I think I'm starting to understand 37signals advertising strategy through DHH tweets, that admittedly only works because they have listeners.
1) Tweet negative/positive questions about x.
2) Tweet negative/positive observations about x.
3) Tweet negative/positive observation backed by data about x.
4) Tweet article about how positive/negative x is on blog.
5) Take action about positive/negative x.
Usually over the span of a couple days. It feels like you are watching DHH come to the realization that something is good/bad which helps you come to the same realization.
There is nothing wrong with it, and I don't know if its intentional but its super effective.
I wish I could brand that as a fancy marketing scheme, but I think the answer is much simpler. It's simply transparent discovery and thinking. If it happens to work as advertising, that's a positive side-effect, but the main dish is coming to good conclusions.
I certainly grew more confident in the decision to dump OpenID after talking with lots and lots of people on Twitter about it. You get to test your ideas, see what the feedback is, tweak, and retry. All while making the decision process public.
It's authenticity is what makes it so effective. You share your thoughts in process, and people accompany you on your intellectual journey -- and their feedback helps to shape the conclusion. So it functions as great brand marketing for 37signals: you're the kind of company who takes what people say seriously.
Yea thats definitely it, just something I've noticed over time. Its a great strategy for getting people on your side, I think I see gruber doing the same thing from time to time, with less transparency though.
Totally understandable, one of the worst executed visions of all times.
I think there's a really huge opportunity in this space, and the first who'll be able to figure out the perfect (and, most importantly, simplest) way to offer a single-sign-on, integrating privacy and security features, will be hugely thanked.
That particular holy grail is a poisoned chalice and it's claimed plenty of victims, anyone remember Sxip? It's not a technical problem, it's power, control and ownership. Anyone in a position to allow a platform to get serious traction isn't going to give that control up and anyone that isn't can't make a system with enough traction. Then there's issues of trust, delegation and longevity. I'd love someone to do it well, I'd love the ability to have anonymous, durable, cryptographically verifiable identities online that could be optionally tied to meatspace identifiers but I just don't see it happening.
Anyone in a position to allow a platform to get serious traction isn't going to give that control up and anyone that isn't can't make a system with enough traction.
The department of commerce wants to create such an identity system. I'm not sure I like the idea, but it would be "single sign on". I think it is a safe bet that their intention is to eventually make it mandatory, and they have the "ownership", presumed trust, and longevity, not to mention the ability to pass laws "encouraging" adoption.
Putting it in the hands of the government actually fails the trust requirement. Trust is not a binary "this entity is trustworthy", trust is a set of relationships between two entities, and not everyone will trust the US Government, nor will everybody be trusted by the US Government. Even in a perfect world with a perfect US Government, that is the correct answer; not everyone is under US jurisdiction, after all, so we don't even need to get into the political issues. If made mandatory (and the only option), this is a critical failure on the trust front. It can't work, you can't tie your login system to only the US login system, and if you have to have other login systems, US citizens will be able to use those too.
I can already see the early adopters: Russia, China, France, Germany...
Even if you do it so that the actual data stores are separate and you manage to keep the APIs the same, lots of countries will have huge issues with adopting U.S. policies.
No, the Department of Commerce wants to help create a standard. It's a damn hard task, but even harder when the net's FUD is the feds want to create an identity system. No, no they don't. And their process is pretty great. But they will fail, in no small part due to FUD, and we'll all be using Facebook Login Plus soon and wondering why we never got an open standard.
I spent a couple of years advocating for OpenID adoption, because I believed that the alternative (one or two companies controlling login for the entire Web, ala Microsoft Passport or Facebook Connect) would be a massive blow to the decentralised nature of the internet. I believed that OpenID's usability issues could be resolved if enough smart people got involved in figuring them out.
Clearly I was wrong on that last point.
And yes, my latest project (lanyrd.com) uses Twitter rather than OpenID for authentication. From a developer point of view, that gets me the benefits I hoped for with OpenID (SSO, portable identities, instant contact lists) without having to wait for the world to agree on the standards. I just wish we could have figured out a decentralised solution.
For most users I talk to, an email address (rather than a URL) is how they think of identifying themself in a cross-system way. Orienting the spec around that would have made a huge difference.
Were there HCI experts a big part of the community that put together the vision and architecture? How diverse (tech background, language, age) was the original community? Both of those are areas that could have made a big difference.
It remains a great vision, so hopefully people will continue to work on it.
> For most users I talk to, an email address (rather than a URL)
Hits nail on head. It's unbelievable how dumb geeks who try to design UX experiences can be (and I say this as one of them). The first day I saw OpenID I was amazed that anybody would try and use a URL as an identifier.
