Is OpenID Still User-Centric?

I’m beginning to have second thoughts.

Plenty of people (myself included) got involved in internet identity because of its promise to put all of us as  individuals at the center of our interactions on-line. To empower individuals to define and offer and enforce their own terms in their interactions with others. To not merely be somebody’s user or consumer, but to be a first-class citizen of the net. To not be at the mercy of any government or organization.

And from a merry band of similar-minded individuals, the movement was born. The assumptions were:

  • Anybody could set up their “digital home” anywhere on the web at any URL of their choosing. The address of that home would be their LID or OpenID URL.
  • When visiting somebody else’s site, they would use that URL-to-home to create a relationship from your site to my site, from your on-line home to my on-line home. It wasn’t thought of single-sign-on, but the equivalent of leaving one’s card at someone else’s place with the invitation to visit and establish a relationship. Technologically similar, but very different in intent.
  • This relationship between your site and my site would enable two-directional information flow for a variety of interesting purposes that could be switched off by either participant at any time.

While OpenID, the technology, still can support all of this, the thrust of the thinking of many of its larger supporters today goes into a different direction:

  • There is a belief that URLs are too complicated to use by the average individual, which has encouraged what’s called the OpenID “NASCAR GUI“. However, because that GUI can only show a few icons, it clearly encourages me to use a big-company-provided identity instead of my own.
  • Directed identity and identifier select hides the identity URL and downplays the “let’s create a relationship by exchanging pointers to home” to the extent that few people new to OpenID can even comprehend they are getting mere single-sign-on, not relationships.
  • The primary focus of OpenID-based profile exchange is to convey the user’s e-mail address to the visited site (usually a vendor), so that vendors can send e-mail to the user. Note that because it is e-mail, the the user cannot turn it off. It didn’t have to be that way.
  • Certification has entered the picture. While many details are still unclear, all certification schemes that I’ve ever heard of require substantial effort and perhaps money to get certified. In all likelihood, that will make it all but impossible or impractical for individuals to play on a level playing field with mere users of large company’s products. This is particularly ironic when applied to the relationship between citizen and government, which suddenly will have to be mediated by substantial commercial entities. Among other things, they get to see which citizen interacts with which part of the government when and how often.

I know the argument that “if the user can see which attributes go over the wire, it’s user-centric.” Well, yes, perhaps, but in my view that’s user-centric in the same way a calorie-free chocolate cake is sweet. I ordered a real chocolate cake, though, please, where did it go?

Don’t get me wrong, there are good things about all of this, the most important of which is that the state of the art has driven substantially more adoption than it likely would have been in the less organized, decentralized, you-be-in-charge-of-your-own-destiny world.

But is the price of more adoption less user-centricity? Or is that just a phase we are going through?

I hope to discuss this and other big questions at the upcoming Internet Identity Workshop. Hope to see you there.

10 responses to “Is OpenID Still User-Centric?”

  1. Seems like Facebook’s publishing vanity URLs (ie:, Twitter likewise, now that login’s accomplished, I think the problem to be solved is in the Relying Party in terms of identity consolidation and identity management that transcends the simple login stuff that OpenID offers.

    We’re still stuck with the NASCAR interface for login, but once we get past that I think the matter of who’s providing the vanity URL (or, in the case of Twitter, more likely the redirect to the vanity URL) becomes less important.

  2. OpenID proposed to create a user-centric system under the assumption that all users would acquire and manage vanity URLs. The solution was practical and useful for active bloggers (and blog commentators) and enabled viral spread of OpenID among these highly connected communities. However, it is not clear at this point if this assumption is reasonable for the web public at large.

    Interesting questions to answer:

    1. Are vanity URLs the most accessible way to create a portable, open,and user-centric identity system for the web?

    2. If not, what technologies could be used in addition to vanity URLs to provide most of the user-centric benefits of OpenID with vanilla URLs to the average user?

  3. So the two things that are hampering OpenID adoption for any of the applications I’m playing with are:

    1. A decent user name mechanism.

    2. A reasonable set of consumer libraries that have enough of a pedigree that I trust that they’ll work with more than one specific implementation.

    Okay, I’d also like:

    3. A reasonable set of provider libraries, ditto, so that I can actually own my own identity rather than delegating it to someone who’s taken the time necessary to figure all this out.

    The last time I tried to implement OpenID either as a consumer or a producer I found all sorts of places where whichever libraries I was playing with fell short on both of the latter counts, and I’m told that #1 has been solved with some latest version of OpenID, kind-of, but it clearly isn’t solved with any of the sites I use OpenID on with the current delegation mechanism I’m playing with. Which means it’s too hard for any users out there.

    If I can get to the point where I can quickly and easily be a conforming OpenID consumer and provider, as easily as I did with LID back when you first released that, and where the user names don’t look like mine above, then I see it as a platform worth building on. But I’ve been through implementing just YADIS and the complexities there convinced me that I don’t want to build the rest of OpenID myself, and, as I said, I’ve had interop problems that sent me into Ethernet sniffers when I’ve tried to use anyone else’s Perl libraries.

