Interview: Chris Messina on OpenID

Chris Messina, Citizen-Participant & Open Source Advocate-at-Large, answered some questions from Yahoo!'s Christian Heilmann about OpenID and Yahoo!'s recent announcement.

Hi there Chris! Your Twitter network probably suffered the same fate as mine - being bombarded with tweets about OpenID. Care to share what the OpenID fascination is all about?

I've been a believer for quite some time. Tara likes to say that when I see a parade, I jump in front of it. I wouldn't necessarily say that that happened in this case, but I certainly joined in walking alongside the project from very early on. I knew it was going to be big, I could just sense it.

For one thing, the approach was an open source approach, and no one could really claim to own the whole thing, so that was a good thing.

For another, there was a clear value in a protocol like OpenID as previously demonstrated by Passport. The major difference here was that the technology could be implemented in a distributed fashion, creating opportunity and competition where previously there was lockin and a monopolistic situation. The design of OpenID prevents that situation from re-emerging, and gives us a new building block with which to bring about new innovation.

In some senses, this is as big as, if not bigger than, the mainstream realization and adoption of AJAX as a tenet of modern web design.

I am a big believer in solutions that solve a problem, rather than coming up with clever solutions to show off. What are the main problems the web suffers from that OpenID could solve?

Well, this is an interesting way to present the question, because OpenID 1.1 was a fairly straightforward solution to asserting, across sites, that the person who just showed up with a URL could actually prove that they had control over the URL. That was about it.

With OpenID 2.0, a lot of complexity was thrown into the mix, and as work on OpenID 3.0 gets underway, it will likely only get more complicated.

But that's only at the protocol level. So your question is actually two questions rolled into one phrasing.

From a human user perspective, OpenID solves a few problems:

  1. It asserts that portable identity is important and useful (i.e. for carrying reputation between contexts).
  2. It alleviates the burden of remembering countless usernames and passwords across many devices or contexts.
  3. It supports the notion of developing multiple personas for each OpenID or for different OpenIDs.

Now, of course, with these basic benefits, it will only matter which actually get adopted in the wild. But, I think that, with these three benefits, many things become possible, and so as the benefits each unfold individually, there will become a greater and greater reason to adopt the technology and begin using OpenID. We're a ways off yet (maybe a couple years) but I think this direction is unavoidable (and heck, a good thing for people!).

Stretch your imagination a bit and imagine me as a non-geek. How would you try to sell me OpenID? What is in it for the common web consumer rather than participator?

Well, I rarely take that approach with technology. Technology that works for people needs to be self-evident, and honestly, OpenID is not -- not yet anyway.

However, in some contexts, OpenID makes absolute sense and demonstrates quantifiable value as in the case of Basecamp. If you use more than one Basecamp site, or any other 37Signals product, there's very clear and compelling value in using OpenID to unify your account logins between these sites. For example, I've had clients set up accounts for me on their Basecamps and have assigned me any of five different usernames! It's a nightmare remembering which is which, especially when I'm on my iPhone and don't have a password manager. Once Basecamp adopted OpenID, I was able to use the same account for all of them, solving the problem for me once and for all.

It's examples like that that should drive OpenID adoption, not any ideological view. I mean yeah, I can see how OpenID is great and I use my OpenID everyday, but I also love 1Password and I think insomuch as people have solved the basic password management problem for themselves, OpenID is yet another account.

Where it becomes compelling, I think, is when people find themselves using more and more internet-enabled devices that *don't* remember their accounts for them. That's when OpenID will suddenly become a mandatory feature.

What are the technical barriers to OpenID?

Well, a lot of people are put off by the size of the libraries. And there are still compatibility issues and documentation needs to be drastically improved. But motivated developers are pretty resilient, and there have been a number of implementations, so I'm less worried about the technical hurdles, which typically can all be overcome.

I'm more worried about 1) generating sufficient user value and 2) improving the basic OpenID user experience. If we don't nail the user experience for OpenID (without sacrificing the benefits of being able to use any OpenID), I think we're going to be hard pressed to convince folks to switch or to take it seriously.