Why would anybody put something that no normal person understands front and center of their UX? This is like opening a shoe shop and putting a quiz about 2nd order differential equations on the front door. Guess what - nobody is going into your store!!!
It was already a huge challenge to get people to understand the concept of using a login from one site to login to another. But it was doomed from the start the minute someone said you should have "http:// in front of your username.
It uses your email address, and seems to offer a good way to get access to an OpenID-like sign in (maybe this is using OpenID or OAuth under the covers?)
It looks like WebFinger is not really an authentication system but functions more like a user profile. It lets someone know what music you listen too, or what programming language(s) you know but it doesn't prove that you are you.
Simon, I know the work you and others have done and continue to do in the OpenID world, and it's commendable work.
The problem with OpenID and other Open Web work IMO is the sheer number of half-baked specs brought forward. Much more than any other standards group. I don't know why. “The nicest thing about standards is that there are so many of them to choose from,” like Tannenbaum said. Perhaps there is a general lack of attention span, a ohh-shiny problem, a not-invented-here problem that is particularly rampant in this community.
"one of the worst executed visions of all times"
What could have been done better?
I'll tell you what it should look like (the fact that it's impossible is not the point): whenever I land on a site that asks me to login, I get a menu of all my possible accounts, I pick one, and I'm in. End of the story.
Kind of like Dropbox being simple and intuitive when everyone else was building overly complex stuff.
Ok, it's impossible. Now tell me how you're going to do it anyway and laugh all the way to the bank.
The fact that you can conceive of it means that it likely isn't impossible, merely very difficult and possibly non-obvious. But that's how pretty much every real success story starts. You really may be on to something here.
This could be possible if web browsers (not just web sites) were aware of the standard and participated in the UI flow. Mozilla Labs prototyped something along these lines (not targeted for inclusion in Firefox 4, but possibly for the next release):
It's kind of you to say but the reason our sales and marketing was poor was that we couldn't figure out what we were selling or marketing. Try as we might we couldn't figure out who really wanted it and where to make money.
Most websites simply can't see enough of a bang for an engineering buck they could be spending on something else (i.e. they don't even want to install it, never mind pay for it) and if it's done well consumers don't even see it so there's no money to be had from them either.
I'm sure we could have made it all slicker still but even Facebook login takes some justification and Clickpass didn't deliver anything like the value that that does.
For early adopters who try out lots of different sites, Clickpass would be a big win for both the users and the sites. Once the early adopters are doing it, everybody else will see the convenience.
The potential problem with this solution, although I do like it, is that your accounts can be attacked by someone who has any one of your login/pw combinations. You must treat them all as equally valuable. I'm not sure people on the web are at that point yet.
Isn't this kind of what Blogspot does? I'm not very firm on the background, but generally when I go to post a comment on a Blogspot/Blooger site, I'm given a choice of either my Google account or OpenID, with openID being a choice of several favicons (Yahoo, Google again, etc).
The real answer is that for the web to continue as it is, no such system must exist. If you require a single authentication, the web stops being a loosely couple system and becomes dependent on a single entity.
I believe that part of that design is what's so confusing to non-technical users. If somebody were to tell them that 'the box in your basement' could be used to verify access to their banking website, you'd completely lose them. Granted, its an implementation they'd likely never encounter, but the fact that its possible just contributes to the noise around OpenID.
If you were to tell people in 1985 that they would be able to see their credit card balance on an LCD of a mobile phone while jogging, you'd completely lose them too.
I think the problem lies in how those iedentities are established. A prolific Twitter or Facebook account makes a good identity precisely because you have spent time pouring your identity into it. Your family photos, relationships, residence and work history on your Facebook page. Your daily thoughts and actions cataloged on your Twitter feed. While not perfect, they're the best thing we have right now to externally verify that you are who you claim to be. They provide context to the authentication. Any external service that implemented the authentication standard that may arise out of this situation lacks that identifying context and the best case scenarion only serves to prove that the user authenticating is the user who setup the account. Taking away Facebook's and Twitter's context makes spoofing that authentication much easier.
Solving that in a way that doesn't violate the privacy concerns of your users seems like something of a holy grail. Panacea if it exists, but far from demonstrated.
Oh, yeah. Tie it to email addresses; let any domain publish an SRV record pointing to its ID server. Then all you have to know is your email address, not your OpenID URL.
not really. Consider for example yahoo's implementation: when I get redirected to Y! for login, I have my personal login seal on the page that grants me that I am actually talking to yahoo and not some scam site.
