On OpenID’s Relying Party Adoption “Problem”

Just about everybody seem to be complaining that there aren’t enough sites where one use those hundreds of millions of OpenIDs. (Known as "relying parties" in the jargon.) And there is no denying, it’s a lot easier these days to get an OpenID than to use it.

There are conflicting views on how many OpenID relying parties there are. Our friends at JanRain post that there are about 18,000 by now, which would be respectable. The OpenID Directory knows only of 634. Yahoo!’s OpenID gallery is almost empty, although very clearly underpopulated. But regardless what the numbers may be, personal experience (certainly true for me) shows that one comes across an OpenID login box on the web far too rarely.

So what’s going on here? Should we worry?

First, let me be clear that if the situation continues the way it is now, OpenID is rather useless. Imagine hundreds of millions of keys, but no locks. Razors but no blades. Credit cards but no merchants taking them. Clearly not something that works. (Yes, Jeff, I agree.)

But there is a Big But: it’s NOT the ratio between available identities and relying parties today that matters to OpenID’s success, but whether the ratio will continue to be the same going forward. I am writing this to convince you that it will not.

The big fallacy by those declaring OpenID to be useless for all eternity is that they predict future market adoption by extrapolating linearly from the current numbers in what is still a very early market. But that’s wrong: new-technology markets aren’t linear, they never have been and they won’t be for OpenID either. So whatever conclusion you personally believe, make sure you don’t arrive at it from linear extrapolation.

The essence of my argument is that OpenID adoption occurs in two totally different customer segments: those adopting it for the purposes of being an OpenID provider, and those adopting it as relying party. (There are additional segments, such as vendors, that are irrelevant for this discussion.)

In my view, identity providers and relying parties are different customer segments in every standard sense of the term: they adopt the technology for different reasons, identity provider and relying party adopters do not reference each other, their value proposition is different, the solution components are different etc. etc. (So far, no surprises here, I’m stating the obvious if you are applying standard strategic marketing thinking.)

But this means that the timing of adoption by one customer segment is almost completely unrelated to the timing of adoption by the other customer segment. So we should not be surprised that adoption in one segment (identity providers) has occurred at a different point in time — earlier, and faster — than in the other. (Again, I refer to Crossing the Chasm.)

So why have identity providers been first, by some margin? A number of reasons:

  • The cost and risk of becoming an identity provider is far lower than the cost and risk of becoming a relying party. As an identity provider, all you have to do is to add some code to your existing user authentication system, set up a new site (like openid.aol.com or openid.yahoo.com), and at a minimum, you get all the marketing and thought leadership benefits of being an OpenID provider.

    Things are much more complicated for a relying party: first, you need to decide which identities and which identity providers to trust. (If you get that wrong, your site is likely going to get defrauded and you get fired!) Also, it’s not a new site that you are setting up as a relying party, but you have to change your existing website, which is far more complicated because you constantly worry that you impact your existing business.

  • The benefits for OpenID providers are strategic (and thus they can spend some "corporate play money") while the benefits for OpenID relying parties are operational (part of the regular risk-averse financial planning process with the CFO).

    If you’ve ever moved from a "new projects" department into a core business department in a company and banged your head against the wall about how hard it was to get anything innovative funded, you will understand immediately what I mean: potential relying parties have to win the argument against a conversative business case that is highly risk-averse, while potential identity providers only need to get (less) high-risk money. Based on that, it’s surprising that today we have any relying parties at all!

Given this (predicable) situation of potential relying parties, what’s really surprising here is not that relying party adoption lags, but that we have so much adoption by identity providers today: after all, anybody who does the analysis will realize that it will be difficult for a long time to sign up relying parties, and thus it is difficult to argue that one’s company should become an identity provider before enough relying parties are available.

This means: OpenID should suffer from a chicken-and-egg problem: relying parties won’t deploy because of a lack of identity providers, and identity providers won’t deploy because of a lack of relying parties. But it does not! That’s the really interesting thing, and the wonderful thing about the way OpenID adoption has progressed.

So. When will relying parties adopt en-masse?

Well, I admit that I don’t know. I don’t think anybody else knows either. It might still a couple of years out. (Yep, I don’t like that either.) Certainly, until very recently OpenID was not adoptable from a business perspective as a relying party due to a lack of identity provider customer share. That argument of course becomes less relevant every time another major identity provider springs up.

What I do know is that the time lag in adoption by relying parties is not only not surprising, but absolutely necessary for the above reasons. So let’s not complain about it. Instead, let’s ask "now that there is so much adoption of OpenID by identity providers, what needs to happen so that relying parties can also adopt it?" (Some of my items are listed here.)

Going into 2009, this should be the question at the top of everybody’s mind. Even MySpace‘s: what good does it to them to be an OpenID identity provider if there aren’t enough relying parties? So the other good news is: one more substantial party that is incentivized to help us figure it out — and the Facebook Connect announcement might just be the jolt that is needed.


Posted

in

by

Tags: