OpenID was emerging back then. It was and still is interesting to watch developments being made, see it grow, and gain momentum. I think I have learned a few things about the technology, though I am not a developer. I can’t code and while I am subscribed to the OpenID mailing list, some discussions there are over my head. I don’t have the background to follow them and simply don’t have enough time to gain some deeper knowledge. The only contribution to OpenID I can offer is an end user perspective, blogging and talking about it.

However some people have the false impression I was some kind of expert. That happened more than once already. I am certainly no expert. I am not even sure if everything I write about OpenID is technically correct. But I think information (especially) on new technologies has to be correct. How can people be convinced to adopt a technology if they can’t be sure the information given to them is correct? I can’t offer this guarantee.

So does it still make sense to write about OpenID (the same applies for other technologies like microformats as well)? Currently I am undecided. Today I have seen a post on Mashable associating FriendFeed with the semantic web. It’s nonsense, of course. But am I immune to such articles? I guess, not.

Maybe this is the most stupid article ever written on a blog but I will probably maintain a low profile on OpenID for a couple of weeks. In two weeks there will be a barcamp on identity in Bremen. I registered for it already but I won’t go, I guess. It doesn’t make much sense.

Related posts:

1. Good Thoughts on Online Identity
2. claimID: Verification of Identities
3. Confusing Lists

• Dennis Blöte of event calendaring service Venteria has launched a Ruby on Rails based OpenID server called masquerade. You can have a look at the code here.
  Dennis has also launched an OpenID provider as a demo application which works rather well. It’s also one of the first providers supporting Attribute Exchange. And it seems to also support VeriSign’s SeatBelt plugin. Really good.
• OpenID provider xlogon has supported the Verein Deutscher Bibliothekare (Society of German Librarians) to enable its website with OpenID. The society needed a convenient way for granting members access to a protected area of its website (see press release, German, PDF).
  The society and xlogon also provide a step by step introduction to OpenID on the society’s website. I think it’s crucial to explain a new login system to members as it helps to raise acceptance. Well done.
• Oliver Wagner has co-authored an article on the pros and cons of OpenID for the print magazine Das Wirtschaftsstudium (Economic Studies). The magazine focuses on education and career opportunities for students of economic studies. So a different audience will know about OpenID soon. the article can be downloaded already (German, PDF).

Related posts:

1. SeatBelt: Switch OpenID Providers Easily
2. Introduction to OpenID on Zeit Online
3. Online Shopping with OpenID

Users who want their MyBlogLog profile URL to be an OpenID identifier have to opt-in at the Yahoo! OpenID site. So it is no surprise that this implementation provides the same features as Yahoo!’s (see my post about it). It also means that users don’t have to log in with their complete profile URL (http://www.mybloglog.com/buzz/memebers/username) but can shorten the OpenID to mybloglog.com. OpenID 2.0 and directed identity make it possible.

Also interesting to note is the blog post about MyBlogLog’s OpenID support by Shreyas Doshi, product manager for Yahoo!’s OpenID initiative:

With this change, we have also eliminated the only-one-custom-OpenID-identifier per-account restriction. This means that you can select both your Flickr photostream AND your MyBlogLog profile URL as your OpenID identifiers, in addition to creating a pretty me.yahoo.com identifier.

Can we speculate about del.icio.us and Upcoming OpenID identifiers as well now? More providers? Please become relying parties!

By the way, MyBlogLog also added a nice FOAF icon next to the vCard and hCard icons on profiles. They heard you, Robert.

And Digg?

Meanwhile Digg has added XFN support to user profiles and RDFa to submitted stories. Good to see further implementations of open standards on Digg. Maybe we will eventually see OpenID support. Announcements have been made more than once.

Related posts:

1. Will Digg Embrace Open Standards?
2. MyBlogLog about to support OpenID
3. MyBlogLog Adds MicroID and FOAF

Though from my own experience I can say that I am hesistant creating accounts at online shops. If I have the option to purchase products without that step, I go for it. I rather type in the required information once again if I return to a certain shop later. There is no specific reason why I don’t want to create accounts all over the place. Maybe I just want to keep the number low.

What about OpenID?