What about man in the middle?(Go to yahoo get your image and display it for you.) Heck even pass your credentials through to yahoo to verify that you gave me the correct credentials.
"Login with Facebook, Login with Twitter" <- these are your new single sign on providers. I wonder if in the future they'll try to standardize these login providers and the information they share, we can call the new standard Open...something...ID...no...OpenLogin, there we go.
I think providing Facebook/Twitter logins for other social media sites make a lot of sense. Want to login to post on Yelp? Done. Want to checkin at 4sq? Gotcha.
But using those services to check into the applications running your business? Fuck no. I'm certainly not going to let anyone depend on their ability to get paying work done by whether Twitter is up or not. And I know of plenty of people who aren't interested in mixing their private-life Facebook with their work-life accounts.
Then of course there's Google. I'd be weary to let a large number of customers be owned by that Gorilla.
OpenID was promising because it was an open standard, not controlled by any one party. But unfortunately it had the usability of your average open source project (acceptable for hackers, terrible for anyone else).
I actually like this model too ... you're never going to get everybody to use one provider for storing their identities, because nobody will go and create one unless they absolutely need to.
So, it makes sense to go where users are. What I think needs to be done is standardize an api for the sites like twitter, facebook, Google and who-knows-what-in-the-future to use in providing accessing to user information to developers ...
That way, when superdupersocialnetworking.com explodes and has 1 billion users, providing sign on access to its users for your app is as simple as changing one or two lines of code.
> What I think needs to be done is standardize an api for the sites like twitter, facebook, Google and who-knows-what-in-the-future to use in providing accessing to user information to developers
It is my understanding that that's pretty much exactly what OpenID is.
a. Open ID is a protocol not an api ... I'm talking about something more akin to the old way twitter used to verify twitter logins in their api
b. Open ID deals mainly with authentication ... I'm talking about both authenticating and providing access to limited user information ... email, name, phone ... that sort of thing.
I just think Open ID was over elaborate, I'm hoping something simpler could succeed where it has failed.
Hope that makes sense.
> Its not crazy. Facebook just announced something along those lines today
Yep, and it's not exactly a standardized API, neither would it be easy to move a system built on this to the next greatest thing from Twitter or Google. User data lock-in is nice like that.
I don't understand.
They use single text box of OpenID login.
They have it separated from login page in another page.
How do they want it to be successful and where is their ultimate usability mastery?
There is no way OpenID can be improved when there is no interest in solving global internet issues. Neither Facebook for implementing the own mechanism nor 37signals would get medal of honor for uniting the internet.
The key problem didn't come from people NOT using OpenID, but from the people who did. Supporting OpenID is a nightmare. You have different relaying services that go up and down (OpenID's answer is: "use more than one" - ha!), various levels of incompatibility, and a generally user hostile experience.
If OpenID usage had been in any serious numbers, our support department would have revolted.
If you're trying to build a profitable online business, cutting your support costs is key. And the easiest way to cut your support costs is to dump confusing features or technologies that people constantly write in about.
Same reason we originally dumped FTP in favor of hosting files ourselves. The support costs were way too high.
The worst part the description of what OpenID is design for is too much promising. Those who retire OpenID never going to give another chance. Everybody will be waiting for new alternative but that's kind of everything from the beginning.
The story of OpenID (not)success sounds like the html compatibility issue. Overall, time pass by and it starts shaping up. But probably no lessons learned from it (yet).
And when the big players are giving up on it no way small startups will be able to maintain, improve and support OpenID features.
I use openid not to have a single signon to 37signals apps. I use to to have a single signon period. Not just 37signals but a ton of other apps use it as well (and I wish all of them did).
Every time I see a web app supporting openid Im glad that I don't have to invent yet another user/password combo. again.
As to failing openid providers I have a good suggestion - use OpenId delegation to have a single openid that you can reroute to any openid provider you want. all it takes is a domain name and a very small file hosted on S3 (for example). Then you can switch providers at will.
> Every time I see a web app supporting openid Im glad that I don't have to invent yet another user/password combo
The problem is most people don't bother doing this; they just trust every site with the same password. The benefit I see in OpenID is that it is not a secret, and canot be "compromised" (intentionally or not) in the same way as passwords.
(I also am one of the few, it seems, to use OpenID for my 37signals account)
The only ultimate, secure, technically valid solution to single sign-on is 2-way SSL.
Unfortunately, for this to work, several things need to happen:
1) Users need to learn what a private key is.
2) Browsers need to provide flexible, intuitive, easy-to-use user key support that's not tucked away in 3 levels of dialogs/tabs.
3) We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)
Not if it provides a significant-enough benefit. How many people had "passwords" as a daily part of their life before 1995 or so?
