For about a year I have been pushing OpenID and OAuth as a key component of a large-scale “Social Process” system (see posts here, here, and here). In the past year I have tested these ideas with a project called “Process Leaves” which is essentially a wiki which supports a couple of non-profit organizations I volunteer with. In order to access the protected content, you must log in with an OpenID. Yet there is still a problem.
OpenIDs are readily available and free, but there is still a significant barrier to use. Typical users don’t understand why they need to go somewhere else to get a login ID. It seems like just one more complication. To a user, it is clearly a lot more trouble than simply being presented with a “set your password” prompt. It is conceptually not obvious why you need to get a password at another site, nor how it safeguards your access in the first place. To the casual user, it seems like “magic without a need”.
A lot of work has been done by the OpenID people to make the user interface seamless, so that places like myopenid.com offer both user registration and a user login screen. While clearly solving a usability problem, this opens the door for phishing sites which steal your password when you think you are logging in. WordPress refuses to offer a login page, requiring instead that you use your own shortcut to access their login. While safer, most users simply don’t understand why they can’t just log in. I have been forced to add a regular username/password access to “Process Leaves” so users can choose whichever is most convenient to them.
I remain convinced that OpenID is a certainty for the future. Once there are enough sites using OpenID, once there is enough benefit from getting an OpenID, once the average person can see the utility of getting and re-using one ID at many sites, only then will it really take off. Until that time, average users will find it a bother.
There is some hope that the next Mozilla browser may offer OpenID “built in”. A very interesting video by Dan Mills shows Identity in the Browser coming out of the Weave project. Weave is mainly focused on sharing settings across multiple browsers, but this identity angle might be a killer feature for them. I hope, however, that this can advance from an extension to a built-in part of the browser, which would really solve the user interface problem once and for all. Similarly, it is expected that Google will build OpenID into Chrome. Microsoft, of course, has CardSpace, which might play well with OpenID, but it remains to be seen how tied this is to the OS.
Some think that social networks may be the key to managing identity and authenticating to sites. Don’t miss this interesting article on how the social networks are converging with browser technology: Firefox Could Be the Real Facebook Challenger. This is further supported by Edwin K with his post on Browsers and the Future of Identity and Authentication. From my point of view: authentication in the browser can’t come soon enough.