
With Facebook, Has OpenID Moved Closer to Being the De Facto Login Standard?

Facebook today rolled out support for the digital identity standard known as OpenID, the latest and to date most successful attempt to let users log into many web services (from different, sometimes competing companies) with a single login and password. Scoring Facebook, one of the biggest and fastest-growing login-based web sites in the world, suggests OpenID may have reached critical mass. The technology is a bit obscure, however, and widespread adoption could turn out to be nothing more than geek fantasy, yet another feature the mainstream user simply doesn’t care about.

Sharing a single digital identity across multiple web sites is big business. Corporations have been trying to establish a foothold in this market for years, dating all the way back to the dot-com days. Microsoft (Windows Live ID), Yahoo and AOL have all taken cracks at it, with varying degrees of success. Both Facebook (Facebook Connect) and Google (Google Accounts) have their own proprietary ID services as well.

Unsurprisingly, none of the major players had shown interest in supporting competing platforms — until OpenID came along, that is. Yahoo, Google, AOL, MySpace and Microsoft all support OpenID logins in one form or another, as do a growing number of other organizations.

Web sites make significant amounts of money selling data collected from their users, including the resale of users’ email addresses. One web site owner I spoke to, Drew Curtis of, said he could sell the email addresses of his site’s users for 25 cents each — though he was quick to note that he does not. This is why so many sites ask if you mind receiving “messages from our marketing partners.”

With a platform like OpenID, sites can’t gather this marketing data from their readers, and as such lose a potentially significant revenue stream. That makes shared ID adoption a potentially costly proposition — notwithstanding OpenID’s promise of “lower cost of password and account management.”

Having one standard digital identity might be good for users, but “there’s a lot lined up against a unified account service,” Curtis told me. “The killer app would be something like OpenID that implicitly allows sites to scrape personal data” and make money off it.

OpenID has the backing of most of the big names in the industry, and is primed for success like no other login service before it, but whether it receives widespread adoption from thousands of web sites currently asking users to set up proprietary logins remains to be seen.

What does OpenID mean for Facebook? At the end of the day, not much. The site has managed to get 200 million users without OpenID, so it is unlikely the site will get a big bump in traffic — but it does suggest that Facebook is willing to play nice with the rest of the web, rather than being the bully in the sandbox. Maybe.

6 Responses to “With Facebook, Has OpenID Moved Closer to Being the De Facto Login Standard?”

  1. Starting with the OpenID Foundation, most writing about OpenID claims (erroneously in my opinion) that all RPs have to accept OpenIDs issued by any and all OPs. Let us be clear: OpenID is an authentication protocol; RPs are at liberty to decide which OPs to accept. For example, a site meant for school kids will accept OpenIDs issued by schools alone. This way the site depends on accredited third parties who are in a position to ascertain the ages of its users. Are we going to say that this is not an acceptable use? Likewise, why shouldn’t Google insist that they will accept only Google-issued OpenIDs? It is unfortunate that people like Chris Messina have argued for open acceptance. It is not realistic and is a mistaken position on the technology.

    • “Likewise, why shouldn’t Google insist that they will accept only Google issued OpenID?”

      Because that mentality defeats the whole purpose of OpenID. It wasn’t created to merely be an authentication protocol…those are a dime a dozen. Its strengths came from the idea that it could be used as a single digital identity, which benefits the users; it would have a low cost of operation (simplified implementation, security, authentication), which benefits companies/site owners; and a single company could not cause its downfall by misusing it. If everyone acted as the major companies have so far, it doesn’t work as a single identity because each site still requires you to create a login for their site. What’s the point in having all identity providers and no identity consumers?

      • I am not aware of those dozens of protocols that are federated and user-centric. I agree that the OpenID community is pitching it as not only SSO, but also as removing the need for registration. But the reality is going to be a bit more nuanced. The protocol has provisions for RPs to know what kind of authentication scheme the OP is using; I would think this suggests that the RP can decide whether that authentication is sufficient for its purpose, and if it decides otherwise it can reject that OP.

        When Sun issued OpenIDs to its employees, it stated that this would help: companies that give employee discounts could use a Sun-issued OpenID as a means to verify employment status. Surely those companies will decide which OPs to accept. We can force them to accept all OpenIDs. If we insist to RPs that it is all or nothing, then I assure you that many RPs will walk away. As it is, RPs are sharing some strategic info with OPs – OPs are in a position to size the traffic to the site.

        It is not clear why Facebook is using OpenID. But I can suggest one use. Socnets are required by AGs to protect minors. A socnet targeted for school children can comply by requiring OpenIDs issued by schools and no one else. Will we prohibit such a use of OpenID? Is this RP misusing it?

        Let me conclude by quoting an exchange I had with Brian Kissel, Chairman of OpenID Foundation (in OpenID group in LinkedIN):
        me: I am a strong supporter of OpenID. In a web application that I have developed, we accept only OpenID. But I take issue with a common position advocated by many in the OpenID community – that one of the fundamental benefits of OpenID is SSO and that it simplifies the registration procedure. I want people to realize that RPs can and will decide which OpenIDs they will accept, and that for legal or other reasons an RP may ask for certain information even if OPs can provide it.

        I think we as a community should impress on OPs that they should add material value to the identification. Currently almost all of the OPs are “permissive” with no membership criteria. On the other hand, consider schools to be OPs. Then Myspace or Facebook can use OpenID to enforce age related policies. Attorneys General can force them to use school issued OpenIDs.

        Instead of Demand OpenID list (which is forcing the hands of RPs), we should be demanding OPs to add verification of some aspect of OpenID holders that will be difficult or expensive for RPs to do. This verification could be the revenue model as well.

        Brian: Absolutely, each RP has complete control over which OPs they choose to accept, even as end users get to choose which OPs they want to use. Your input on what features and services you want from an OP will be a helpful contribution to this forum.

      • I agree that there’s a disjoint in the direction of the marketing of OpenID via the community versus the actual capabilities of the protocol and the benefits that provides. Hopefully they are able to reconcile their use cases so there is a single (and practical) direction to move forward. You raise some interesting points I hadn’t thought about, thanks for that!
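The thread above argues that an RP may restrict which OPs it accepts and may inspect the authentication policy the OP reports (in OpenID 2.0 that is the PAPE extension). The following is an added example, not code from the post or any commenter, of an RP-side acceptance check over a constructed positive assertion; the allowed hosts, the required policy and the sample response are assumptions, and signature verification and discovery are assumed to be done beforehand by the RP's OpenID library.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: query string of an OpenID 2.0 positive assertion
# (mode=id_res) as it arrives at the RP's return_to URL. The signature is
# a placeholder; this code assumes the OpenID library already verified it
# and confirmed via discovery that op_endpoint is authoritative for claimed_id.
SAMPLE_RESPONSE = (
    "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
    "&openid.op_endpoint=https://openid.school.example/server"
    "&openid.claimed_id=https://openid.school.example/u/alice"
    "&openid.identity=https://openid.school.example/u/alice"
    "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
    "&openid.pape.auth_policies="
    "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
    "&openid.signed=op_endpoint,claimed_id,identity,ns.pape,pape.auth_policies"
    "&openid.sig=ConstructedSignatureValue"
)

ALLOWED_OPS = {"openid.school.example", "idp.district.example"}  # assumed allowlist
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
REQUIRED_POLICY = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

def parse_assertion(query: str) -> dict:
    """Flatten the key=value pairs of the assertion into a plain dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def op_is_allowed(fields: dict, allowed_hosts: set) -> bool:
    """Exact host match on an https OP endpoint: no suffix matching, so a longer
    host name that merely ends in an allowed name does not pass."""
    endpoint = urlparse(fields.get("openid.op_endpoint", ""))
    return endpoint.scheme == "https" and endpoint.hostname in allowed_hosts

def pape_satisfied(fields: dict, required: str) -> bool:
    """The OP must answer PAPE, sign the policy field, and list the policy."""
    if fields.get("openid.ns.pape") != PAPE_NS:
        return False  # OP ignored the PAPE request entirely
    if "pape.auth_policies" not in fields.get("openid.signed", "").split(","):
        return False  # an unsigned policy claim could have been altered in transit
    return required in fields.get("openid.pape.auth_policies", "").split()

def accept_login(query: str, allowed_hosts=ALLOWED_OPS, required=REQUIRED_POLICY):
    """Return (accepted, claimed_id or reason) for one assertion."""
    fields = parse_assertion(query)
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if not op_is_allowed(fields, allowed_hosts):
        return False, "OP is not on this RP's accepted list"
    if not pape_satisfied(fields, required):
        return False, "OP did not assert the required authentication policy"
    return True, fields["openid.claimed_id"]
```

The allowlist is applied to the OP endpoint the library verified, not to the claimed identifier string, since a claimed identifier can be hosted anywhere and delegate to any OP.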

  2. There are two major points this article glossed over…while OpenID has had plenty of big names backing it, it’s generally only used as a provider by almost all of them (i.e. you can use your Google ID as an OpenID, but good luck trying to use an OpenID to use Google services). This seems like the first large-scale adoption by a company using it to let you log in to their service using an OpenID.

    And second, Facebook has always been very keen on keeping their “walled garden” of user information (see Facebook Apps, Beacon, etc.), so what makes them so eager to adopt OpenID, especially when it directly competes with their proprietary ID service trying to be universally adopted, Facebook Connect? I don’t get their motivation for allowing OpenID logins, but it isn’t very believable that they’re doing it simply as a gesture of their openness. And if it’s not going to drive much new traffic as suggested in this article, why bother?