    As to where I’d like this to go… well… I’d love it if the iPhone’s “Bump” exchanged identity URLs rather than passing a bunch of static information that may or may not include a URL, because the wiring necessary to accomplish that means most of the hard problems get solved. But the steps there involve a lot of issues of adoption and getting people to believe that having a central online identity is a good thing.

  4. Dan, I think you are throwing out the baby with the bath water. The baby may not have all the attributes we’d like her to have, but then, she’s young and she can learn. And we can teach her … I’m more interested in the discussion of what tricks we’d like her to learn, and how we can accomplish that.

  5. I think OpenID has probably destroyed any notion of a workable distributed single-sign-on solution ’til authentication makes it into the browser. I don’t know what authentication in the browser will mean for logging on from public terminals, but I also know that wireless is getting ubiquitous enough that tying authentication to a device or set of devices is an okay compromise with me, and there’ll always be a username/password fallback, even if that’s low security. And in the mean-time, there’ll be Facebook Connect.

    So I think the easier target is a distributed address book. Unfortunately, with the advent of the net we’ve (had to) become far more restrictive about our privacy: Publishing stuff that we used to think nothing of letting in to the White Pages (like home phone numbers) has become a daring act. So, alas, this won’t be as simple as “tag some info on a web page”.

    I have been known to use “whois” records to find addresses to send holiday cards to people I normally only communicate with via email, but most people now are obfuscating that data. “Bump” on the iPhone allows sending a URL, but doesn’t automate retrieving further data as tastes and preferences change.

    I think the next challenge is to find the user need for identity. I had hoped that OpenID would solve the “login to the web forum” stage of that, convincing users (both identity consumers and those logging in) that SSO was reasonable, but in ignoring that use case and focusing on all sorts of other crap, OpenID has become something that doesn’t work for the simple case, and is further from acceptance at, say, the banking and finance level. And as I’ve said, OpenID has poisoned the well enough that LID or something else can’t really step in there.

    Publishing contact info is great, but it’s not perceived as dynamic enough to mandate some sort of mechanized update scheme. Publishing preferences would be fantastic for vendors interested in personalizing their marketing, putting a lot of technology into making sure they understand me on an individual level as a customer, but given the horrors of marketing on Twitter, I fear that what that’d really do is open us up to more and more spam.

    So ya got me: I’m going to ignore identity and go look at other problems for a while.

  6. I’m with you, Johannes. I’ve got a great number of concerns that we’re losing the thrust of the conversation to both Facebook Connect and to the larger providers — and that it all is adding up to serious setbacks to user-centric, user-controlled identity.

    That said, without providing stronger and more effective guidance on how to make UCI actually user-friendly, we will continue to lose out on any argument — and so top priority must be how to enable the freedom of choice while at the same time making it “idiot proof” (are the two even reconcilable?!).

    My talk is relevant here, I think:

  7. Clearly I think it’s abandoned both of its potential user bases: People using OpenID to login, and people implementing web software that accepts an OpenID for identity.

    Instead I think it became a bad compromise between groups which were all trying to get their own little bit of commercial intent into the spec. One of the reasons the IIW doesn’t really appeal to me is that I look at the list of attending organizations and think that this is going to descend into the political idiocy that the OpenID mailing list did, and any possible solutions which come out of such a meeting are going to involve intricacies that make the inner recesses of OpenID look positively tame.

    To your points of what it’s become:

    * NASCAR GUI: Exactly. I now have *more* identities because I’m never sure if I’ve logged on to this site using my OpenID, my Facebook, my Twitter, a username and password combo, or something else entirely. And given that sometimes OpenID works and sometimes it doesn’t, that fracturing is even more likely.

    * Yes, hiding the URL means that the notion of profile exchange and an identity which transcends one of these other services is entirely lost. There’s no notion that if I change my mailing address then the vendors using that information will be able to find me, for instance.

    * If I’m going to give an email address to a client site, then I expect that email will be my identity with them. If I give them that email as part of an overall identity profile, then that’s different, but I expect them to be able to use *all* of the information I include in that identity profile.

    * Certification would have been great if it had been a “can you log in to this site?” and “can this URL log in to your site?” and maybe even “here’s the information we see when you’ve logged in from that URL”. But every attempt to build test suites seems to have been shot down hard.

    So, no, you won’t see me at IIW, I don’t have the patience for that much political posturing. The identity system I’m using for the web site/application (whose target is the iPhone) I’m currently building is email; I’d love to use a URL based identity system like LID, but OpenID is too complex and limiting for me to bother with.

    I am, however, interested in discussing systems which are designed for use and usability rather than paranoid theory and making sure that everyone’s pet way to own identity and make money off of this.