Every technology is new at some point. My thesis is that keys are not that hard and technical people should actually try to push understanding of them into the non-techie realm. If they fail, they fail, but if they succeed, it would make all computing so much more secure.
Edit: I should also point out that it's not really any more complicated than OpenID, and people seemed willing to give that a fair shake, at least to the extent that a lot of sites implemented it.
Kids have used passwords in games for years. everyone's seen spy movies. the story of alladin is part of popular culture.
but "here is a thing in two parts, one of which you give to everyone but one of which you need to keep absolutely to yourself or you're screwed" doesn't have a common analogy. even the "i give you an open box with a padlock" analogy can feel a bit contrived.
However I also feel that there was no cohesive attempt at building a similar story for OpenID - which is a shame as it could be as simple as "tell us which site you want to log in via and we'll do the rest"
> We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)
Giving out your private keys like that (what, you actually trust an internet cafe computer?) is a rather bad idea. Instead have a service that your local client can authenticate to (with a normal password if you trust your client, or rsa keyfob, or application that makes your phone act like a keyfob), that acts vaguely like either ssh-agent (with the connection established in the opposite direction) or a kerberos KDC (which would let you not need to keep track of privkeys).
Uses the site's domain as a salt though which isn't exactly secure if whoever hacks the database decides to ignore the low-hanging unencrypted fruit and crack your password. You can configure the encryption settings a bit though and add your own pre-salt kinda deal.
I'm surprised that 37signal's thought process is so utterly flawed. Blaming a technology for implementation problems just doesn't make sense. Using this logic, we would have concluded in 1997 that since Geocities pages were ugly and slow, HTTP was a waste of time.
StackOverflow demonstrates aptly that OpenID is a technology that can work really well. You just need to:
- Funnel users to pervasive, competent providers like Google, Facebook, Verisign
- Make the integration experience as smooth as possible.
If your implementation of OpenID requires users to enter URLs and encourages users to use random providers, than yes, it sucks.
Really? Because yesterday I went to Meta StackOverflow and was utterly confused why I was getting new openid requests. (It was because MetaSO is different that SO.) Then I went to SO and was still confused because I thought I used yahoo but actually used google. Then, after I logged in with yahoo, I tried to change from google to yahoo and ended up with both, and now I can't remove the google openid. Very confusing.
Instead of managing 1 SO and 1 MetaSO login, I'm managing a connection from SO to one of many providers and MetaSO to one of many providers. Best case, that's 3 pages (SO, MetaSO and Yahoo) to manage logins to 2 sites.
Until you change ISPs and your ISP provided email address goes away. Sure you could say use gmail or yahoo mail, and that is obviously just fine until they become "evil" or go out of business. Or heck you get your own domain and want to migrate over to using it for email. I have had a number of email addresses over the years and most of the old ones I have lost access to, how does that work again?
It's a shame that CAS for multitenant apps never really took off. We have an integrated CAS and OpenID server to handle single-sign on for all our apps, and losing OpenID will mean an additional username/password for our people to remember for Highrise. We are probably going to write our own CRM at this point.
CAS is definitely somewhat less of a clusterfuck than OpenID, and actually gets the SSO cookie-handling part right.
But it's still a pile of redirects where the net result is that you can tie a user to their identifier and nothing more — it's mostly useless without implementing it paired with an LDAP/AD backend to get group membership and whatnot.
Just not storing a password field in your backend does nothing — you really have to get rid of the per-app account models entirely. WebFinger is a nice step along these lines, but it layers on top of OpenID and even then still doesn't provide the complete picture.
We have the CAS server return a hash in extraAttributes called "MemberOf" that returns every group the user is a member of. I do feel that the next version of CAS should formally address this as part of the main spec. But our MemberOf is paired to AD; but I'm sure it could be configured to work with a non-AD data store.
I just skimmed the comments thread and have a vague idea of what OpenID is but haven't gotten around to it yet.
Sounds great, Yahoo/Google/Facebook take your pick with a button or if you're hacker/paranoid enough to have your own infrastructure the slightly complexity of using a URL?
Main complaint seems to be it's URL and not user@host? Couldn't one just add support for user@host into the next
iteration of the standard? Maybe using something like DNS SRV records that seem to work well enough for XMPP?
Decentralisation is important and more cultural than technical. We need to keep working for it and it's not a short term goal--if it happens over decades so be it, but we shouldn't give up ground where we don't have to, especially with things trending against at the moment.
