After three months away in San Francisco I was recently back in London visiting friends and family. With a couple of weeks to spare I got stuck into booking dinners with old friends. I’m a big fan of the offers on Top Table and with my eye on a nice little brasserie in Hampstead I knew I had enough points to get one of my meals on the trip for free.
Or at least I thought I did, only after so many months away, I’d forgotten my password to get back in. Not only that but I’d registered with an old email address and couldn’t even get the password reminder. For the want of a password, me, my page views and my commission were lost.
Usernames and passwords are everywhere. In a web that’s becoming more and more specialized and mashed up, where storage comes en masse from Amazon, video from YouTube, maps from Google, presence from MyBlogLog and sharing from del.icio.us, one last feature remains awkward and local: login.
The cost of sign-up
Sign-up: one simple and ubiquitous feature that costs websites users, lots of users. France Telecom recently did extensive research on the subject and found that at every new screen presented during sign up, 50% of users give up and go elsewhere.
That makes sign-up screens a very expensive part of your website. So you’ve built an incredible new service and spent a fortune advertising it on Google to get maybe a thousand clickthroughs. Of those, perhaps a hundred will be impressed enough with your service to reach that critical sign up screen. Ask the user for a username and password, confirm their email and you’ve just lost 75 of them.
The simple act of sign-up just multiplied your customer acquisition cost by a factor of four. Getting rid of the process would make your advertising a staggering four times more effective.
Even once the user has finally signed-up the login screen will continue to haunt both them and you. Up to 80% of calls to help desks are from users requesting password resets and every one costs an average of $30 to process.
The pain of sign up and login is both extensive and expensive. In the last two years though, a protocol has emerged to address it, a protocol which shows the early glimmers of even being able to solve it: OpenID.
OpenID, the HTML of identity
In 1990, Tim Berners-Lee made the enormous simplification that most information people needed to access could be encoded into plain old HTML. “Information” is as broad a category of data as you can get though, and it can be encoded in lots of different formats: XML, PDF, JPEG and plain text being just some of them. In making that one extreme simplification, Tim Berners-Lee nailed the core of the problem and laid the foundations for the depth and complexity of the web that exists today.
Two years ago, Brad Fitzpatrick of Six Apart made the same simplification for identity. Identity is a complex and amorphous beast. Who are you, what qualifications do you have, who can verify them and how can I trust them? What’s your reputation, who are your friends and are you really my second cousin once removed?
These are very difficult questions to structure and answer programmatically and, like document encoding, too difficult to solve in one fell swoop. Brad proposed a solution to a different and far simpler question: are you the same user who was at my site last week?
Remember me … forever
At its core, all OpenID cares about is telling a website that you’re the same person, the same user you were last time you visited them. It’s a bit like a cookie you carry around with you and drop into any machine you’re using — “remember me forever”. OpenID gives you, the website owner, the opportunity to personalize and customize your content to more users more of the time.
How it works
In essence, OpenID allows one website to piggy-back off an authenticated session at another website. I log into my OpenID provider (e.g. Clickpass.com, the startup I founded), which gives me an OpenID URL and keeps a session for me there. When I want to use another site (e.g. 37signals’ Basecamp), instead of giving them a username and password, I give them my OpenID URL.
Basecamp looks up the provider named by that URL and redirects my browser to Clickpass with a request to confirm who I am. If I already have a session there, Clickpass sends me straight back to Basecamp carrying a signed assertion that I own the URL; if not, it asks me to log in first. Basecamp checks the signature (using a secret it shares with Clickpass, or by asking Clickpass directly), then logs me in and creates a session of its own. At no point does Basecamp see my Clickpass password.
The WWW cloakroom attendant
You can imagine OpenID to be a little like the tickets a cloakroom attendant uses. When you leave your coat in the cloakroom of a nightclub they tear a ticket out of their book, pin one half to the coat and give the other half to you. When you want your coat back you give them your half of the ticket, they find the coat that matches it and give it back to you.
OpenID does exactly the same thing with a website. You go to a website, and give them a copy of your OpenID URL which they then pin to your account. Next time you come back, you flash them your OpenID, they look up the account that corresponds to it, do a quick check to make sure you really are the owner and then let you in.
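To make the exchange concrete, here is an added example, written for this page rather than taken from Clickpass, Basecamp or the OpenID project, that models both sides of the flow described under “How it works” and the account-pinning step of the cloakroom analogy. The relying party redirects the browser to the provider, the provider answers with a signed assertion, and the relying party verifies it before looking up the account pinned to that URL. Everything in it is assumed: the endpoint and identifier URLs, the browser “cookie”, and the association step, which the real protocol performs over HTTPS or a Diffie-Hellman exchange but which is modelled here as a direct call.

```python
# Added example (not Clickpass, Basecamp or OpenID project code): a model of the
# OpenID 2.0 redirect flow with relying party (RP) and provider (OP) in one
# process. Endpoints, identifiers and the browser "cookie" are made-up values.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]

def parse_url(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def kv_sign(mac_key, fields, signed):
    """HMAC-SHA256 over the key:value form of the signed fields (OpenID 2.0, section 6)."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

class Provider:
    """Holds the user's session and signs assertions for RPs it has associated with."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.assocs = {}    # assoc_handle -> MAC key shared with one RP
        self.sessions = {}  # browser cookie -> claimed identifier of a logged-in user

    def associate(self):
        # Real OPs agree this key over HTTPS or Diffie-Hellman; here the RP just calls us.
        handle = secrets.token_urlsafe(9)
        self.assocs[handle] = secrets.token_bytes(32)
        return handle, self.assocs[handle]

    def checkid_setup(self, cookie, redirect_url):
        """Browser arrives from the RP: redirect it back with a signed assertion, or None."""
        req = parse_url(redirect_url)
        claimed = self.sessions.get(cookie)
        if (claimed is None or req.get("openid.mode") != "checkid_setup"
                or not req["openid.return_to"].startswith(req["openid.realm"])):
            return None  # no session here (the OP would show its login page) or a bad realm
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
        fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
                  "openid.claimed_id": claimed, "openid.identity": claimed,
                  "openid.return_to": req["openid.return_to"], "openid.response_nonce": nonce,
                  "openid.assoc_handle": req["openid.assoc_handle"], "openid.signed": ",".join(SIGNED)}
        fields["openid.sig"] = kv_sign(self.assocs[req["openid.assoc_handle"]], fields, SIGNED)
        return fields["openid.return_to"] + "?" + urlencode(fields)

class RelyingParty:
    """The site being logged into. It never sees the user's password."""
    def __init__(self, realm, op, discovery):
        self.realm, self.return_to = realm, realm + "/openid/return"
        self.discovery = discovery   # claimed_id -> OP endpoint, as found by discovery
        self.assoc_handle, self.mac_key = op.associate()
        self.seen_nonces = set()
        self.accounts = {}           # claimed_id -> local account: the pinned ticket stub

    def login_redirect(self, claimed_id):
        """Step 1: send the browser to the OP with a checkid_setup request."""
        return self.discovery[claimed_id] + "?" + urlencode({
            "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.assoc_handle": self.assoc_handle,
            "openid.return_to": self.return_to, "openid.realm": self.realm})

    def verify(self, return_url):
        """Step 2: check the assertion the browser brings back; local account name or None."""
        q = parse_url(return_url)
        if q.get("openid.mode") != "id_res" or q.get("openid.return_to") != self.return_to:
            return None
        signed = q.get("openid.signed", "").split(",")
        if (not set(SIGNED).issubset(signed) or q.get("openid.assoc_handle") != self.assoc_handle
                or any("openid." + n not in q for n in signed)):
            return None
        # The MAC proves the assertion came from the OP we associated with ...
        if not hmac.compare_digest(kv_sign(self.mac_key, q, signed), q.get("openid.sig", "")):
            return None
        # ... and that OP must be the one discovery found for this identifier (no rogue OPs).
        claimed = q["openid.claimed_id"]
        if self.discovery.get(claimed) != q["openid.op_endpoint"]:
            return None
        # Each nonce is accepted once, so a captured return URL cannot be replayed.
        if q["openid.response_nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(q["openid.response_nonce"])
        # Cloakroom step: find the account pinned to this URL, or open a new one.
        return self.accounts.setdefault(claimed, f"user{len(self.accounts) + 1}")

def demo():
    op = Provider("https://op.example/auth")
    op.sessions["cookie-abc"] = "https://alice.op.example/"   # Alice is logged in at the OP
    rp = RelyingParty("https://rp.example", op, {"https://alice.op.example/": op.endpoint})
    redirect = rp.login_redirect("https://alice.op.example/")
    back = op.checkid_setup("cookie-abc", redirect)
    return {
        "first_login": rp.verify(back),                             # "user1"
        "no_session": op.checkid_setup("cookie-xyz", redirect),     # None: OP must show login
        "replay": rp.verify(back),                                  # None: nonce already used
        "tampered": rp.verify(back.replace("alice", "mallory")),    # None: MAC no longer matches
        "returning": rp.verify(op.checkid_setup("cookie-abc", redirect)),  # "user1" again
    }
```

Calling `demo()` runs a first login, a visitor with no provider session, a replayed return URL, a tampered assertion and a returning user. The three rejections are the checks a relying party must not skip: the signature over the named fields, the provider endpoint matching what discovery returned for that identifier, and a nonce that is accepted only once. A real relying party also has to perform discovery on the identifier and fall back to a direct check_authentication request when it has no association; both are left out here.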
Your user or mine?
So if OpenID is logging the user into your site then who exactly owns them? Is that user ultimately a user of the OpenID provider or of the website itself?
A good place to look for the answer to this is Evite.com. One of the reasons Evite became so successful is that it didn’t require people to create accounts in order to see their invitations. Clicking on a personalized link sent to you in an Evite email is proof that you own the email address and logs you directly into Evite.
Evite piggy-backs off the authentication from your email account. Nonetheless, it’s clear that it is Evite, rather than Hotmail or Gmail, that owns the user. In the same way as Evite piggy-backs off email, OpenID lets you piggy-back off the OpenID provider’s session while retaining ownership of your user. The data they enter at your site is between you and them and has nothing to do with the OpenID provider.
The consequences of reducing the barrier to account creation and login at websites are hard to overstate. Users’ resistance to signing up to your service falls, the number of users returning to it increases and the amount of time you have to spend reminding them how to do so plummets.
With one account logging them into so many places, the user can also now afford to bring more than just a new username and password to your site and you can afford to demand more. At the same time as lowering the barrier to legitimate users, OpenID raises the barrier to your unwanted visitors.
People are exhausted by having to prove themselves again and again to every new site they visit. OpenID opens the door to portable identity and to their accumulating reputation and credibility which can then be reused elsewhere, just as they reuse their eBay reputation on auctions. Portable identity and credibility is, in turn, the key to demanding more proof from your visitors that they are who they say they are and so to reducing chargebacks, fraud and spam.
One ring to bind them all … and lose them?
With one account to store everything in, many people’s first reaction is that they now have one place from which to lose everything. Crack your OpenID provider and you crack every other site. Being able to get into all sites using one password is undeniably attractive but is it worth it if it lets someone else in too?
Today’s access-all-areas: email
The irony is that we already face the threat of the latter without any of the convenience of the former. Ever forgotten your password? How did you get it back? Did you perhaps click the password reminder button?
Almost every account you have across the web can be accessed using your email account. As soon as someone has your email account they have the key to your other accounts.
Since over a third of users use the same username and password everywhere, the problem is actually far worse than this, as they inadvertently grant access to their email account to each new service they sign up to. I ask for your username, password and email address when you sign up to WinAnotherIPod.com and you give me the same one you use for your email provider and PayPal.
Today’s user has all of the risks associated with a centralized login and none of the benefits.
OpenID and phishing
Just like PayPal and Google Checkout, OpenID is a protocol that is vulnerable to phishing attacks. Click on a malicious Google Checkout link, enter your Google login details on a phisher’s website and you’ve given away your Google account and payment details. Click on a PayPal button that connects to a bogus storefront and you accidentally give away your PayPal username and password.
OpenID can be attacked in exactly the same way. Arrive at an OpenID-enabled website without being logged in and it will redirect you to your OpenID provider to do so. Because the website chooses where to send you, a malicious one can send you to a login page that merely looks like your provider’s. Don’t look too carefully at the URL of that page and you might find you’ve given your details to someone you didn’t mean to.
There are various ways of making this far harder, and some that make it almost impossible: a provider can refuse to accept a password on any page it was redirected to and insist that you log in there first, and it can demand a second factor that a phisher cannot reuse. At their best, OpenID services like Clickpass.com make a user far more secure than they are using conventional logins, and do so across all the sites the user visits.
Make yourself small
The last point is very important because when it comes to being attacked, it’s always easier to defend a smaller area than a larger one. If spiders and aliens are descending on you in a computer game (or indeed in real life) you get your back against the wall. Leave the keys to your house under every pot in the garden and they’re more likely to be found than if you leave them under just one.
Web users today defend their security and their privacy on lots of fronts simultaneously. For people who use the same password everywhere, every new account is a new place for it to be compromised, every new place you enter your details is another place they can be stolen from.
With only one account to log themselves into, users can afford to be more careful about how they do it. They can use email authentication, SMS confirmations and even RSA key-fobs to secure that OpenID account and, by association, every other account it links to. The power of single sign-on means that the heightened level of authentication can now be re-used and re-demanded across the user’s entire network of sites.
So where is it?
It would seem that OpenID is the wonder-drug of the internet. With the power to decrease password reset requests, spam and fraud, and the ability to increase conversion rates, user loyalty and security, it seems almost too good to be true. Today, unfortunately, it still is.
OpenID is fully functional but still raw and too tricky for the average internet user to be able to understand. Even as I write though there is change afoot. Various startups and initiatives, including the OpenID specs themselves, are filling in the gaps and rounding off the corners.
The user experience isn’t yet complete, but with people like VeriSign and our team at Clickpass working on the remaining parts of the puzzle, the future for OpenID looks very, very promising.