal account. The underlying technology is still based on OpenID and related technology such as oauth.
Important for this follow-on success are the additional possibilities of social networks and sharing of information with your friends or other applications. These days, for example, you can easily log in to Spotify and AirBnB using a single identity that you already have. Facebook Connect is by far the most successful implementation, with in excess of 250 million logins per month. The question is whether every consumer is comfortable to have their identities managed by Facebook. Because of the dominant position of these major players consumers can still not always choose which OpenID they use to log in.
By using the experiences of the various OpenID providers and online service providers, the OpenID Foundation is working on two improvements for 2012. A great deal of work is being undertaken on the successor to the technical standard; OpenID Connect and a solution, Accountchooser, for the issue surrounding OpenID provider choice. More interesting OpenID technology standards like BackplaneX to come.
Accept OpenID on my website?
Due to the need to have a better relationship with existing users more and more websites are offering the possibility of linking your Facebook, Twitter or Google account. This is valuable because of the additional information that your website is able to obtain about the user and for sharing messages with their network of friends.
However, there are also additional benefits to be gained by supporting other OpenID providers, despite these not immediately providing the social benefits.
In recent years, many online webshops have opted to offer customers the possibility of making an online purchase without having to register (Fast Checkout). This is disastrous from the perspective of building a relationship with your customer, but is driven by the loss of sales conversions caused by registration barriers, e-mail verification and forgotten password procedures.
Reusing your identity by means of an OpenID can help webshops to still build a relationship with the customer easily, without losing sales conversions. It is for good reason that Thuiswinkel.org, the Dutch Online Retail association, has called for the development of an OpenID for online shopping (NL).
As an online provider you are also faced more and more often with new channels such as mobile or television. It is important that your existing method of identifying users can also support these channels. External OpenID providers and identity service providers like JanRain, Gigya and Prooflink are more specialised in this, as a result of which users do not have to register on your website first before being able to use your mobile application.
On the other hand you can of course implement the OpenID technology for our own accounts. Using OpenID technology standards does not oblige you to directly accept external OpenID’s.
Last but not least, as an online service provider you may not have the appropriate know-how for correctly organising password management. By accepting an OpenID it is no longer necessary to store passwords and you therefore void the risk of this data getting into the wrong hands.
Is this of value to the consumer?
Every consumer struggles with managing his or her passwords. Despite the various suggestions and tips for thinking of a good password, in practice there are two types of users: users who think of a different password for each website and maintain a list of these and users who use the same password on various websites.
The first group gets annoyed if the browser does not pre-fill the password on the basis of the “remember password” feature or when they have to login from a different PC or Mobile. After all, you then have to check the list to find that elaborate password. There is then a great temptation to choose a password that you can easily remember. In practice the largest group of users has a number of favourite passwords that they use as standard on various websites.
Hackers are also familiar with this behaviour and are increasingly searching for websites that don’t have their password management well organised. Using the data that they are able to retrieve easily from those websites they then attempt to gain access to as many other websites as possible. In some cases this is to ask friends or other contacts for money, allegedly because you are stranded somewhere while travelling.
Once such a hack has been uncovered this group of consumers is very busy trying to remember the websites on which they have used this data. With a race against the clock, they then have to change this data as much as possible.
An OpenID gives users the possibility of managing an identity from a central location.
Ultimately, as a user, you choose where or with whom you want this OpenID to be managed. This choice depends on what a user considers to be important. Do I choose Google, a regional provider, a government facility or do I prefer to manage my own OpenID? Ease of use, trust, costs and, potentially, insurance in the event of loss play a possible role in this. It is important that there are simple solutions that are easy to use by the cross-section of Internet users. Various parties such as banks, telecom, insurers, Apple and Google can play a potential role in this. Organisations like the OpenIdentityExchange foundation work on the trust and governance for OpenID providers. This is not a technology problem. It is a business, legal, and social problem.
The central management of your identity creates potential risks because you will then be dependent on this account. In practice you may therefore have a number of OpenIDs so that you are not dependent on a single solution. That also provides you with the possibility to protect this OpenID better than just a password, for example via supplementary measures such as a code on your mobile or by means of biometry.
The next time that a website requests a password ask yourself whether this website is capable of protecting your data properly and if it is not, ask why they don’t offer you the option of using an OpenID. If you support this developments, think about becoming an OpenID ambassador!
The development of Bring your own Identity (BYOID) and using this on the web has further developed in recent years. This has been primarily driven from additional social interaction as offered by players such as Facebook, Twitter and Google.
OpenID provides the various technologies that make it possible to reuse an identity in increasingly better ways, whereby OpenID providers find it important to promote their own brand. On the basis of market developments it is expected that consumers shall bring their own OpenID more and more often if they wish to use an online service.
As an online service provider it is important that you prepare yourself for the possibilities of accepting OpenIDs. This may be driven by user demand but may also be driven by the various benefits associated with this for improved online service and customer relationship building.