Fortunately, we have momentum now with large providers like Yahoo! coming online, but even their implementations are confusing to bit-literate types like me. If *I* have a hard time with this stuff, I can't imagine that folks who don't care about the technology are going to wade through our mess.

And oh, one more thing. OpenID has to become a first class login citizen... it can't be relegated off to some "geeky no man's land". Of course this demands that we fix the user experience, but by putting it front and center, perhaps there'll be more motivation to take care of the unsightly and inconsistent mess that is OpenID consumption today.

You've recently been at the OpenIDDevCamp and chaired a discussion about OpenID usability. What were the outcomes? What are the big obstacles in terms of interfaces?

Well, we came up with three classes of OpenID login forms: inline (as in Dopplr), boxed (like in comment forms) and full page (seen in the WordPress plugin and on Movable Type). From here we'll be developing guidelines for implementing login boxes that conform to best practices extracted from existing real-world implementations.

We also spent a lot of time coming up with all the potential error conditions for the OpenID login dance and will be documenting them soon and providing recommended language for reporting problems to users, and possibly even recommending ways to address common failures. Since OpenID relies on remote websites for logging in, when things go wrong, they can go really wrong. Helping people cope with such problems and get back on track is something that we desperately need to address.

The biggest obstacle for OpenID is going to be enforcing consistency in interfaces. While I'm all for experimentation, when it comes to something like logging in to a website, you shouldn't mess around. Streamlining the look of login boxes is something that really needs some attention and unification. It's not that all login forms need to necessarily look identical, but that standards are needed, and meeting people's expectations is a huge part of that. The more confusion we can save from the login experience, the better. And so providing clear, consistent and usable interfaces is a primary means to that end.

In December you published a wishlist on OpenID and support by Yahoo! was one of the wishes. Have you taken a look at what was done, how do you think we are doing so far and what would you want to see next?

Well, I think it's excellent to see Yahoo! become a provider. That's huge and really gives OpenID a needed push in both its long-term viability and in validating the investment people will make in becoming OpenID consumers. But providing OpenIDs is the easy part; for Yahoo to really earn full credit, it needs to consume OpenIDs, and so I'm hopeful that that will happen in time as well.

So far I'm actually a bit under... or over... whelmed by Yahoo's OpenID implementation. I think the process feels too heavy when compared with getting a regular account, and is sold to the user defensively (especially talking about "geeky stuff", which seems to be dismissive of the value of picking a unique and memorable OpenID).

That said, I'm excited to see a good implementation of directed identity, and if someone only needs to enter "yahoo.com" as their OpenID provider (or click a button), we're getting closer to an ideal user experience.

Next steps I think include working on profile portability and pushing forward the use of microformats and OAuth for secondary data and authorization use cases.

Do you think a big player like Yahoo! supporting OpenID will have an impact? Could it be that there might be a geek retaliation?

I think it has already. I don't think there will be a retaliation, but it certainly would go a long way to avoid one if Yahoo! became an OpenID consumer!

What do you see as the big opportunities a wider-known OpenID would bring us? What is your dream implementation?

Well, my dream is moving towards a "citizen-centric web", where web citizens can come and go to services they choose to use and choose to broker their data to for limited or specific purposes and where they're always in charge.

I see this as restoring the village model of the web, where big and small players compete on a similar level, as opposed to the way things are now, where so many people are locked up in proprietary high-rises that it's hard to develop external web services that get any lasting pickup because people are content to stay put in places that are uniform and familiar (like Facebook).

Long term, OpenID and web citizen identity restores balance to the open nature of the web, and provides yet another building block with which to create compelling and useful applications.

As I've said, we have a long way to go, and we're just getting started, but I see a bright future ahead for identity-centric service delivery on the web, where you can be friends with your friends based on *who* they are, not based on which network they're in. And a lot of this stuff is just political and inertia, but with OpenID, I see advances in the state and architecture of web technologies that will keep us busy for the next several years, easily.

Exciting times, exciting times indeed.