OpenID

You are currently browsing the archive for the OpenID category.

While I know a little bit about OpenID I never really cared much about the technical background, the specification, and other related issues. I am an end user and I just want the relying party to redirect me to my provider, which then does some funny authentication in the background, sends me back to the relying party, and eventually I am logged in there. And fortunately this is exactly what happens most of the time.

Normalization

Most of the time? Not always? Well, sometimes things start to go wrong right in the beginning of a user’s OpenID experience: when typing in their OpenID in the relying party’s form field. Remember, an OpenID is a URL, something like this: http://youropenid.com/.

However, is there a difference if you type:

  • http://youropenid.com or
  • youropenid.com

There shouldn’t be a difference but sometimes there is. According to the OpenID 2.0 specification (section 7.2), relying parties must normalize both inputs to http://youropenid.com/: a missing scheme is prefixed with http://, any fragment after # is stripped, and the result is normalized according to the rules of RFC 3986, which is what turns an empty path into the trailing slash. There are some more examples given in the specification’s appendix, so have a look at them as well. Normalization was mentioned in the OpenID 1.1 specification too, but certainly not as clearly as in the OpenID 2.0 one.

User Experience

However, there are some relying parties out there which have not implemented normalization properly or at all. And this is a problem for end users like me. If I create an account with http://youropenid.com and the next time I log in with http://youropenid.com/, a relying party that doesn’t normalize treats these as two different identifiers, and I end up with two accounts. Not a good idea. The only difference is the trailing slash. That’s not obvious or understandable for non-techie users. I have learned about that just today as well.

OpenID still suffers from the claim that it is too technical and not particularly user friendly. Lack of normalization just adds to that claim. Although people use social networks and probably know how to access their profiles there, a URL is still rather uncommon as a login. So relying parties should do their best to make users’ lives as comfortable as they can. In the meantime it’s probably best for end users to always add http:// and to remember whether they used a trailing slash or not.
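As an added example (not code from the original post or from any OpenID library), here is the OpenID 2.0 identifier normalization of section 7.2 in Python, including the RFC 3986 section 6 rules the spec refers to: lower-casing scheme and host, percent-encoding normalization, dot-segment removal, dropping a default port, and turning an empty path into the trailing slash that bites the user above. The redirect-following part of step 4 needs the network and is left out, so the result is what a relying party would feed into discovery. The identifiers in the demo are made up, the whitespace stripping is an assumption about form input, and same_identity is an illustration of how a relying party would compare two typed identifiers, not something the spec defines.

```python
import re
import string
from urllib.parse import urlsplit

# OpenID 2.0 section 7.2: an identifier starting with one of these is an XRI.
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("
DEFAULT_PORTS = {"http": 80, "https": 443}
# RFC 3986 2.3 unreserved characters: never left percent-encoded.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def _normalize_percent_encoding(text: str) -> str:
    """RFC 3986 6.2.2.2: decode %XX for unreserved chars, uppercase all others."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, text)


def _remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 for an absolute path (one that starts with '/')."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:          # never pop the root segment
                out.pop()
            continue
        out.append(seg)
    if path.endswith(("/.", "/..")):  # a trailing dot segment names a directory
        out.append("")
    return "/".join(out)


def normalize_openid(user_input: str) -> str:
    """Return the normalized form of what a user typed into the OpenID box."""
    ident = user_input.strip()        # assumption: form input may carry stray whitespace

    # 7.2 step 1: drop an explicit "xri://" prefix
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]

    # 7.2 step 2: a leading global context symbol marks an XRI; returned as is
    if ident and ident[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return ident

    # 7.2 step 3: treat as an http(s) URL, add the scheme if missing, strip any fragment
    if not re.match(r"https?://", ident, re.IGNORECASE):
        ident = "http://" + ident
    ident = ident.split("#", 1)[0]

    # 7.2 step 4, offline part: RFC 3986 section 6 normalization
    parts = urlsplit(ident)
    if not parts.hostname:
        raise ValueError(f"no host in {user_input!r}")
    host = parts.hostname             # urlsplit already lower-cases the host
    if ":" in host:                   # bare IPv6 literal gets its brackets back
        host = f"[{host}]"
    netloc = host
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        netloc += f":{parts.port}"
    userinfo = parts.netloc.rpartition("@")[0]
    if userinfo:
        netloc = f"{userinfo}@{netloc}"

    path = _remove_dot_segments(_normalize_percent_encoding(parts.path) or "/")
    query = _normalize_percent_encoding(parts.query)
    return f"{parts.scheme}://{netloc}{path}" + (f"?{query}" if query else "")


def same_identity(a: str, b: str) -> bool:
    """True when two typed identifiers normalize to the same identity (illustration)."""
    return normalize_openid(a) == normalize_openid(b)


if __name__ == "__main__":
    # Constructed inputs for the demo; none of these are real OpenIDs.
    for typed in ("youropenid.com", "http://youropenid.com", "HTTP://YourOpenID.com:80/#me",
                  "xri://=example", "http://example.com/%7euser/./x/../"):
        print(f"{typed!r:42} -> {normalize_openid(typed)}")
```

A relying party should key its accounts on this normalized identifier before discovery, and on the verified claimed identifier that comes back after authentication, never on the raw string the user typed; that is exactly the step the two-accounts problem above is missing.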

Last night it was mentioned on the Vidoop blog that the social bookmarking service Ma.gnolia has launched a new sign in page. I am still waiting for the Ma.gnolia newsletter to read it straight from the horse’s mouth, though.

Anyway, what’s so interesting about a new sign in page, you may ask? Well, simply Ma.gnolia requires that users have a verified identity with another service already. It won’t be possible for new members to use a username and password combination to join Ma.gnolia anymore. The sign in page looks like this:

[screenshot: sign in]

The screenshot could be read as if the verified identity had to be an OpenID, but that’s wrong. From the dropdown menu users can choose from these services:

[screenshot: methods]

Most of those services also work as OpenID providers, but a Facebook ID is possible as well.

Spam

So what’s the reason for Ma.gnolia to change the sign in method? According to a blog post by Larry Halff from January, it’s spam. Larry explained that almost 80% of all new accounts created were ones by spammers. Actually I didn’t expect such a high number. Spam still seems to be a very profitable business. Some spammers create accounts manually but most of them are created by bots. As you can see from the comments on that blog post, Ma.gnolia is not the only service affected by spam; Simpy suffers as well.

Will the new sign in process prevent spammers from joining? Probably not. Spammers can sign up for Facebook and they can also get an OpenID from different providers. But it moves the cost of creating an account onto the identity provider’s own signup hurdles, which makes their shady business harder and hopefully less profitable.

Outsourcing Identity Verification

Other companies like Buxfer also allow users to sign in with identities from other services (see screenshot below). It seems to be becoming a trend, and it’s actually a rather smart move by companies: in most cases they get more accurate information about new users while they don’t have to deal with account verification themselves.

Users benefit as well: they don’t have to hand a password to yet another company, so they don’t need to build the same amount of trust in it. They can stay with a provider they already trust.

Buxfer’s sign in options:

[screenshot: buxfer]

One of the major obstacles for OpenID is certainly usability. Most people are not used to a URL as a method of login. This holds OpenID back from mass adoption. So any tool, service, or application that makes the login procedure easier and more comfortable is welcome.

Today ClickPass has launched which promises one-click signin to OpenID enabled websites. As far as I understand it, it aims to reduce transfers which happen behind the scenes between the OpenID provider and the relying party. Well, I have tried it, so here is a small guide of how to use it.

Using ClickPass

Currently ClickPass just works with a small number of websites, one being Plaxo. It is not really surprising that Plaxo is one of the sites. Every time some company offers a new service that makes things easier for users, it seems like they call Joseph Smarr of Plaxo and ask him to implement it quickly. And faster than I could add a new plugin to WordPress, Joseph implements those services on Plaxo. It’s strange, but not surprising at all anymore. Oh yeah, other sites currently supported include Disqus and Hacker News; also a WordPress plugin is available.

Since I have a Plaxo account already I have tried logging in to it with ClickPass; I had created a ClickPass account before. On the Plaxo sign in page there is a new button now: the ClickPass button. If you click on the OpenID image, a list of popular OpenID providers drops down. Anyway, clicking Enter I am forwarded to ClickPass to set things up.

[screenshot: clickpass plaxo]

Once forwarded to ClickPass I am asked which websites I want to use with it. I only choose Plaxo.

[screenshot: websites]

Next I have to connect Plaxo to ClickPass and something strange happens: I am asked for my Plaxo login credentials! Although it says those credentials are not stored on ClickPass, I feel rather uncomfortable giving away my login details. Luckily I can skip this step.

[screenshot: connect]

After choosing a username (which is part of my ClickPass OpenID) my ClickPass profile is built.

[screenshot: profile]

ClickPass appends a unique ID for each site. This is directed identity, right? So ClickPass will only work with OpenID 2.0 enabled websites, since OpenID 1.1 does not support it.

[screenshot: openid settings]

So can I use Plaxo with ClickPass now? Let’s see. Back at Plaxo I click on the ClickPass button, magic happens…

[screenshot: authenticating]

…and then I should merge my existing Plaxo account with ClickPass. It wants my Plaxo login credentials again! And this time I can’t skip the step.

[screenshot: merge accounts]

Stop!

Solution?

I don’t give passwords to any third party website anymore. That’s simply not cool! The ClickPass guys are probably totally sound people and even Scott Kveton is on their board. But I refuse to do that.

There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID exists to overcome the password dilemma many people have, and even tries to be more secure. Asking users to hand their passwords to third-party sites contradicts that and sends the wrong signal: it trains them to type their credentials into a site that is not their provider, which is exactly the habit phishers rely on.

Also, it doesn’t look good to have yet another button on relying parties’ sites. Yahoo! has introduced a sign in button already. Now there is ClickPass. How will websites look if every provider had their own sign in button? Ugly, unclear, even confusing.

I don’t like it. But maybe I just totally missed the point of it. Maybe…

While there has been much talk about companies joining the OpenID Foundation, I should mention that individuals can join it as well. It is a great way to show support for OpenID, help it grow, and provide financial backing for future efforts in marketing and generally spreading the word about it.

So if you have a strong interest in OpenID and have some money left, you might consider joining it. Annual fees are from $50 for students to $10,000 for organizations with more than 1,000 employees.

Local chapters of the OpenID Foundation are also being formed. The first one will be a Japanese chapter, to be established in April.
