Some Ideas for Relying Parties

While I was complaining about rather poor coverage on OpenID on German blogs the other day, this post is actually inspired by blog posts on two recommended German blogs, which are both sympathetic to OpenID but also raise some questions about it.

Yahoo!’s decision to become an OpenID provider and to join – together with other big tech companies – the OpenID Foundation has sparked a lot of media attention, discussion and interest in OpenID. I even dare to say that media coverage has never been bigger before and it is certainly encouraging more people to check out OpenID. Nevertheless it is still fairly new and most people are not used to it yet. From now on not only some geeks will use it, but also the guy next door or colleagues who are not tech savvy at all. So relying parties and providers are well advised to make the OpenID experience as easy and comfortable as possible for those people.

In this article I concentrate on ideas (best practices?) relying parties should think about.

Not only OpenID

Admittedly, this sounds strange coming from an OpenID advocate, and please, don’t get me wrong. I love OpenID but for the next few years, I don’t think it is a good idea to only accept OpenIDs. Users who don’t know about OpenID might turn away from a site when they are faced with a login method they don’t have a clue about. Most people are still used to the username/password method and typing in a URL might be strange to them. Also some users have probably fears or at least reservations against OpenID. Remember, it’s still new. Relying parties would be stupid to pass on those users just because they think OpenID was the best, the coolest.

Switching between OpenID and username/password

Users should be able to switch between an OpenID and a username and password combination. Assigning an OpenID to an existing account should be mandatory for relying parties because more people will adopt OpenID later. But it should work the other way around as well. Some users may abandon OpenID because of bad experiences or whatever.

One OpenID is not enough

Theoretically one OpenID is all users need to sign in to any site they fancy. But really, that’s not the way things will work. What happens if a provider runs out of business or starts being nasty? If users can’t assign more than one OpenID to their accounts they will lose all their data on those sites when signing in with a new OpenID. Not all users have the chance to use delegation, simply because they don’t run a website or blog on their own. Those users can’t switch providers easily. And even if they use delegation: what happens if their blogs are down, they forget to renew payment for their domain,…? A second OpenID would prevent much hassle.

Educate users

Like I have mentioned above, OpenID is still new. So relying parties should educate users about OpenID. Providing short tutorials or linking to some doesn’t require much work but it will surely help spreading the word about OpenID. It also shows that companies care about their users.