BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Is OpenID Living Up to Our Expectations?

Is OpenID Living Up to Our Expectations?

This item in japanese

Bookmarks

OpenID has promised to simplify the user authentication process across multiple websites, but some complain it has actually created more problems. 37signals, an early supporter of OpenID, has announced the decision to stop using it across its products. Is OpenID delivering what it promised?

OpenID is an identity system enabling users to authenticate themselves to compliant websites based on a single username/password. OpenID is backed by the OpenID Foundation, an organization founded in 2008 and sponsored by companies such as Facebook, Google, IBM, Microsoft, PayPal or Yahoo!, among others. OpenID has been considered the authentication solution that would free people from creating accounts and memorizing usernames/passwords for every website they log into.

Recently Yahoo! announced they would let Google and Facebook users to log into the Yahoo! website using OpenID. This is seen as a way of attracting people to use Yahoo! services, such as Flickr. But another company, 37signals, and early proponent and adopter of OpenID from 2007, has recently announced dropping support for the authentication framework starting with May 1st, 2011. They complain that OpenID did not make life easier for their users, and the service has been a burden from the start:

What we've learned over the past three years is that it didn't actually make anything any simpler for the vast majority of our customers. Instead it just made things harder. Especially when people were having problems with the often flaky OpenID providers and couldn't log into their account. OpenID has been a burden on support since the day it was launched.

According to the post, only 1% of 37signals’ users are using OpenID, and most of those were doing so because “that used to be the only way to get single sign-on for our applications.” The company invites their users to switch to using regular authentication, concluding about OpenID that the “cure was worse than the disease.”

Larry Drebes, a Janrain employee, has commented 37signals’ decision to dump OpenID. Janrain is an early adopter of OpenID and a major identity provider. He said he is the only employee in his company using OpenID when connecting to Basecamp, a collaborative product provided by 37signals. He says that 37signals’ main problem has to do with the user interface and the user experience:

  • The UI treatment sports the circa 2007 URL input field, and while this resonated with the early adopter crowd, it's a high bar for the mainstream crowd. We learned several years ago that branded buttons make it very obvious for users that they can use their Google, Yahoo, Facebook, or other account to login. The naked URL bar makes it nearly impossible to take a Google or Google apps OpenID. Just a side note, Google is the most popular provider (transactional basis) across the 300,000 sites currently using Janrain Engage for social login.
  • Offering just OpenID is no longer enough. In fact we prefer to focus on enabling users to login with a social identity they already have, and not highlight the protocols under the cover (OpenID, OAuth, or an API to a proprietary system). The user doesn't need to know it's OpenID (Google, Yahoo, AOL), or OAuth (Facebook, MySpace, Twitter), or proprietary (Microsoft, etc).
  • The OpenID login is hard to find on 37signals’ interface and once users find it, they are not able to create new accounts with an OpenID. Unfortunately this diminishes a significant portion of the value proposition.

Rob Conery, creator of project SubSonic and co-founder of Tekpub.com and a former proponent of OpenID, wrote a post entitled “Open ID Is A Nightmare”, describing in detail some of the problems he had with OpenID and why he decided to stop using it. One of the main problems was with flaky identity providers which do not provide the service when you need it. His conclusion was: “[OpenID is] a great solution to a long-standing problem and solves a lot of issues for developers. Unfortunately it creates a ton more for business owners.”

Answering a Quora question, What's wrong with OpenID? It hasn't taken over the world, Yishan Wong said “OpenID is the worst possible ‘solution’ I have ever seen in my entire life to a problem that most people don't really have.” One of the problems he mentions is the confusion OpenID creates:

Proponents [of OpenID] are literally expecting people to sign up for yet another third-party service, in some cases log in by typing in a URL, and at best flip away to another branded service's page to log in and, in many cases, answer an obscurely-worded prompt about allowing third-party credentials, all in order to log in to a site.  This is the height of irony - in order to ease my too-many-registrations woes, you are asking me to register yet again somewhere else??  Or in order to ease my inconvenience of having to type in my username and password, you are having me log in to another site instead?? …

At best, a re-directed third-party proxy login is used, which is the worst possible branding experience known on the web - discombobulating even for savvy internet users and utterly confusing for regular users.  Even Facebook Connect suffers from this problem - people think "Wait, I want to log into X, not Facebook..." and needs to overcome it by making the brand and purpose of what that "Connect with Facebook" button ubiquitous in order to overcome the confusion. 

Wong considers that OpenID cannot be fixed with some tweaks, and the entire system needs to be thrown away.

What is your experience with using OpenID? Has it delivered the authentication simplicity promised, or has it been a nightmare as some suggest?

Rate this Article

Adoption
Style

BT