
I’ll need to see some ID

I logged into Facebook the other night and decided it was time to update the ol’ profile photo. I can only look at the same thumbnail for so long before I get sick of it, so I snapped a new pic and updated my profile. Then I proceeded to discard the dozens of ignored app invites to do god knows what… I’m sorry people, it’s not you. It’s Facebook.

With my Facebook page now updated and totally awesome, my other profile pages were looking a little shabby in comparison. I started logging into other sites to update those profiles, and then I stopped and took a drink of my beer, scratched my chin thusly (scratches chin), and realized this stupid system isn’t sustainable: as we become increasingly dependent on online apps, it’s only a matter of time before we break under the burden of maintaining so many separate profiles. We’re going to need a better way of managing our identity.

OpenID = Open, ID

That’s where OpenID comes in. OpenID is a universal, single sign-on system: once you have an OpenID account, you can use it to register and log into any site that accepts OpenID. This means you don’t have to create a new account, memorize yet another password, or worry that some jerk will take your username.

User authentication is performed by the OpenID provider, and the result is then shared with the OpenID relying party. Since your identity is stored with the OpenID provider and merely shared with the relying party, you maintain greater control over your identity: no single third party controls your information, so you can update, move, or even delete your identity, completely independent of any relying party.

Thus in an ideal world, I would be able to access my Facebook account — and every other account — through a single OpenID identifier. If I wanted to update my profile photo, I would simply update my OpenID persona and let that change filter to each relying party. No fuss, no muss, thus more time for beer and chin scratching.

Unfortunately, OpenID needs to overcome a few issues before identity management is anywhere near this easy or useful.

One key to the kingdom

Psychologically, moving away from the traditional username and password combination and towards a URL identifier will require some massaging with the general Internet audience. Then again, this setup could change with future OpenID implementations — in any case, a standard still needs to emerge.

It’s important to note that OpenID is still in its infancy. It only performs user authentication right now, so even if sites supported OpenID in its current state, the photo updating scenario outlined above isn’t possible… yet. But there are good people working to turn OpenID into a more complete framework.

Security will always be a top concern, as information consolidation has clear advantages but inherently raises the potential for abuse. Phishing attacks will rise; however, this doesn’t imply these attempts will be any more successful, nor will gaining access to an OpenID account necessarily be any more damaging: many people use the same password for each of the sites they visit, while others merely resort to common, easily crackable combinations anyway.

Despite these challenges, the answer isn’t to keep the current, fragmented system we have today. Instead, a robust standard needs to emerge, users need to be educated on identity management, and companies need to continue improving their barriers against identity theft, including moves into biometric authentication as those devices become increasingly commonplace.

The future of identity

Just a year ago, OpenID was more the hobby of a few fanboys than a serious challenge to the way identities are stored and managed. But in January, Yahoo! announced that all 250 million of its user accounts would become OpenID identifiers, thereby tripling the number of OpenID accounts overnight. Google quickly followed a few days later by turning all Blogger.com accounts (50 million) into OpenID identifiers. Granted, these were small steps: neither Yahoo! nor Google supports OpenID bi-directionally. So while you can sign into OpenID sites with your Yahoo! ID, you can’t sign into Yahoo! properties with other OpenID accounts.

And that’s the biggest problem OpenID has right now: with Yahoo! and Google’s support, almost everyone on the Internet now has an OpenID-enabled account. But very few sites, outside a number of geeky web2.0 sites, accept OpenID logins. And until the movement gains a certain level of traction, there’s perhaps more reason for companies not to accept OpenID accounts: business models that depend on confidential user information would certainly be at odds with OpenID.

Whether OpenID will eventually win out as the de-facto standard remains to be seen. Despite the recent support from Yahoo! and Google, there’s still a long way to go before OpenID is accepted by mainstream audiences. But momentum appears to be on their side, and the potential networking possibilities are tantalizing. Take the notion of reputation: whether it’s in the form of years of reviews, or sets of photos, or hundreds of contacts, the actions we perform online likely paint a much fuller picture of who we are than the bits of information we self-report on profile pages. Given an open identity framework, it’ll be possible to take that online “cred” with you as you explore new sites and communities.

It’s my life

Online identity management is usually addressed from a technical standpoint, despite its sociological nature. But sometimes it’s good to stop and think, how do you embody someone’s identity in a way to truly represent who they are? And regardless of the Internet’s wealth of information and connectivity, is it possible that providing users with increasing control over how they present themselves assists in closing users away from any dissenting viewpoints and cultures?

In investing so much energy into improving how we present ourselves online, are we missing chances to genuinely improve ourselves?

I believe we are. And I say that because I think I already know what my next Facebook profile picture is. So long live the MySpace generation, and OpenID: bring it on. Please.

11 comments

  1.

    OpenID has a bunch of excellent features even despite the temporary drawbacks you mentioned: security varies from vendor to vendor and let’s admit it - it’s pretty geeky.

    I work for PassPack, an online password manager. It can be used by whatever website you’re logging into without having to be accepted. Plus we take security very seriously.

    We hope to partner up with OpenID down the road, just after our next release.

    http://passpack.wordpress.com/2008/02/14/beta-6-a-bridge-to-better/

    dani

  2.

    [...] Chris Makarsky, I’ll need to see some ID [...]

  3.

    While I wholeheartedly share your enthusiasm for OpenID, I’m not quite sure how you see it easing the burden of your online presence to any great degree.