I wonder if it's reasoning like this that has kept OpenID alive when it should have died a long time ago. You want the Open world to win over the corporate overloads, build a technology that actually works. A lot of effort has been put into evangelizing OpenID because it's a technology that nobody would want on their own.
The problem was the underlying concept is not sound and no amount of layer on more features was ever going to solve it. What we need now is to get the browser makers involved in a secure authentication system and start it first inside of smartphones.
What exactly are OpenID usability issues? I personaly prefer to use OpenID where it is available, yet I don't use any login provider but a php script on my own website.
I use a TondioPlug[1] as a provider, and I've never had a problem with it. It is simple to use and doesn't require me to know anything about how OpenID works.
I suspect that until things like a TondioPlug become useful for a lot of people, (if they ever do) asking people to be their own provider will be a lost cause.
It doesn't matter when yahoo, google, aol and more offer openid, it's just a click on a button, what could be easier than that? I agree that entering a whole URL is horrible though but that's not how I use openid, I just click on the google button and that's it, just like facebook or twitter connect.
StackOverflow is a good example (IMHO) of OpenID login done right. It's so easy to sign up for a StackOverflow account, and I don't have to remember or write down yet another fucking password!
IMHO, one of the things they do correctly is that the user doesn't have to remember an OpenID url in most cases, just click on the logo for which of your likely ID providers (Google, Facebook, Yahoo, etc.) that you want to use. What could possibly be easier or friendlier for the end user?
StackOverflow is a good example (IMHO) of OpenID login done right.
The problem is that StackOverflow is also about the only example of OpenID done right, or done at all...
Yes, there are a few others. But at least in my internet usage I hardly ever run into one. I can't remember having used my OpenID for any site other than SO in the past couple years.
Other examples of user-friendly OpenID login pages:
* Tripit.com only supports Google, Google Apps, and Facebook, but it's very end-user friendly to use any of those three.
* Catch.com, like Tripit, supports Google and Facebook OpenID logins.
* mindmeister.com supports Google, Google Apps, or a generic OpenID login.
* springnote.com supports a number of openID providers including generic OpenID. This one is actually an even better example than StackOverflow of an end-user friendly OpenID login/signup page.
Those are just ones I pulled from my Google account settings page. I'm sure there are other good examples out there.
It shows that it's possible. The question is then why others don't implement it well. Obviously it's not worth it to them, but I think that say more about those doing the poor implementations than it does about OpenID.
Indeed, I also think that OpenID is not designed well. I mean, I have tried to implement it already twice. And everytime, I think, I got the idea of OpenID, later I realize, no I still didn't got real wht it tries to do.
What is wrong in that a spammer could easily host its own OpenID server and log in with that account on numerous sites. You even can write scripts to do it automatically, so I didn't really get the idea of OpenID.
I think in the future we get OAuth as the winner. Yes, its main purpose is different, however "signing in" with OAuth is so much easier. Even a simple user can understand how it works. And by implicit use of only specific OAuth providers (where you registered your app), you close the door for "bot"-providers. Of course one can argue, that you can also force to use only specific OpenID providers, but this is not core idea of what OpenID was created for.
OpenID doesn't replace user accounts. It replaces account passwords. A site, instead of verifying a user's password, contacts the user's OpenID provider asking them to verify the user's identity.
Instead of using the same username + password combination for all the sites on the Internet (and suffering from Gawker-like incidents), or writing down a bazillion passwords in my keyring, I use my OpenID when I want to comment on random people's blogs or sites like StackOverflow.
It's more like a restaurant hiring a third party to handle billing without you needing to collect cash or hold consumer receivables. (ie. credit cards)
Who do you trust more to control who can use your identity? A gossip blog like Gawker Media? Or a place like Google, Verisign, etc who employs real security experts who know what they are doing.
I have a PayPal token so that I can use two-factor authorization for my account. Since Verisign PIP is powering that solution, I also now have a two-factor openid that I can use anywhere. So if I decide that I want to have additional protection for my StackOverflow or Tripit accounts -- I can.
I wrote a blog post[1] last week about a better solution for handling auth. The tldr version is that our user agents need to be doing a better job of managing authorization and multiple accounts for us. I posted it here on HN[2], but didn't get much traction on a Friday afternoon.
I still like OpenID for smallish projects and blog commenting. While people are ok with creating a username and password for a 37signals product, I doubt they're interested in creating one for something that tell my friends on facebook and twitter what my favorite color is.
Well, it's a damn good thing I switched away from OpenID for my current project. I was originally forced to switch because the ruby openid library did not work for ruby 1.9 due to encoding issues. It's amazing how much things change in a year.
There is nothing wrong with it, and I don't know if its intentional but its super effective.