Online shops should implement OpenID. That changed things for me. I had to provide necessary details like my address just once. Not to any shop but only to my OpenID provider. There are cool extensions to the OpenID protocol which support this: Simple Registration and Attribute Exchange (also see Dennis Blöte’s excellent article on the topic). Both extensions allow transfer of profile data from an OpenID provider to a relying party, e.g. a shop. The first time I confirm my OpenID to a shop, it (=the shop) asks for that data. If I allow it to always fetch that data all future authentication requests work without me interferring.

So what happens if my address changes? Now you might argue that I still had to update all my accounts at online shops. I think that’s unnecessary. Shops don’t even have to store that data. Thanks to Simple Registration and Attribute Exchange. Assuming my address changes I will update it at my provider. When returning to a shop it simply asks my provider for the necessary details again and gets updated information. It’s really that simple: the shop will always have updated data but doesn’t have to store it and doesn’t even have to ask me for it. When the products are delivered and paid, it can delete my data.

Recommendations

Can online shopping be even more convenient? APML comes to mind. It collects users’ attention data and their interests, e.g. their favourite music or movies. Just think of Amazon’s recommendation system. The data is stored in a file which can be shared and parsed by services that support the standard.

The APML file can be stored everywhere. Why not at my OpenID provider? A shop could ask for that file and it would be transferred to it from my provider and I could get recommendations based on my attention profile even if it’s the first time I visit the shop. That’s not suitable for every kind of shop, of course, but for CD shops it worked if my APML file contained all the music I listened to on Last.fm for example. And that’s the difference to Amazon. Amazon can only recommend products to me if I already purchased products there or surfed the site intensively. A shop supporting APML can do that right away.

As far as I know there is no discovery specification for APML files yet. I had to tell the shop where it is. But I think that problem could be solved someday. I am not a developer, though. So maybe it can’t!? Update May 3: Actually there is discovery already implemented. I just should have had a look at the source of my blog. It looks like this:
<link rel="meta" type="application/xml+apml" title="APML" href="http://example.com/apml"/>

Well, it was even a greater shopping experience if the online shop could update my APML file based on the products I purchased there and wrote it back to my OpenID provider. Once again I don’t know how this could work. Maybe OAuth is a solution or even Attribute Exchange as it is capable of storing data at the OpenID provider. Maybe some clever minds know. I just write stupid articles.

Conclusion

Maybe those ideas are really just plain stupid but I think OpenID could really help making online shopping more user friendly. There are benefits for both customers and shops. Customers don’t have to deal with registration processes anymore and get better recommendations for products they might be interested in. On the other hand, shops will always have more accurate data of their customers and with APML support they could even boost sales because customers are only shown relevant products. Also they can save on data management.

Maybe there is even some revenue for OpenID providers. Since they provide user data and even valuable attention profiles they could get a fixed percentage of sales made by their users. Think of credit card companies’ business model.

Related posts:

1. Recommendations by TasteBroker
2. Publishing Attention Data
3. A Good Year for OpenID?

ID Selector

JanRain has launched a new tool for relying parties called ID Selector. It’s a widget that is being added to existing login forms. Relying parties can populate it with OpenID providers of their choice. If users click ID Selector they only have to choose their provider and type in the username part of their OpenID; they don’t have to remember the complete URL. The widget remembers the provider even across different relying parties. JanRain also makes sure that only those providers are visible to users which support the OpenID standard the relying party also supports.

ID Selector is a great improvement in terms of usability. While some people have raised security questions (see the discussion on the OpenID mailing list), this is a great step in the right direction to attract more users and maybe even help websites becoming relying parties.

Here’s a screenshot of ClaimID’s implementation of ID Selector:

ConfIdent RecognitionAUTH

ConfIdent Technologies has made its RecognitionAUTH system available to OpenID providers. RecognitionAUTH provides a grid of images of different categories. Users simply choose a few categories and remember them (refer to the example below). People familiar with OpenID providers will know this system already: it is the one myVidoop uses which is no surprise at all as ConfIdent Technologies is a company founded by Vidoop employees. Currently ClaimID, Clickpass, and ooTao feature this system as well. It provides more security than the usual password for login at providers because it adds a second factor for authentication.

