Friday, July 11, 2008

OpenID - Great in theory, but there's a big problem.

I have to admit, the first time I heard about OpenID I was pretty excited. The promise of being able to use one user account to log on to new websites was pretty cool. The benefits of avoiding a lengthy registration process, the ensuing email confirmation step and remembering yet another user name and password were great. However, as a web developer working on a couple of new sites, I soon realized that OpenID wasn't going to work for everything.

I soon realized that OpenID is a great approach for power users and web-savvy folks. However, OpenID is not for John and Suzy Smith living in middle America. If all web users consisted of developers, designers, IT professionals, bloggers and Silicon Valley entrepreneurs, OpenID would be the silver bullet we've been looking for. Unfortunately, we are only a small, influential and very vocal minority of the overall web population.

There are two primary reasons why I believe OpenID works for us savvy folks but falls short for everyone else.

  1. Usability – Learning the OpenID process goes against what users have become accustomed to on the web. The idea of using a URI as your universal ID is a concept that the average user will never fully grasp (or it will take some serious education). The abundance of OpenID provider choices will probably seem daunting initially. The average user will feel intimidated. They'll wonder whether they made the right choice, and whether there's an “undo” feature if they change their mind. The major players haven't embraced OpenID, and that will definitely hurt its adoption. If OpenID were being promoted by the likes of Google, MySpace, Facebook and Apple, it would be easier to educate these users and see adoption grow.
  2. Security – The fact that a security-conscious user won't be able to tell the difference between a phishing attack and a valid OpenID redirection will probably deter them from even trying. The web has become a scary place, and there are enough malicious people out there who will use every conceivable trick in the book to con these people into unknowingly exposing their credentials. It will only take one high-profile phishing attack to shine a negative light on the OpenID approach.

So where does that leave me? Well, I came to the conclusion that I'll have to support my own registration process because I can't rely on my users to ever understand OpenID. The user base for one of my sites looks like the following:
  • Uses Hotmail as a primary email account
  • Does their web searches on
  • Hasn't changed the default homepage from the one that was configured on their new PC.

I can't reasonably expect to see any benefit from the extra effort of supporting OpenID. So why did I decide to still support it? I still think OpenID will have its place on the web. Being the active web developer that I am, I want to learn as much about it as I possibly can so that my future sites can take full advantage of it. Who knows, maybe my users will surprise me! Supporting OpenID probably won't hurt you. It's really a business decision on spending the extra development time and effort to support it. My suggestion would be to support it, but have low expectations that it will succeed (unless you have a site frequented by tech savvy people).

If you decide to support it – READ THIS
If there is one recommendation that I'd make, it's to provide users with a link to a video of “how to log in using OpenID”. Take a look at this video to get an idea. It's important that you record the video showing the login process to YOUR site with a couple of the current primary providers (,,, This should give them some comfort and familiarity if they do decide to take the plunge.