
37Signals to retire OpenID for logins on May 1 - clintecker
http://productblog.37signals.com/products/2011/01/well-be-retiring-our-support-of-openid-on-may-1.html
======
peregrine
I think I'm starting to understand 37signals advertising strategy through DHH
tweets, that admittedly only works because they have listeners.

    1) Tweet negative/positive questions about x.
    2) Tweet negative/positive observations about x.
    3) Tweet negative/positive observation backed by data about x.
    4) Tweet article about how positive/negative x is on blog.
    5) Take action about positive/negative x.

Usually over the span of a couple days. It feels like you are watching DHH
come to the realization that something is good/bad which helps you come to the
same realization.

There is nothing wrong with it, and I don't know if it's intentional but it's
super effective.

~~~
dhh
I wish I could brand that as a fancy marketing scheme, but I think the answer
is much simpler. It's simply transparent discovery and thinking. If it happens
to work as advertising, that's a positive side-effect, but the main dish is
coming to good conclusions.

I certainly grew more confident in the decision to dump OpenID after talking
with lots and lots of people on Twitter about it. You get to test your ideas,
see what the feedback is, tweak, and retry. All while making the decision
process public.

~~~
jdp23
Its authenticity is what makes it so effective. You share your thoughts in
process, and people accompany you on your intellectual journey -- and their
feedback helps to shape the conclusion. So it functions as great brand
marketing for 37signals: you're the kind of company who takes what people say
seriously.

------
stefanobernardi
Totally understandable, one of the worst executed visions of all times.

I think there's a really huge opportunity in this space, and the first who'll
be able to figure out the perfect (and, most importantly, simplest) way to
offer a single-sign-on, integrating privacy and security features, will be
hugely thanked.

~~~
simonw
"one of the worst executed visions of all times"

What could have been done better?

I spent a couple of years advocating for OpenID adoption, because I believed
that the alternative (one or two companies controlling login for the entire
Web, à la Microsoft Passport or Facebook Connect) would be a massive blow to
the decentralised nature of the internet. I believed that OpenID's usability
issues could be resolved if enough smart people got involved in figuring them
out.

Clearly I was wrong on that last point.

And yes, my latest project (lanyrd.com) uses Twitter rather than OpenID for
authentication. From a developer point of view, that gets me the benefits I
hoped for with OpenID (SSO, portable identities, instant contact lists)
without having to wait for the world to agree on the standards. I just wish we
could have figured out a decentralised solution.

~~~
alain94040
_"one of the worst executed visions of all times" What could have been done
better?_

I'll tell you what it should look like (the fact that it's impossible is not
the point): whenever I land on a site that asks me to login, I get a menu of
all my possible accounts, I pick one, and I'm in. End of the story.

Kind of like Dropbox being simple and intuitive when everyone else was
building overly complex stuff.

~~~
jacquesm
Ok, it's impossible. Now tell me how you're going to do it anyway and laugh
all the way to the bank.

The fact that you can conceive of it means that it likely isn't impossible,
merely very difficult and possibly non-obvious. But that's how pretty much
every real success story starts. You really may be on to something here.

~~~
mbrubeck
This could be possible if web browsers (not just web sites) were aware of the
standard and participated in the UI flow. Mozilla Labs prototyped something
along these lines (not targeted for inclusion in Firefox 4, but possibly for
the next release):

<http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/>

------
seanalltogether
"Login with Facebook, Login with Twitter" <- these are your new single sign
on providers. I wonder if in the future they'll try to standardize these login
providers and the information they share, we can call the new standard
Open...something...ID...no...OpenLogin, there we go.

~~~
dhh
I think providing Facebook/Twitter logins for other social media sites makes a
lot of sense. Want to login to post on Yelp? Done. Want to checkin at 4sq?
Gotcha.

But using those services to check into the applications running your business?
Fuck no. I'm certainly not going to let anyone depend on their ability to get
paying work done by whether Twitter is up or not. And I know of plenty of
people who aren't interested in mixing their private-life Facebook with their
work-life accounts.

Then of course there's Google. I'd be wary to let a large number of customers
be owned by that Gorilla.

OpenID was promising because it was an open standard, not controlled by any
one party. But unfortunately it had the usability of your average open source
project (acceptable for hackers, terrible for anyone else).

~~~
swombat
Facebook has a registration tool, too, now:
<http://swombat.com/2011/1/24/facebook-registration-tool>

This might be the good middle ground between facebook login and an entirely
new login... a facebook-assisted signup procedure.

------
edvinasbartkus
I don't understand. They use a single text box for OpenID login, and they have
it separated from the login page, on another page. How do they want it to be
successful, and where is their ultimate usability mastery?

There is no way OpenID can be improved when there is no interest in solving
global internet issues. Neither Facebook, for implementing its own mechanism,
nor 37signals would get a medal of honor for uniting the internet.

~~~
dhh
The key problem didn't come from people NOT using OpenID, but from the people
who did. Supporting OpenID is a nightmare. You have different relaying
services that go up and down (OpenID's answer is: "use more than one" - ha!),
various levels of incompatibility, and a generally user hostile experience.

If OpenID usage had been in any serious numbers, our support department would
have revolted.

If you're trying to build a profitable online business, cutting your support
costs is key. And the easiest way to cut your support costs is to dump
confusing features or technologies that people constantly write in about.

Same reason we originally dumped FTP in favor of hosting files ourselves. The
support costs were way too high.

~~~
jdp23
For any individual company, economics favor a proprietary single sign-on
(37signals ID).

OpenID was not successful in changing that equation.

RPX, by contrast, appears to have done so successfully for a lot of people.

~~~
jackolas
<http://www.janrain.com/products/engage>

Looks like they renamed it... seems proprietary?

------
Vitaly
I use openid not to have a single signon to 37signals apps. I use it to have a
single signon, period. Not just 37signals but a ton of other apps use it as
well (and I wish all of them did).

Every time I see a web app supporting openid I'm glad that I don't have to
invent yet another user/password combo. Again.

As to failing openid providers I have a good suggestion: use OpenID
delegation to have a single openid that you can reroute to any openid provider
you want. All it takes is a domain name and a very small file hosted on S3
(for example). Then you can switch providers at will.
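
The delegation file Vitaly describes is a plain HTML page at your own identifier URL whose `<link rel>` tags point a relying party at whichever provider you currently use, which is also the answer to the "providers go up and down" complaint earlier in the thread. The script below is an added example, not code from the thread or from 37signals: it generates such a page and then parses it the way a relying party's HTML-based discovery step does (OpenID 1.1 `openid.server`/`openid.delegate` and OpenID 2.0 `openid2.provider`/`openid2.local_id` rel values). The provider and identifier URLs in it are constructed placeholders.

```python
"""Generate an OpenID delegation page and parse it like a relying party would.
Added example; the URLs used are constructed placeholders, not real providers."""
from html.parser import HTMLParser

# rel names from OpenID 1.1 and from OpenID 2.0 HTML-based discovery,
# mapped to the role they play in the discovered result.
REL_1X = {"openid.server": "provider", "openid.delegate": "local_id"}
REL_2X = {"openid2.provider": "provider", "openid2.local_id": "local_id"}


def delegation_page(provider_endpoint, local_id):
    """The tiny HTML file you host at https://yourdomain/ (e.g. on S3).
    Both the 1.1 and 2.0 link pairs are emitted so either RP version works.
    Switching providers means re-uploading this file with new hrefs."""
    return f"""<!DOCTYPE html>
<html><head>
<title>my identifier</title>
<link rel="openid.server" href="{provider_endpoint}">
<link rel="openid.delegate" href="{local_id}">
<link rel="openid2.provider" href="{provider_endpoint}">
<link rel="openid2.local_id" href="{local_id}">
</head><body></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect <link> tags, but only those inside <head>: discovery ignores
    links in the body, so injected markup in page content cannot redirect
    the identifier to another provider."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            self.links.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html):
    """Minimal HTML-based discovery. Prefers OpenID 2.0 rels, falls back to
    1.1. Returns {'version', 'provider', 'local_id'} or {} if nothing usable.
    A rel attribute may hold several space-separated tokens."""
    parser = _LinkCollector()
    parser.feed(html)
    for version, table in (("2.0", REL_2X), ("1.1", REL_1X)):
        found = {}
        for link in parser.links:
            rels = (link.get("rel") or "").lower().split()
            href = link.get("href")
            for rel in rels:
                if rel in table and href:
                    found.setdefault(table[rel], href)  # first match wins
        if "provider" in found:
            found["version"] = version
            return found
    return {}


if __name__ == "__main__":
    # Constructed placeholders: swap idp-a for idp-b and re-host the file
    # to move your identifier to a different provider.
    page = delegation_page("https://idp-a.example/openid", "https://alice.idp-a.example/")
    print(discover(page))
```

Two things the relying party side should keep in mind when honouring delegation: whoever controls the domain and the bucket hosting that file controls the identity, so the identifier must be fetched over HTTPS from the canonical URL, and the result of discovery must be compared against what the provider later asserts (the provider endpoint and the `local_id`), never taken from the client-supplied redirect alone.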

~~~
cobbal
> Every time I see a web app supporting openid I'm glad that I don't have to
> invent yet another user/password combo

The problem is most people don't bother doing this; they just trust every site
with the same password. The benefit I see in OpenID is that it is not a
secret, and cannot be "compromised" (intentionally or not) in the same way as
passwords.

(I also am one of the few, it seems, to use OpenID for my 37signals account)

------
lukev
The only ultimate, secure, technically valid solution to single sign-on is
2-way SSL.

Unfortunately, for this to work, several things need to happen:

1) Users need to learn what a private key is.

2) Browsers need to provide flexible, intuitive, easy-to-use user key support
that's not tucked away in 3 levels of dialogs/tabs.

3) We need good key-management tools so I can log on to sites from internet
cafes, etc (perhaps a session-lived key cache in the browser, with support for
syncing it remotely?)

~~~
eli
Anything that starts with, users need to learn <new technical concept> seems
doomed to fail.

~~~
lukev
Not if it provides a significant-enough benefit. How many people had
"passwords" as a daily part of their life before 1995 or so?

Every technology is new at some point. My thesis is that keys are _not that
hard_ and technical people should actually _try_ to push understanding of them
into the non-techie realm. If they fail, they fail, but if they succeed, it
would make all computing so much more secure.

Edit: I should also point out that it's not really any more complicated than
OpenID, and people seemed willing to give that a fair shake, at least to the
extent that a lot of sites implemented it.

~~~
rahoulb
Kids have used passwords in games for years. Everyone's seen spy movies. The
story of Aladdin is part of popular culture.

But "here is a thing in two parts, one of which you give to everyone but one
of which you need to keep absolutely to yourself or you're screwed" doesn't
have a common analogy. Even the "I give you an open box with a padlock"
analogy can feel a bit contrived.

However I also feel that there was no _cohesive_ attempt at building a similar
story for OpenID - which is a shame as it could be as simple as "tell us which
site you want to log in via and we'll do the rest"

~~~
jarek
Public key = your address. Private key = the key to the front door.

------
Duff
I'm surprised that 37signals' thought process is so utterly flawed. Blaming a
technology for implementation problems just doesn't make sense. Using this
logic, we would have concluded in 1997 that since Geocities pages were ugly
and slow, HTTP was a waste of time.

StackOverflow demonstrates aptly that OpenID is a technology that can work
really well. You just need to:

* Funnel users to pervasive, competent providers like Google, Facebook, Verisign
* Make the integration experience as smooth as possible.

If your implementation of OpenID requires users to enter URLs and encourages
users to use random providers, then yes, it sucks.

~~~
brianpan
Really? Because yesterday I went to _Meta_ StackOverflow and was utterly
confused why I was getting new openid requests. (It was because MetaSO is
different than SO.) Then I went to SO and was still confused because I thought
I used yahoo but actually used google. Then, after I logged in with yahoo, I
tried to change from google to yahoo and ended up with both, and now I can't
remove the google openid. Very confusing.

Instead of managing 1 SO and 1 MetaSO login, I'm managing a connection from SO
to one of many providers and MetaSO to one of many providers. Best case,
that's 3 pages (SO, MetaSO and Yahoo) to manage logins to 2 sites.

------
damoncali
Now if we could just kill off this facebook/twitter/nextbigthing login
nonsense and use email like proper gentlemen things will be just peachy.

~~~
stonemetal
Until you change ISPs and your ISP provided email address goes away. Sure you
could say use gmail or yahoo mail, and that is obviously just fine until they
become "evil" or go out of business. Or heck you get your own domain and want
to migrate over to using it for email. I have had a number of email addresses
over the years and most of the old ones I have lost access to, how does that
work again?

~~~
acdha
Exactly as well as OpenID, only it's a much better understood problem and
avoids a ton of confusion?

------
ecaron
This is apparently their reaction to this support ticket -
<http://answers.37signals.com/basecamp/4899-openid-having-issues> - in
which they say "Something changed with the MyOpenID provider recently and
we're tracking the issue as we look for a fix."

~~~
dhh
That was just the latest in a long string of issues with OpenID. Hardly the
sole reason.

------
jasonjei
It's a shame that CAS for multitenant apps never really took off. We have an
integrated CAS and OpenID server to handle single-sign on for all our apps,
and losing OpenID will mean an additional username/password for our people to
remember for Highrise. We are probably going to write our own CRM at this
point.

~~~
blasdel
CAS is definitely somewhat less of a clusterfuck than OpenID, and actually
gets the SSO cookie-handling part right.

But it's still a pile of redirects where the net result is that you can tie a
user to their identifier and nothing more — it's mostly useless without
implementing it paired with an LDAP/AD backend to get group membership and
whatnot.

Just not storing a password field in your backend does nothing — you really
have to get rid of the per-app account models entirely. WebFinger is a nice
step along these lines, but it layers on top of OpenID and even then still
doesn't provide the complete picture.

~~~
jasonjei
We have the CAS server return a hash in extraAttributes called "MemberOf" that
returns every group the user is a member of. I do feel that the next version
of CAS should formally address this as part of the main spec. Our MemberOf
is paired to AD, but I'm sure it could be configured to work with a non-AD
data store.

------
skomorokh
I just skimmed the comments thread and have a vague idea of what OpenID is but
haven't gotten around to it yet.

Sounds great, Yahoo/Google/Facebook take your pick with a button or if you're
hacker/paranoid enough to have your own infrastructure the slight complexity
of using a URL?

Main complaint seems to be it's URL and not user@host? Couldn't one just add
support for user@host into the next iteration of the standard? Maybe using
something like DNS SRV records that seem to work well enough for XMPP?

Decentralisation is important and more cultural than technical. We need to
keep working for it and it's not a short term goal--if it happens over decades
so be it, but we shouldn't give up ground where we don't have to, especially
with things trending against at the moment.

~~~
drdaeman
37signals do not care about decentralisation. It is as simple as that.

------
maayank
I think that I speak for all when I say "NOOOOOOOOOOOOOO!!!" (think skywalker)

Maybe the execution was not crystal perfect, but I think all of us would have
liked OpenID (or some other free and open standard) to succeed.

Open world 0 : Corporate overlords 1

~~~
wvenable
I wonder if it's reasoning like this that has kept OpenID alive when it should
have died a long time ago. You want the Open world to win over the corporate
overlords, build a technology that actually _works_. A lot of effort has been
put into evangelizing OpenID because it's a technology that nobody would want
on their own.

The problem was the underlying concept is not sound and no amount of layering
on more features was ever going to solve it. What we need now is to get the
browser makers involved in a secure authentication system and start it first
inside of smartphones.

------
Fice
What exactly are OpenID usability issues? I personally prefer to use OpenID
where it is available, yet I don't use any login provider but a php script on
my own website.

~~~
riobard
The problem is that the number of people hosting their own OpenID solutions
is, and will be, rather insignificant.

~~~
patrickaljord
It doesn't matter when yahoo, google, aol and more offer openid, it's just a
click on a button, what could be easier than that? I agree that entering a
whole URL is horrible though but that's not how I use openid, I just click on
the google button and that's it, just like facebook or twitter connect.

~~~
theBobMcCormick
StackOverflow is a good example (IMHO) of OpenID login done right. It's _so_
easy to sign up for a StackOverflow account, and I don't have to remember or
write down _yet another fucking password_!

IMHO, one of the things they do correctly is that the user doesn't have to
remember an OpenID url in most cases, just click on the logo for which of your
likely ID providers (Google, Facebook, Yahoo, etc.) that you want to use. What
could _possibly_ be easier or friendlier for the end user?

~~~
moe
_StackOverflow is a good example (IMHO) of OpenID login done right._

The problem is that StackOverflow is also about the _only_ example of OpenID
done right, or done at all...

Yes, there are a few others. But at least in my internet usage I hardly ever
run into one. I can't remember having used my OpenID for any site other than
SO in the past couple years.

~~~
theBobMcCormick
Other examples of user-friendly OpenID login pages:

* Tripit.com only supports Google, Google Apps, and Facebook, but it's very end-user friendly to use any of those three.

* Catch.com, like Tripit, supports Google and Facebook OpenID logins.

* mindmeister.com supports Google, Google Apps, or a generic OpenID login.

* springnote.com supports a number of openID providers including generic OpenID. This one is actually an even better example than StackOverflow of an end-user friendly OpenID login/signup page.

Those are just ones I pulled from my Google account settings page. I'm sure
there are other good examples out there.

------
cgart
Indeed, I also think that OpenID is not designed well. I mean, I have tried to
implement it twice already. And every time I think I got the idea of OpenID,
later I realize, no, I still didn't really get what it tries to do.

What is wrong is that a spammer could easily host its own OpenID server and
log in with that account on numerous sites. You can even write scripts to do
it automatically, so I didn't really get the idea of OpenID.

I think in the future we get OAuth as the winner. Yes, its main purpose is
different, however "signing in" with OAuth is so much easier. Even a simple
user can understand how it works. And by implicit use of only specific OAuth
providers (where you registered your app), you close the door for
"bot" providers. Of course one can argue that you can also force the use of
only specific OpenID providers, but this is not the core idea of what OpenID
was created for.

~~~
mgedmin
OpenID doesn't replace user accounts. It replaces account passwords. A site,
instead of verifying a user's password, contacts the user's OpenID provider
asking them to verify the user's identity.

Instead of using the same username + password combination for all the sites on
the Internet (and suffering from Gawker-like incidents), or writing down a
bazillion passwords in my keyring, I use my OpenID when I want to comment on
random people's blogs or sites like StackOverflow.

------
didip
I never quite get the idea of OpenID. It's like outsourcing the front door of
your Italian restaurant business.

Furthermore, when using OpenID, users have to remember yet another type of
token. As opposed to the ubiquitous email+password.

~~~
Duff
It's more like a restaurant hiring a third party to handle billing without you
needing to collect cash or hold consumer receivables. (ie. credit cards)

Who do you trust more to control who can use your identity? A gossip blog like
Gawker Media? Or a place like Google, Verisign, etc who employs real security
experts who know what they are doing.

I have a PayPal token so that I can use two-factor authorization for my
account. Since Verisign PIP is powering that solution, I also now have a two-
factor openid that I can use anywhere. So if I decide that I want to have
additional protection for my StackOverflow or Tripit accounts -- I can.

------
psadauskas
I wrote a blog post[1] last week about a better solution for handling auth.
The tldr version is that our user agents need to be doing a better job of
managing authorization and multiple accounts for us. I posted it here on
HN[2], but didn't get much traction on a Friday afternoon.

[1]: <http://blog.theamazingrando.com/the-road-to-better-authorization>
[2]: <http://news.ycombinator.com/item?id=2128966>

------
antidaily
I still like OpenID for smallish projects and blog commenting. While people
are ok with creating a username and password for a 37signals product, I doubt
they're interested in creating one for something that tells my friends on
facebook and twitter what my favorite color is.

------
epochwolf
Well, it's a damn good thing I switched away from OpenID for my current
project. I was originally forced to switch because the ruby openid library did
not work for ruby 1.9 due to encoding issues. It's amazing how much things
change in a year.

------
drdaeman
Am I the only one to find the top-voted answer on the linked Quora question to be
completely wrong, and missing the point?