BBC Joins OpenID Foundation

The BBC has joined the OpenID Foundation today. It won’t offer OpenID logins soon, though, but it will have a closer look at the technology.

However, at this stage [...] this doesn’t mean that we are going to immediately be offering OpenIDs on bbc.co.uk or even promising to do so.

The blog post announcing this also makes references towards OAuth, APML, and RDF. So hopefully there will be some more announcements by the BBC in the not so distant future.

[via OpenID.net]

Related posts:

1. Five Industry Leaders Join OpenID Foundation
2. Some Ideas for Relying Parties
3. Creators of OpenID?

mymobile-ID uses a text message (=SMS) to verify new users. Though that service is just available to German users. That’s a little bit irritating because all text is in English on the website. Maybe it will open up for international users after alpha or beta testing. I don’t really know, though.

SREG is supported and login worked smoothly on the website I tested it. I can’t report much on more features. That’s probably too early as it has just been launched. However I don’t like the identity page. It looks rather empty:

[via Museum of Modern Betas]

Related posts:

1. German OpenID Provider Launched
2. Xlogon: Another Provider for the German Community
3. Yahoo! will be an OpenID Provider

What is it about?

So what is this about, you might be wondering. Well, basically it gives several people an OpenID which is tied to a domain a user controls. Still don’t get it? Here’s a quote from the MyOpenID website:

myOpenID for Domains is a new service that helps you give members of your small business, family, or organization an OpenID URL at your own domain. Members get all the features of myOpenID, but get a URL at your domain instead of at myopenid.com. You still own the domain, we just host the identity pages and handle all of the other OpenID stuff.

It works by adding a CNAME entry to the DNS of the domain users control.

Update April 16, 10:33pm: Matthias noted in the comments of his blog that website verification is not done by MicroID. Why? It’s suitable for that purpose, I think.

OpenID for everyone

I think that’s a really great idea because many more people are able to get an OpenID this way. Especially small companies could benefit from it and follow Sun Microsystem’s example by providing OpenIDs for their staff. They won’t have to deal with the technical issues of setting up an OpenID server themselves and securing and maintaining it. Provided the companies trust MyOpenID.com, of course.

A business model?

I often wondered if there was a business model for specialized OpenID providers like MyOpenID.com. MyOpenID for Domains could be one. It is free of charge so far and small to medium sized businesses are mentioned as example uses on the website. But when is a company not medium sized anymore? MyOpenID.com could offer larger companies the same service for a fee. While this probably won’t be sufficient to survive in the long run, it could be a start to generate revenue.

[via Marshall Kirkpatrick on Twitter]

Related posts:

1. myOpenID Security Features
2. Identity Pages Don’t Have to Be Boring
3. claimID: Verification of Identities

Normalization

Most of the time? Not always? Well, sometimes things start to go wrong right in the beginning of a user’s OpenID experience: when typing in their OpenID in the relying party’s form field. Remember, an OpenID is a URL, something like this: http://youropenid.com/.

However is there a difference if you type:

• http://youropenid.com or
• youropenid.com

There shouldn’t be a difference but sometimes there is. According to the OpenID 2.0 specification relying parties must normalize those inputs to http://youropenid.com/. There are some more examples given in the specification, so have a look at them as well. Normalization was mentioned in the OpenID 1.1 specification as well, but certainly not as clearly as in the OpenID 2.0 one.

User Experience

However there are some relying parties out there which have not implemented normalization properly or at all. And this is a problem to end users like me. If I create an account with http://youropenid.com and the next time I log in with http://youropenid.com/ I have created two accounts. Not a good idea. The only difference is the trailing slash. That’s not obvious or understandable for non-techie users. I have learned about that just today as well.

OpenID still suffers from claims to be too technical and not being particularly user friendly. Lack of normalization just adds to those claims. Although people use social networks and probably know how to access their profiles there, a URL is still rather uncommon to use. So relying parties should do their best to make users’ life as comfortable as they can. In the meantime it’s probably best for end users to always add http:// and to remember if they used a trailing slash or not.

