After three months away in San Francisco I was recently back in London visiting friends and family. With a couple of weeks to spare I got stuck into booking dinners with old friends. I'm a big fan of the offers on Top Table and with my eye on a nice little brasserie in Hampstead I knew I had enough points to get one of my meals on the trip for free.
Or at least I thought I did, only after so many months away, I'd forgotten my password to get back in. Not only that but I'd registered with an old email address and couldn't even get the password reminder. For the want of a password, me, my page views and my commission were lost.
Usernames and passwords are everywhere. In a web that's becoming more and more specialized and mashed, where storage comes en masse from Amazon, video from YouTube, maps from Google, presence from MyBlogLog and sharing from del.icio.us, one last feature remains awkward and local: login.
The cost of sign-up
Sign-up: one simple and ubiquitous feature that costs websites users, lots of users. France Telecom recently did extensive research on the subject and found that at every new screen presented during sign up, 50% of users give up and go elsewhere.
That makes sign-up screens a very expensive part of your website. So you've built an incredible new service and spent a fortune advertising it on Google to get maybe a thousand clickthroughs. Of those, perhaps a hundred will be impressed enough with your service to reach that critical sign up screen. Ask the user for a username and password, confirm their email and you've just lost 75 of them.
The simple act of sign-up just multiplied your customer acquisition cost by a factor of four. Getting rid of the process would make your advertising a staggering four times more effective.
Even once the user has finally signed up, the login screen will continue to haunt both them and you. Up to 80% of calls to help desks are from users requesting password resets, and every one costs an average of $30 to process.
The pain of sign up and login is both extensive and expensive. In the last two years though, a protocol has emerged to address it, a protocol which shows the early glimmers of even being able to solve it: OpenID.
OpenID, the HTML of identity
In 1990, Tim Berners-Lee made the enormous simplification that most information people needed to access could be encoded into plain old HTML. “Information” is as broad a category of data as you can get though, and can be encoded in lots of different formats: xml, pdf, jpg and plaintext being just some of them. In making that one extreme simplification, Tim Berners-Lee nailed the core of the problem and laid the foundations for the depth and complexity of the web that exists today.
Two years ago, Brad Fitzpatrick of Six Apart made the same simplification for identity. Identity is a complex and amorphous beast. Who are you, what qualifications do you have, who can verify them and how can I trust them? What's your reputation, who are your friends and are you really my second cousin once removed?
These are very difficult questions to structure and answer programmatically and, like document encoding, too difficult to solve in one fell swoop. Brad proposed a solution to a different and far simpler question — are you the same user who was at my site last week?
Remember me … forever
At its core, all OpenID cares about is telling a website that you're the same person, the same user you were last time you visited them. It's a bit like a cookie you carry around with you and drop into any machine you're using — “remember me forever”. OpenID gives you, the website owner, the opportunity to personalize and customize your content to more users more of the time.
How it works
In essence, OpenID allows one website to piggy-back off an authenticated session from another website. I log into my OpenID provider (e.g. Clickpass.com, the startup I founded), pick up my OpenID URL and create a session there. When I want to use another site (e.g. 37 Signals' Basecamp), instead of giving them my username and password, I give them my OpenID URL.
Basecamp then has a quick word with Clickpass and asks whether I've got an authenticated session already set up. If I have, it logs me in to Basecamp and creates a new authenticated session for itself and if not, it sends me back to Clickpass to log in.
The WWW cloakroom attendant
You can imagine OpenID to be a little like the tickets a cloakroom attendant uses. When you leave your coat in the cloakroom of a nightclub they tear a ticket out of their book, pin one half to the coat and give the other half to you. When you want your coat back you give them your half of the ticket, they find the coat that matches it and give it back to you.
OpenID does exactly the same thing with a website. You go to a website, and give them a copy of your OpenID URL which they then pin to your account. Next time you come back, you flash them your OpenID, they look up the account that corresponds to it, do a quick check to make sure you really are the owner and then let you in.
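As an added example (not code from the article, from Clickpass or from any OpenID library), here is the relying-party side of the cloakroom check in the style of an OpenID 2.0 positive assertion: the OpenID URL the visitor hands over is normalised so it can be pinned to a local account, and the provider's signed response is verified before the visitor is treated as that account's owner. The association secret, handle, account table and the sample provider response are all constructed for the example.

```python
# Added example, not from the article or from Clickpass. A minimal OpenID
# relying-party check: normalise the OpenID URL ("pin it to the account"),
# then verify the provider's signed assertion before logging the visitor in.
# Association secrets, handles, accounts and the sample response are constructed.
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed: shared secret negotiated with the provider earlier (an OpenID
# "association"), indexed by its handle.
ASSOCIATIONS = {"assoc-123": b"constructed-secret-do-not-reuse"}

# Constructed: local accounts already pinned to a normalised OpenID URL.
ACCOUNTS = {"http://alice.example.com/": "alice"}

RETURN_TO = "https://rp.example.com/openid/return"  # constructed return URL
SEEN_NONCES: set = set()  # response nonces already accepted (replay defence)


def normalize_openid_url(identifier: str) -> str:
    """Canonicalise a user-typed OpenID URL so the same person always maps to
    the same account: default scheme, lower-case host, drop fragment, add path."""
    identifier = identifier.strip()
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of the signed fields, in the order openid.signed lists them.
    Each line is 'key:value\\n' with the key written without its 'openid.' prefix."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def verify_assertion(params: dict) -> Optional[str]:
    """Return the local account name if the provider's assertion checks out,
    otherwise None. Checks: mode, return_to, known association, HMAC-SHA1 over
    the signed fields, fresh nonce, and a locally pinned account for the identity."""
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.return_to") != RETURN_TO:
        return None
    secret = ASSOCIATIONS.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        return None  # unknown handle: a real RP would fall back to check_authentication
    signed = params.get("openid.signed", "").split(",")
    # The fields we rely on must themselves be covered by the signature.
    for required in ("return_to", "assoc_handle", "identity", "response_nonce"):
        if required not in signed:
            return None
    try:
        message = kv_form(params, signed)
    except KeyError:
        return None  # a signed field is missing from the response
    expected = hmac.new(secret, message, hashlib.sha1).digest()
    presented = base64.b64decode(params.get("openid.sig", ""))
    if not hmac.compare_digest(expected, presented):
        return None
    # Only a genuinely signed response may consume a nonce; a replayed one is refused.
    nonce = params["openid.response_nonce"]
    if nonce in SEEN_NONCES:
        return None
    SEEN_NONCES.add(nonce)
    return ACCOUNTS.get(normalize_openid_url(params["openid.identity"]))


def sign_as_provider(fields: dict, handle: str) -> dict:
    """Constructed stand-in for the provider: signs the fields the way a real
    provider would, so the verifier above has a realistic response to check."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "identity", "claimed_id"]
    response = {"openid.ns": "http://specs.openid.net/auth/2.0",
                "openid.mode": "id_res", "openid.assoc_handle": handle,
                "openid.signed": ",".join(signed), **fields}
    sig = hmac.new(ASSOCIATIONS[handle], kv_form(response, signed), hashlib.sha1).digest()
    response["openid.sig"] = base64.b64encode(sig).decode()
    return response
```

A tampered identity or a replayed response fails the check, while the same person typing their URL with different capitalisation still lands on the same pinned account.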
Your user or mine?
So if OpenID is logging the user into your site then who exactly owns them? Is that user ultimately a user of the OpenID provider or of the website itself?
A good place to look for the answer to this is Evite.com. One of the reasons Evite became so successful is that it didn't require people to create accounts in order to see their invitations. Clicking on a personalized link sent to you in an Evite email is proof that you own the email address and logs you directly into Evite.
Evite piggy-backs off the authentication from your email account. Nonetheless, it's clear that it is Evite, rather than Hotmail or GMail, that owns the user. In the same way as Evite piggy-backs off email, OpenID lets you piggy-back off the OpenID provider's session and at the same time retain ownership of your user. The data that they enter at your site is something that is between you and them and nothing to do with the OpenID provider.
The possibilities
The consequences of reducing the barrier to account creation and login at websites are hard to overstate. Users' resistance to signing up to your service falls, the number of users returning to it increases and the amount of time you have to spend reminding them how to do so plummets.
With one account logging them into so many places, the user can also now afford to bring more than just a new username and password to your site and you can afford to demand more. At the same time as lowering the barrier to legitimate users, OpenID raises the barrier to your unwanted visitors.
People are exhausted by having to prove themselves again and again to every new site they visit. OpenID opens the door to portable identity and to them accumulating reputation and credibility which can then be reused elsewhere, just as they reuse their eBay reputation on auctions. Portable identity and credibility is, in turn, the key to demanding more proof from your visitors that they are who they say they are, and in turn reducing chargebacks, fraud and spam.
One ring to bind them all … and lose them?
With one account to store everything in, many people's first reaction is that they now have one place from which to lose everything. Crack your OpenID provider and you crack every other site. Being able to get into all sites using one password is undeniably attractive but is it worth it if it lets someone else in too?
Today's access-all-areas: email
The irony is that we already face the threat of the latter without any of the convenience of the former. Ever forgotten your password? How did you get it back? Did you perhaps click the password reminder button?
Almost every account you have across the web can be accessed using your email account. As soon as someone has your email account they have the key to your other accounts.
Since over a third of users use the same username and password everywhere, the problem is actually far worse than this, as they inadvertently grant access to their email account to each new service they sign up to. I ask for your username, password and email address when you sign up to WinAnotherIPod.com and you give me the same one you use for your email provider and PayPal.
Today's user has all of the risks associated with a centralized login and none of the benefits.
OpenID and phishing
Just like PayPal and Google Checkout, OpenID is a protocol vulnerable to phishing attacks. Click on a subversive Google Checkout link, enter your Google login details onto a phisher's website and you've given away your Google account and payment details. Click on a PayPal button that connects to a bogus storefront and you accidentally give away your PayPal username and password.
OpenID can be attacked in exactly the same way. Arrive at an OpenID enabled website without being logged in and you'll be redirected to your OpenID provider to do so. Don't look too carefully at the URL of that login page and you might accidentally find you've given your details to someone you didn't mean to.
There are various ways of making it far more difficult for this to happen and some that make it almost impossible. At their best, OpenID services like Clickpass.com make a user far more secure than they are using conventional logins and do so across all the sites the user visits.
Make yourself small
The last point is very important because when it comes to being attacked, it's always easier to defend a smaller area than a larger one. If spiders and aliens are descending on you in a computer game (or indeed in real life) you get your back against the wall. Leave the keys to your house under every pot in the garden and they're more likely to be found than if you leave them under just one.
Web users today defend their security and their privacy on lots of fronts simultaneously. For people who use the same password everywhere, every new account is a new place for it to be compromised, every new place you enter your details is another place they can be stolen from.
With only one account to log themselves into, users can afford to be more careful about how they do it. They can use email authentication, SMS confirmations and even RSA key-fobs to secure that OpenID account and, by association, every other account that it links to. The power of single sign-on means that the heightened level of authentication can now be re-used and re-demanded across the user's entire network of sites.
So where is it?
It would seem like OpenID is the wonder-drug of the internet. With the power to decrease password reset requests, spam and fraud and the ability to increase conversion rates, user loyalty and security, it seems almost too good to be true. Today, unfortunately, it still is.
OpenID is fully functional but still raw and too tricky for the average internet user to be able to understand. Even as I write though there is change afoot. Various startups and initiatives, including the OpenID specs themselves, are filling in the gaps and rounding off the corners.
The user experience isn't yet finally complete but with people like Verisign, Vidoop and our team at Clickpass working on solving the remaining parts of the puzzle, the future for OpenID looks very, very promising.




In your estimation, how long will it take for OpenID to finally gain mass adoption?
Will it end up the way of RSS and be an abstract concept for the masses?
Hi Dennis,
There are a lot of things that need to be tweaked in the OpenID user experience as it stands today and despite the brilliant simplicity of the protocol I think that it’s unlikely to get traction until those are complete.
That said, once the experience does constitute something that the average user understands and can follow I think that it’s probably got a couple of years before nudging on mainstream.
Unlike RSS, OpenID also has its own inbuilt killer-app: single sign-on. It was always difficult to explain to the average user how RSS would actually help them, but everyone hates passwords and, given the choice, most people would choose to get rid of them.
The problem with OpenID is that it simply doesn’t work as advertised outside the sandbox. Any site utilizing it still needs to create a local record for each user that they can reference in their database.
Every time I’ve used a site that allows for OpenID authentication I still end up on a screen that asks me to enter my email address and then I have to wait and click a link to confirm.
If I have to go through that, then I’ve saved almost no time at all by not having to enter my username and password too. In fact, I’ve probably prolonged the process by being bounced to another site with a totally different look and feel requiring me to mentally jump back and forth between two visual models.
Show me a website whose registration form consists of ONLY a username and a password and I’ll agree that it’s a good candidate for OpenID. Everything else has problems.
The problem Udi brings up is right on topic. What’s missing here is the ability for the user to easily and quickly pass data (with permission) to the new site. This is kind of like Roboform or its ilk. You want to allow the site to get other needed data (i.e., address) but not superfluous data for authentication (i.e., my social security number or mother’s maiden name). This is where the PayPal model works pretty well (i.e., here’s my address, the money’s in your bank account, but you don’t get my bank info). PayPal needs to do something more like ING (but perhaps not quite as draconian… I can’t believe how many times I’ve had to reauthenticate into that puppy) - but something that shows me some personal item from the page, so that you can stand a good chance of defeating the inevitable phishing attacks.
Why doesn’t PayPal do this?
@Udi - I couldn’t agree more, there are a lot of steps involved in someone using their OpenID somewhere, and enough that it almost gets to the point where it’s not worth doing it. Some of them simply have to be in place but there are a few interesting things you can do to reduce those steps almost to zero.
@X-Ray - I can’t speak for paypal but “form-filling” is the next big win for OpenID (or any portable identity). The challenge though is making that “form-filler” so easy and quick that users feel it’s worth the diversion without sacrificing their privacy in the process.
How does CardSpace fit with OpenID? Now and in the future?
The biggest problem with Open ID is that there are not enough sites that consume them. I have yet to come across a new site that I was interested in that would let me use an Open ID to create an account. This is where the promise and reality fail to come together. The value to the user of Open ID is the number of sites they use that accept Open ID authentication (minus one if they have to get an Open ID from a site they would not otherwise use).
You’ve hit the nail on the head David. A single sign on solution is only as valuable as the sites you can sign on to using it. OpenID is actually accepted at a lot of different sites today and you can use it very extensively. The problem for a site owner though is in deciding whether the investment in installing it is going to pay off in value for their users once they have. Until it gets a little easier, it’s not clear that that is the case for mainstream sites just yet.
Hey…
I am very interested in finding out about this OpenID stuff. And I am currently developing a webApp in ASP .NET 2. … But I cannot find any help as to how I can implement OpenID… I just wish there was some more help for developers. Coz if there was, then people could start using it a bit more.
Do you have any help with how I can start implementing it, to test etc in my site?
[…] While spending my Saturday morning working the PCC desk, I also managed to churn through the vast majority of the tech blogs that I’d been neglecting for the past couple of months. I found 2 articles on the Vitamin site that I wanted to comment on, so I’m including them both (despite them being about vastly different topics) in one post for my own convenience. The first one I came across was an article that explains OpenID pretty clearly. It gives a nice introduction to it, but also gives some responses to criticisms of it - such as the ’single-point-of-failure’ issue. If you log into all of your web services with your OpenID, you can lose all of your data when/if your OpenID gets hacked. Peter (the author) pointed out that most of us already have that sort of vulnerability - in our email. If you forget your password, where do most services send it? All someone has to do is hack your email account and they’ve got the ability to get most, if not all, of your other accounts’ information. OpenID is something I’ve certainly blogged about before (though those posts may be lost forever… I’m not doing a good job of grabbing them!) but I wanted to point to this article simply because it does the best job of taking potential vulnerabilities of the OpenID system and addressing them. The comments also bring up other issues with the system (requirement to still enter information such as email into each service you use, regardless of your use of the OpenID login and lack of mainstream sites accepting OpenID yet were two biggies) and the author does respond to those as well. I’d love to use the OpenID system at the library - but right now I don’t have control of about the only thing that users sign into - the catalog. Once we get more personalization/user profiles/whatnot into our main site, the OpenID system will definitely be one I implement to help our more tech-savvy users log in easily and quickly. 
@Kris
Kris, you can find most of the OpenID libraries at:
http://wiki.openid.net/Libraries
and there is also a Google code .NET project at:
http://code.google.com/p/dotnetopenid/
thank you editors
yes but getting access key is very very hard
This comment:
“A good place to look for the answer to this is Evite.com. One of the reasons Evite became so successful is that it didn’t require people to create accounts in order to see their invitations. Clicking on a personalized link sent to you in an Evite email is proof that you own the email address and logs you directly into Evite.”
is *so* wrong with regard to one’s “identity.” (You are probably right that uptake of evite was strong in part because registration is not necessary, but that is a different issue.) If you forward your link by accident to someone (perhaps thinking you’re going to invite them, too) then they can log in as you. The personalized link is NOT ‘proof that you own the e-mail address’ (as you claim). It is only proof that you received the link.
One reason evite can do this is because, for the most part, it is a trivial service. If, for instance, someone was sending you money via a link, you can bet that additional work would be required to do anything on behalf of the intended recipient of the evite.
Quite seriously, the analogy with evite is profoundly flawed, and doesn’t fit with the surrounding discussion of openid.
There is a funny tshirt that addresses one of the main concerns about openID. Check it out.
Despite the worry about one place to lose your password - I like open ID and will support it where I can.
Wow!! OpenID concept is just like living in the world of Utopia.
Really an ideal case.
I realize this thread has been going on for some time now, but I did want to point out that many of the questions and concerns posed over the last few months have been addressed in the latest OpenID Spec (2.0) as well as greater benefits through Attribute Exchange 1.0, which I hope will encourage more mainstream sites to start consuming OpenIDs. It is helpful to the survival of the OpenID “movement” having Google (Blogger,) Yahoo and AOL, among many others, starting to consume. 2008 may be the year OpenID truly enters mainstream. I would however like to see more focus on the benefits of implementing OpenID directed to sites (Relying Parties.) Does anyone know of such a resource? I am trying to compile a bullet list of key reasons sites should become Relying Parties. SpreadOpenID.org is great for consumers, OpenID.net is great for techies and developers.
no comment
I really like the idea of OpenID from a user's perspective. Sure, it's great to have one ID / password to access multiple web sites. I have accounts all over the web and keeping up with them all is a nightmare, especially after reinstalling my operating system and losing all my cookies. I suspect it's a lot more than 30% of users who use the same password on multiple web sites. I would bet the number is much closer to 90%.
Personally I look at how major a web site is and how well designed it looks. I also take into account how important it would be to me if my account at xyz.com should get hacked or not. If it's just a forum or something simple I use a basic, easy to remember password. If it's something much more important like a bank or PayPal then, since it is important and I do trust this web site, I use a much more secure password. So basically for most sites I have a weak password and a strong password.
From the perspective of a web site designer and programmer, setting up OpenID looks rather complicated. There are many things I’m not sure how they would function without first going through the whole process. If I didn’t like it then I just wasted valuable time. I plan to offer a service that my users will pay for, so it's important that if I did integrate OpenID with my site that I still maintain some control. Like, would my users still have their own username on my site? Can they still have a profile and private info on my site that's separate from their OpenID profile? So many unknowns hold me back.
Thank You,
MyWebs
I don't like that some things are out of my control while coding. That’s why I will never use asp.net or openId.
Much better for my site!