Mad, Beautiful Ideas
OpenID Doomed to Fail?

OpenID is one of those technologies that I, and many others, truly believe is important and necessary, but has completely failed to gain traction with most users.Sort of like Public-Key Encryption. Hell, even on this site, which allows users to authenticate via OpenID to leave comments which will be posted immediately without me having to approve them, I don't get anyone using OpenID.

There are plenty of reasons for this, I think. Quite a few sites don't offer OpenID logins, and while Yahoo!, Microsoft, Google allow their logins to be used as OpenIDs, not a single one of them will honor OpenIDs from other providers. And Facebook's new Federated Login system is even worse, as it won't interoperate with anything.

Now, the argument for many is that OpenID is confusing. Google suggests using a "Login with you Google ID" form, which is a pain in the ass because you get their Google E-mail address, then have to request their OpenID URL from Google (a move which is far from standards compliant), and then go about the standard OpenID 2.0 login. Yahoo! at least allows their users to use "" as their URL, but then, even they suggest offering a "Login with your Yahoo! Account" button.

Currently, OpenID is clearly the realm of the geeks. But, is it worth promoting these alternative methods of using OpenID? While I think it's great that Google and Microsoft and Yahoo are all embracing the standard, I believe the better strategy is to educate the users on what OpenID is, and how to use it. OpenID is pretty easy to use (provided you don't need API access), and I believe one of the key aspects of the upcoming information economy must be that we have the control over our own idenity. OpenID enables that.

But it's this control over our own identity that is the core of why Google, Microsoft, Yahoo!, Amazon, Facebook and many others aren't taking OpenID authentication. These are companies that have built their empires on Data Mining. They take your information in order to better figure out how to market stuff to you. Now, this isn't necessarily a wholly bad thing, and frankly OpenID doesn't really negate their ability to do this (or even make it harder really), but what OpenID is enabling them to do, is track your activity outside of their normal sphere of influence.

If you log in to leave of comment here using Yahoo! OpenID, Yahoo! is going to know you're a user of my site, and that's information they can use. But, if Yahoo! accepts OpenID, and you log into Yahoo! with a Google Account, well, then Google now knows you're looking to use Yahoo! services ,and that may change things for those companies and their relationship with you.

I don't want to sound all doom and gloom. A lot of good can come from more directed methods of marketing. I don't really care about ads for Barbie dolls, and I'm perfectly fine not seeing them. I hope someone is taking notice of my tendency to quickly leave sites that have "talkie" ads. These metrics can all be good, but what is importance is thinking about what giving your online Identity to another entity means. Personally, I do use Yahoo!'s OpenID, but I do try to remain aware of what that potentially entails.

I think at this time, OpenID has enough traction that it can succeed against upstarts like Facebook Connect, but we do need to develop a mechanism to make it easier for most users to use. Perhaps some sort of DNS record to go alongside MX records, like say "IX" records (for Identity exchange) which can provide a service to change an e-mail address into the basis for an OpenID transaction, and do so in a standard way. Or perhaps a standard JavaScript login form which allows you to select your provider and give your login in an easily extensible manner (something like this exists, I don't remember where, though).

OpenID needs to be made easier, and I think there should be a way to do that without obfuscating the system further. The standard will likely need updating, but I believe that it can succeed. That it will succeed, and that it needs to succeed.