Related posts:

1. Online Shopping with OpenID
2. User Friendly OpenID Implementation
3. An ID Selector, Images, and the BBC

Anyway, what’s so interesting about a new sign in page, you may ask? Well, simply Ma.gnolia requires that users have a verified identity with another service already. It won’t be possible for new members to use a username and password combination to join Ma.gnolia anymore. The sign in page looks like this:

The screenshot can be interpreted that the verified identity can only be an OpenID. Though that’s wrong. From the dropdown menu users can choose from these services:

Of course, the majority also works as an OpenID provider, though a Facebook ID is also possible.

Spam

So what’s the reason for Ma.gnolia to change the sign in method? According to a blog post from Larry Halff from January already, it’s spam. Larry explained that almost 80% of all new accounts created were ones by spammers. Actually I didn’t expect such a high number. Spam still seems to be a very profitable business. Some spammers create accounts manually but most of them are created by bots. As you can see from the comments of that blog post, Ma.gnolia is not the only service affected by spam, Simpy suffers as well.

Will the new sign in process prevent spammers from joining? Probably not. Spammers can sign up for Facebook and they can also get an OpenID from different providers. But it makes their shady business harder and hopefully less profitable.

Outsourcing Identity Verification

Other companies like Buxfer also allow users to sign in with identities from other services (see screenshot below). It seems to become a trend and it’s actually a rather smart move by companies because in most cases they will get more accurate information about new users while they don’t have to deal with account verification.

Users profit as well as they don’t have to provide passwords to another company. Also they don’t have to build the same amount of trust to those companies. They can stay with a provider who they trust.

Buxfer’s sign in options:

Related posts:

1. Ma.gnolia is getting even more Social
2. This Week’s Bookmarks
3. Ma.gnolia

Today ClickPass has launched which promises one-click signin to OpenID enabled websites. As far as I understand it, it aims to reduce transfers which happen behind the scenes between the OpenID provider and the relying party. Well, I have tried it, so here is a small guide of how to use it.

Using ClickPass

Currently ClickPass just works with a small number of websites, one being Plaxo. It is not really suprising that Plaxo is one of the sites. Everytime some company is offering a new service making things easier for users, it seems like those companies are calling Joseph Smarr of Plaxo and asking him to implement it quickly. And faster than I could add a new plugin to WordPress, Joseph implements those services to Plaxo. It’s strange, but not surprising at all anymore. Oh yeah, other sites currently supported include Disqus and Hacker News; also a WordPress plugin is available.

Since I have a Plaxo account already I have tried logging in to it with ClickPass; I have created a ClickPass account before. On the Plaxo sign in page there is a new button now: the ClickPass button. If you click on the OpenID image, a list of popular OpenID providers is dropping down. Anyway, clicking Enter I am forwarded to ClickPass to set things up.

Once forwarded to ClickPass I am asked which websites I want to use with it. I only choose Plaxo.

Next I have to connect Plaxo to ClickPass and something strange happens: I am asked for my Plaxo login credentials! Although it says, those credentials are not stored on ClickPass I feel rather uncomfortable giving away my login details. Luckily I can skip this step.

After choosing a username (which is part of my ClickPass OpenID) my ClickPass profile is build.

ClickPass appends a unique ID to each site. This is directed identity, right? So ClickPass will only work with OpenID 2.0 enabled websites since it is not supported by OpenID 1.1.

So can I use Plaxo with ClickPass now? Let’s see. Back at Plaxo I click on the ClickPass button, magic happens…

…and then I should merge my existing Plaxo account with ClickPass. It wants my Plaxo login credentials again! And this time I can’t skip the step.

Stop!

Solution?

I don’t give passwords to any third party website anymore. That’s simply not cool! The ClickPass guys are probably totally sound people and even Scott Kveton is on their board. But I refuse to do that.

There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.

Also it is not really looking good to have another button on relying parties’ sites. Yahoo! has introduced a signin button already. Now there is ClickPass. How will websites look if every provider had their own signin button? Ugly, unclear, confusing even.

I don’t like it. But maybe I just totally missed the point of it. Maybe…

Related posts:

1. Two OpenID Enabled Productivity Tools
2. Plaxo: OpenID and Microformats Support
3. OpenID Directory: Where can I use my OpenID?