    While a personal avatar associated with your OpenID account would allow you to centralise some of the information for easier sharing on the various social networks, blog- and gallery sites etc., it would be but a drop in the ocean of information that you’d still have to maintain and update.

    You could then argue that, in addition to the avatar, you could add more personal information to the OpenID account. That can however be argued to be contrary to the purpose of this general tool, the strength of which must surely be simplicity.

    Once you centralise information for relaying to various social networking sites, then what’s the point of being on several? With the same information everywhere, you would be just as well off picking the one site which offers the best interface.

    Some will choose to use several of these services. A musician may choose to use Facebook for interacting with friends, but MySpace for hosting sound- and video-clips and presenting career-related info.

    It would therefore be very useful for such individuals to be able to customise each instance of their online presences without having to set up separate OpenIDs (which would directly go against the very concept).

  4.

    You could then argue that, in addition to the avatar, you could add more personal information to the OpenID account. That can however be argued to be contrary to the purpose of this general tool, the strength of which must surely be simplicity.

    I agree that simplicity is key, but this functionality doesn’t have to come from OpenID itself. There could be a third-party service that acts as the main identity repository, and OpenID remains primarily for authentication, for both the various relying parties and the syncing site. But OpenID or a similar service would need to be in place.

    Once you centralise information for relaying to various social networking sites, then what’s the point of being on several? With the same information everywhere, you would be just as well off picking the one site which offers the best interface.

    Maintaining profiles in different networks can serve a useful purpose, whether it’s reaching a different audience or taking advantage of site-specific features (albeit I think we have too many networks right now that haven’t done a good job in emphasizing their differences). But you’re also right that something like OpenID could also encourage a consolidation in social networks. And I have no problem with that.

    It would therefore be very useful for such individuals to be able to customise each instance of their online presences without having to set up separate OpenIDs (which would directly go against the very concept).

    Some OpenID providers, like myOpenID, already allow users to create multiple personas per identity. So users can have a professional persona, a casual persona, a sports-lover persona, etc., and they simply choose which persona to use when they initially link with relying parties.

  5.

    Google does accept other OpenID logins as authentication for commenting on Blogger posts.

  6.

    Google does accept other OpenID logins as authentication for commenting on Blogger posts.

    Yes it does, although you have to explicitly change your comment settings to accept OpenID submissions. And you still can’t log into your Blogger account with anything but a Google/Blogger account.

  7.

    Hey Martin - did you get to chris’ site through eatvancouver or did you already know about it? This is weird, it feels like worlds are colliding.

    Anyway, it does seem rather pointless to use an open ID with multiple personalities. Doesn’t that kind of defeat the point?

  8.

    Anyway, it does seem rather pointless to use an open ID with multiple personalities. Doesn’t that kind of defeat the point?

    No, because the main point of OpenID is to keep users’ identities open and universal, so no one site can hold those details hostage (and thus so I can use my own information how I see fit). While creating personas is a feature certain service providers are offering to help with identity management, it’s not the driving value behind the OpenID movement.

  9.

    Well it seemed from your article that the main point was you were fed up of updating multiple profiles. And that would be the main benefit for me as well. So updating multiple “personas” would make OpenID an unnecessary middleman.

    That’s in addition to the point that I pretty much control my identity right now. It’s just annoying to control it on a lot of different websites so I canceled all of those other ones and just do Facebook right now.

    Conclusion: OpenID is useless.

  10.

    My example was just one possible situation where a system like OpenID could come in handy. It’s not the best example nor one that really represents the benefits of OpenID, so don’t go sour on the idea yet.

    Maybe another scenario. Think about all that work you’ve put into your Facebook profile: connecting with friends, uploading photos, listing favorite movies, books, etc — wouldn’t it be nice to be able to package up that information and take it with you if you decided to leave Facebook? Unfortunately, that’s not possible right now: all that work into crafting your identity is Facebook’s property, not yours, and the lack of portability is just one issue with the current user system.

    And on the development side, OpenID allows developers to focus on the novel portions of their app while the service providers worry about user authentication and identity management. Just about everyone needs this kind of service, and there’s no need to reinvent the wheel each time.

    So, not useless — just perhaps at a point where it’s not obviously useful.

  11.

    I believe that the whole idea of a single identity has flaws. The problem is a single compromise of the one piece of information that releases ‘Pandora’s Box’ results in a catastrophic compromise. This allows a single point of failure and the complete release of a person’s identity. Although there are keys and passwords required, if somehow this is compromised the entire database for that individual is available, and possibly more. If that happens then the identity of the individual is now available and that defeats the whole purpose.
    We can try and use multiple keys and that can be compromised. We can use three parties to do this and that could minimize the risk. That would also add a cost to the service to another party and increase the cost to the individual and the complexity of the system. We would not want any government agency to be part or have access to these keys.
    Resetting lost passwords and keys would become a nightmare. Somehow there has to be a single accepted identity that is verified and not stolen on the Internet. The third party is good but places so much in one key. A publicly available key with privately generated keys is not always acceptable as it adds cost to the individual, although not that much. There has to be another ‘Cost Effective’ open system that can provide a ‘Totally Private’ + ‘Private’ + Public key that is easily re-settable and should require 2 locations of differing entities to do so for the private keys. This could be possibly a combination of software and hardware on the local system that can create the keys that can be backed up to a tape or disk, however encrypted in case of failure. The separate parties that hold each piece of the key could also provide a replacement based on other personal information such as any combination of personal information that can be conscribed as legitimate identity for the individual
