
A Pyrrhic Victory for OpenID

The blogosphere is abuzz this morning about the great news for OpenID – Yahoo! is now supporting the single user sign-on process. Kinda.

You can read the grand headlines at CNet, Mashable, or TechCrunch; cutting to the chase, here is what is actually happening.

This is a pyrrhic victory for OpenID. Yahoo! is now allowing you to use your Yahoo! ID as an OpenID, but they aren’t ACCEPTING OpenID to log in to their site. Acceptance as a relying party is where the bottleneck is – something Yahoo! themselves mistakenly alluded to on their own OpenID page:

OpenID is an open technology standard that solves all of these problems. The OpenID technology will allow you to use your Yahoo! account to sign in to hundreds of web sites! And this list is growing every day…

Nice. There were at least 120,000,000 OpenIDs in existence, including those served up by AOL, MyOpenID, ClaimID etc., and now there are something like 370,000,000 with the inclusion of Yahoo! IDs. And there are hundreds of websites you can use it on? I’d hardly call this “finally reaching critical mass.”

Technical reasoning

I’ve heard a number of reasons why OpenID has had such a difficult time, but the biggest has surely been technical. That complaint is justified (I speak from experience), and then again it isn’t.

Getting your website to accept OpenID can be a bit of a chore. If you’re a blogger, you’re primarily reliant on the work of smart developers in the open source community. They produce the plug-in for, say, WordPress, and you download and install it. If you are running a platform that isn’t getting much attention, you have to pull source from the libraries and try implementing it yourself – the same goes for any website you are running that doesn’t use some “preferred platform.” And there are always associated problems to deal with – even though I prodded one outstanding developer to update a plug-in so I could accept OpenID comments on this blog, I’ve got database problems which I’m too busy (aka lazy) to fix, so I can’t yet.

Conversely, putting up a simple OpenID provider is not too difficult a task. You can install a copy of WordPress MU and add the OpenID plugin. You can grab a copy of Drupal which has most of the components built into the core. Or you can just pick up some free standalone server code and spend a few more hours tweaking it yourself. You don’t yet have a critical mass of users, but you do have a functioning system.

Boiling down misaligned incentives

  • If I take the time to fix some issues and accept OpenID here, I’ve now got an additional way for people to comment. Unfortunately, they can comment right now just as easily – I’ve therefore decided to do it the next time I break a collarbone while snowboarding – I’ll have plenty of free time to fix my database since I won’t be able to ride (or cast a fly rod).
  • If I build a nifty new service and accept unmitigated OpenID-based sign-up/sign-in, I could potentially gather many techno-elites as clients. This isn’t a bad proposition, but I’ll have to maintain the awareness that I’m also giving up valuable data on my users to whomever their OpenID provider is – if the providers are few and large, I run the risk that one of them is going to replicate my service and inform my new-found user base of said fact.
  • If I launch an OpenID server to provide IDs and gain significant traction, I can then gather a plethora of data on my users. I’ll know their site visitation habits, whose blogs they comment on, and what times of the day they are active on the internet. If I’m creative, while maintaining their trust, that data could become quite valuable. If I’m already a 10,000 pound gorilla and I integrate a provider, I may not even bother with the “trust” bit.
  • It seems there is little or no incentive to accept OpenID, or I’m going to have to weigh some risks – and it is difficult to execute. Meanwhile, there are plenty of reasons to hand out IDs, and I can have a server up within hours.

Bottom line

Why aren’t the megaliths tripping over themselves to integrate relying parties? The answer is simple – data. Offering OpenID on a provider-only basis could be a boon for sites – they have all the information associated with your use of their service, and can grab tidbits on your use of other websites. It presents the perfect opportunity for someone like Yahoo! to gather “social graph” information on its users without the cost associated with building (or buying) another Facebook. If you were allowed to use your third-party (or self-managed) OpenID on their site, you’d have no incentive to maintain your Yahoo! ID and Yahoo! would potentially lose two sources of information.
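To make the data point above (and the third incentive bullet) concrete, here is an added example, not from the original post, that simulates what an OpenID provider can reconstruct purely from the checkid requests its users’ browsers deliver to it; the identities, sites and timestamps are constructed, and the parameter names are those of the OpenID authentication request.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a provider sees: (timestamp, query string of the
# OpenID request the user's browser was redirected to the provider with).
SAMPLE_REQUESTS = [
    ("2008-01-17T08:02:11", "openid.mode=checkid_setup&openid.identity=https://me.example/alice"
     "&openid.return_to=https://blog-a.example/wp-login.php&openid.realm=https://blog-a.example/"),
    ("2008-01-17T22:15:40", "openid.mode=checkid_immediate&openid.identity=https://me.example/alice"
     "&openid.return_to=https://forum-b.example/openid/finish"),  # no realm: fall back to return_to
    ("2008-01-17T13:40:05", "openid.mode=checkid_setup&openid.identity=https://me.example/bob"
     "&openid.return_to=https://blog-a.example/wp-login.php&openid.realm=https://blog-a.example/"),
    ("2008-01-17T09:00:00", "openid.mode=associate&openid.assoc_type=HMAC-SHA1"),  # RP-to-OP, no user
    ("2008-01-17T08:45:30", "openid.mode=checkid_setup&openid.identity=https://me.example/alice"
     "&openid.return_to=https://blog-a.example/wp-login.php&openid.realm=https://blog-a.example/"),
]

def parse_request(timestamp, query):
    """Return (identity, site, hour) for an authentication request, else None."""
    params = parse_qs(query)
    if params.get("openid.mode", [""])[0] not in ("checkid_setup", "checkid_immediate"):
        return None  # association / check_authentication traffic names no user
    identity = params["openid.identity"][0]
    # The realm (trust_root in OpenID 1.x) is the site asking; return_to is always present.
    realm = (params.get("openid.realm") or params.get("openid.trust_root")
             or params["openid.return_to"])[0]
    site = urlparse(realm).netloc
    hour = datetime.fromisoformat(timestamp).hour
    return identity, site, hour

def profile(requests):
    """Per identity: which sites it signed in to and at what hours of the day."""
    sites, hours = defaultdict(set), defaultdict(set)
    for timestamp, query in requests:
        parsed = parse_request(timestamp, query)
        if parsed is None:
            continue
        identity, site, hour = parsed
        sites[identity].add(site)
        hours[identity].add(hour)
    return {i: {"sites": sorted(sites[i]), "hours": sorted(hours[i])} for i in sites}

def shared_sites(profiles):
    """Invert the profile: identities that meet on the same site form a social-graph edge."""
    by_site = defaultdict(set)
    for identity, data in profiles.items():
        for site in data["sites"]:
            by_site[site].add(identity)
    return {site: sorted(ids) for site, ids in by_site.items()}
```

Nothing here needs cooperation from the relying parties; the provider gets this view of every sign-in as a side effect of the protocol, which is why who runs your provider matters.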

What’s needed

Acceptance is still the big issue. If millions of sites allowed OpenID, the authentication process could solve a lot of problems – it isn’t happening because there are few if any incentives to accept it. There has to be a tangible benefit for those allowing OpenIDs in (and please don’t say “but you’ll get more comments” – that’s like saying you’ll get more spam). I’m now beginning to believe that OpenID is also going to need choice, in the form of millions of OpenID providers. A dozen or so significant providers controlling hundreds of millions of accounts isn’t going to cut it. Unless of course it’s renamed OligarchyID.

UPDATE: Marshall Kirkpatrick says don’t throw a party just yet. Pay attention to the points about extension of provider brands versus extension of the OpenID brand.

UPDATE 2: Information Week yawns, and a press release confirms what Marshall Kirkpatrick inferred: this is about Yahoo! ID, not OpenID.

UPDATE 3: Yahoo! could have done much better here for sure. Maybe they should break themselves up before they bring their partners down with them?