Totally understandable, one of the worst-executed visions of all time.
I think there's a really huge opportunity in this space, and the first who'll be able to figure out the perfect (and, most importantly, simplest) way to offer a single-sign-on, integrating privacy and security features, will be hugely thanked.
That particular holy grail is a poisoned chalice and it has claimed plenty of victims; anyone remember Sxip? It's not a technical problem, it's power, control and ownership. Anyone in a position to allow a platform to get serious traction isn't going to give that control up, and anyone that isn't can't make a system with enough traction. Then there are issues of trust, delegation and longevity. I'd love someone to do it well; I'd love the ability to have anonymous, durable, cryptographically verifiable identities online that could be optionally tied to meatspace identifiers, but I just don't see it happening.
> Anyone in a position to allow a platform to get serious traction isn't going to give that control up and anyone that isn't can't make a system with enough traction.
The department of commerce wants to create such an identity system. I'm not sure I like the idea, but it would be "single sign on". I think it is a safe bet that their intention is to eventually make it mandatory, and they have the "ownership", presumed trust, and longevity, not to mention the ability to pass laws "encouraging" adoption.
Putting it in the hands of the government actually fails the trust requirement. Trust is not a binary "this entity is trustworthy"; trust is a set of relationships between two entities, and not everyone will trust the US Government, nor will everybody be trusted by the US Government. Even in a perfect world with a perfect US Government, that is the correct answer: not everyone is under US jurisdiction, after all, so we don't even need to get into the political issues. If made mandatory (and the only option), this is a critical failure on the trust front. It can't work; you can't tie your login system to only the US login system, and if you have to have other login systems, US citizens will be able to use those too.
I can already see the early adopters: Russia, China, France, Germany...
Even if you do it so that the actual data stores are separate and you manage to keep the APIs the same, lots of countries will have huge issues with adopting U.S. policies.
No, the Department of Commerce wants to help create a standard. It's a damn hard task, but even harder when the net's FUD is that the feds want to create an identity system. No, no they don't. And their process is pretty great. But they will fail, in no small part due to FUD, and we'll all be using Facebook Login Plus soon and wondering why we never got an open standard.
I spent a couple of years advocating for OpenID adoption, because I believed that the alternative (one or two companies controlling login for the entire Web, à la Microsoft Passport or Facebook Connect) would be a massive blow to the decentralised nature of the internet. I believed that OpenID's usability issues could be resolved if enough smart people got involved in figuring them out.
Clearly I was wrong on that last point.
And yes, my latest project (lanyrd.com) uses Twitter rather than OpenID for authentication. From a developer point of view, that gets me the benefits I hoped for with OpenID (SSO, portable identities, instant contact lists) without having to wait for the world to agree on the standards. I just wish we could have figured out a decentralised solution.
For most users I talk to, an email address (rather than a URL) is how they think of identifying themselves in a cross-system way. Orienting the spec around that would have made a huge difference.
Were HCI experts a big part of the community that put together the vision and architecture? How diverse (tech background, language, age) was the original community? Both of those are areas that could have made a big difference.
It remains a great vision, so hopefully people will continue to work on it.
> For most users I talk to, an email address (rather than a URL)
Hits the nail on the head. It's unbelievable how dumb geeks who try to design UX experiences can be (and I say this as one of them). The first day I saw OpenID I was amazed that anybody would try to use a URL as an identifier.
Why would anybody put something that no normal person understands front and center of their UX? This is like opening a shoe shop and putting a quiz about 2nd order differential equations on the front door. Guess what - nobody is going into your store!!!
It was already a huge challenge to get people to understand the concept of using a login from one site to log in to another. But it was doomed from the start the minute someone said you should have "http://" in front of your username.
It uses your email address, and seems to offer a good way to get access to an OpenID-like sign in (maybe this is using OpenID or OAuth under the covers?)
It looks like WebFinger is not really an authentication system but functions more like a user profile. It lets someone know what music you listen to, or what programming language(s) you know, but it doesn't prove that you are you.
Simon, I know the work you and others have done and continue to do in the OpenID world, and it's commendable work.
The problem with OpenID and other Open Web work IMO is the sheer number of half-baked specs brought forward. Much more than in any other standards group. I don't know why. "The nice thing about standards is that there are so many of them to choose from," as Tanenbaum said. Perhaps there is a general lack of attention span, an ooh-shiny problem, a not-invented-here problem that is particularly rampant in this community.
"one of the worst executed visions of all times"
What could have been done better?
I'll tell you what it should look like (the fact that it's impossible is not the point): whenever I land on a site that asks me to login, I get a menu of all my possible accounts, I pick one, and I'm in. End of the story.
Kind of like Dropbox being simple and intuitive when everyone else was building overly complex stuff.
Ok, it's impossible. Now tell me how you're going to do it anyway and laugh all the way to the bank.
The fact that you can conceive of it means that it likely isn't impossible, merely very difficult and possibly non-obvious. But that's how pretty much every real success story starts. You really may be on to something here.
This could be possible if web browsers (not just web sites) were aware of the standard and participated in the UI flow. Mozilla Labs prototyped something along these lines (not targeted for inclusion in Firefox 4, but possibly for the next release):
It's kind of you to say but the reason our sales and marketing was poor was that we couldn't figure out what we were selling or marketing. Try as we might we couldn't figure out who really wanted it and where to make money.
Most websites simply can't see enough of a bang for an engineering buck they could be spending on something else (i.e. they don't even want to install it, never mind pay for it) and if it's done well consumers don't even see it so there's no money to be had from them either.
I'm sure we could have made it all slicker still but even Facebook login takes some justification and Clickpass didn't deliver anything like the value that that does.
For early adopters who try out lots of different sites, Clickpass would be a big win for both the users and the sites. Once the early adopters are doing it, everybody else will see the convenience.
The potential problem with this solution, although I do like it, is that your accounts can be attacked by someone who has any one of your login/pw combinations. You must treat them all as equally valuable. I'm not sure people on the web are at that point yet.
Isn't this kind of what Blogspot does? I'm not very firm on the background, but generally when I go to post a comment on a Blogspot/Blogger site, I'm given a choice of either my Google account or OpenID, with OpenID being a choice of several favicons (Yahoo, Google again, etc.).
The real answer is that for the web to continue as it is, no such system must exist. If you require a single authentication, the web stops being a loosely coupled system and becomes dependent on a single entity.
I believe that part of that design is what's so confusing to non-technical users. If somebody were to tell them that "the box in your basement" could be used to verify access to their banking website, you'd completely lose them. Granted, it's an implementation they'd likely never encounter, but the fact that it's possible just contributes to the noise around OpenID.
If you were to tell people in 1985 that they would be able to see their credit card balance on an LCD of a mobile phone while jogging, you'd completely lose them too.
I think the problem lies in how those identities are established. A prolific Twitter or Facebook account makes a good identity precisely because you have spent time pouring your identity into it. Your family photos, relationships, residence and work history on your Facebook page. Your daily thoughts and actions cataloged on your Twitter feed. While not perfect, they're the best thing we have right now to externally verify that you are who you claim to be. They provide context to the authentication. Any external service that implemented the authentication standard that may arise out of this situation lacks that identifying context and in the best-case scenario only serves to prove that the user authenticating is the user who set up the account. Taking away Facebook's and Twitter's context makes spoofing that authentication much easier.
Solving that in a way that doesn't violate the privacy concerns of your users seems like something of a holy grail. Panacea if it exists, but far from demonstrated.
Oh, yeah. Tie it to email addresses; let any domain publish an SRV record pointing to its ID server. Then all you have to know is your email address, not your OpenID URL.
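Here is what the email-plus-SRV discovery sketched in that comment looks like in code. This is an added example, not code from the thread or from any OpenID implementation: the service label `_openid._tcp` is a hypothetical name chosen for illustration (no such label is standardised), the DNS zone is constructed inline so the example runs offline, and the resolver is injected so a real one (e.g. dnspython's `resolver.resolve(name, "SRV")`) can be dropped in. Record selection follows RFC 2782 (lowest priority first, weighted random among equals, a target of "." meaning "no service here").

```python
"""Email-address based identity-provider discovery via DNS SRV (added example).

Assumptions (not from the thread): the SRV service label is `_openid._tcp`
(hypothetical) and the SRV target is an HTTPS host serving the provider
endpoint.  The resolver is injected so the example runs offline.
"""
import random
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

SERVICE_LABEL = "_openid._tcp"  # hypothetical label, chosen for this example
_LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN, or "." meaning "service decidedly not available"


def srv_name_for_email(email: str) -> str:
    """Map user@domain to the SRV owner name for that domain.

    Split on the LAST '@' (local parts may legally contain '@' when quoted),
    normalise case and the trailing dot, and reject malformed domains rather
    than sending garbage to the resolver.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    domain = domain.rstrip(".").lower()
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(l) for l in labels):
        raise ValueError("bad domain")
    return f"{SERVICE_LABEL}.{domain}"


def select_srv(records: List[SrvRecord],
               rng: Callable[[], float] = random.random) -> Optional[SrvRecord]:
    """RFC 2782 selection: lowest priority wins; among equals, pick by weight."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = sorted((r for r in records if r.priority == lowest),
                        key=lambda r: (-r.weight, r.target))
    total = sum(r.weight for r in candidates)
    if total == 0:  # all weights zero: any is fine, stay deterministic
        return candidates[0]
    pick = rng() * total
    running = 0
    for r in candidates:
        running += r.weight
        if pick < running:
            return r
    return candidates[-1]


def discover_provider(email: str,
                      resolve: Callable[[str], List[SrvRecord]],
                      rng: Callable[[], float] = random.random) -> Optional[str]:
    """Return the provider's base URL for this email's domain, or None.

    Caveat a practitioner should keep in mind: DNS answers are unauthenticated
    unless validated with DNSSEC.  Without that (or a TLS certificate check
    that binds the target to the email's domain) a spoofed SRV answer sends
    the user's login to an attacker's server.  This example does not add that
    check; it only shows the discovery step.
    """
    records = resolve(srv_name_for_email(email))
    chosen = select_srv(records, rng)
    if chosen is None or chosen.target == ".":
        return None
    return f"https://{chosen.target.rstrip('.')}:{chosen.port}/"


# Constructed zone data for the example (not real DNS).
CONSTRUCTED_ZONE = {
    "_openid._tcp.example.com": [
        SrvRecord(10, 60, 443, "id1.example.com."),
        SrvRecord(10, 40, 443, "id2.example.com."),
        SrvRecord(20, 0, 8443, "backup.example.com."),
    ],
    "_openid._tcp.only-backup.example": [
        SrvRecord(20, 0, 8443, "backup.only-backup.example."),
    ],
    "_openid._tcp.nosso.example": [SrvRecord(0, 0, 0, ".")],
}


def constructed_resolver(name: str) -> List[SrvRecord]:
    return CONSTRUCTED_ZONE.get(name, [])


if __name__ == "__main__":
    for addr in ("alice@Example.COM", "bob@nosso.example", "eve@unknown.example"):
        print(addr, "->", discover_provider(addr, constructed_resolver))
```

The relying party still needs a separate, authenticated step (the OpenID or OAuth exchange itself) once it knows where to send the user; SRV only answers "which server speaks for this domain", and only as reliably as the DNS path it came over.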
Not really. Consider for example Yahoo's implementation: when I get redirected to Y! for login, I have my personal login seal on the page that assures me that I am actually talking to Yahoo and not some scam site.
What about a man in the middle? (Go to Yahoo, get your image and display it for you.) Heck, even pass your credentials through to Yahoo to verify that you gave me the correct credentials.