A View from Christopher Mims
How OpenID Lost to Facebook Connect in the Battle for Your Online Identity
Users care about simplicity, not privacy, which is why portable identities are destined to be controlled by corporations instead of by open standards.
It is now apparent that OpenID, a standard that allows users to securely integrate and control their online identity across all websites, has failed to gain traction and will be supplanted by commercial rivals like Facebook Connect and Twitter, says a flurry of posts by Silicon Valley elites on question-and-answer site Quora, including a drop-kick-to-the-TSA’s-favorite-nether-regions by Yishan Wong, a former top engineer at PayPal and Facebook.
In answer to the question “What’s wrong with OpenID?” Wong opined:
It boggles my mind that this is apparently a big question for techies and, to me, is a perfect example of the Silicon Valley mindset that doesn’t understand how to build products that real people want to use.
For anyone who thinks about identity on the web, or merely pines for the day when it won’t be such a mess of usernames, passwords, and security vulnerabilities, his full post is well worth reading, but here’s the gist:
OpenID is far too complicated a solution for a problem that most users simply don’t have. Most users don’t care about security, and that’s why they let their browsers save usernames and passwords, re-use passwords across sites, refuse to log in in the first place, avoid sites that request logins, and perform a host of other behaviors that make geeks cringe.
The price of entry for OpenID is simply too high, agrees engineer Charlie Cheever, who managed the Facebook Connect team from 2008 until 2009:
Facebook Connect is a simpler user experience since there are fewer decisions for the user to make and one less layer of abstraction for the user to have to understand.
One example of this is that, on sites where I’ve signed up with an OpenID, I often forget which provider I’ve used to sign up for that site. In a lot of ways, this is worse than forgetting your password–it’s like forgetting your username or e-mail address–since you can’t have the thing you’re signing into e-mail you a reset link since it doesn’t know who you are or where to send it (unless you’ve provided the site with an e-mail address–which is something that people think you shouldn’t have to do if you use OpenID.)
Lest you think that only Facebook engineers feel this way, check out this hot-off-the-presses post from Chris Messina, currently at Google and a board member of the OpenID Foundation.
Is [the OpenID Foundation] in a better position now than when I joined the board in 2008? In some respects, it is. In many others — particularly ones that I care about — perhaps not. When I think about where OpenID should go in 2011 and 2012, I think back to the original aspirations that I had in 2008 and think about how few of them were achieved. It really makes me wonder whether there’s enough soul left in the dwindling community to make things happen — especially the right things.
Messina admits that it was probably a mistake for the OpenID Foundation to shift its focus to the “mother of all use cases,” the use of OpenID by the U.S. Federal Government. It took members’ attention away from creating something that was usable by small businesses and the countless webmasters who are now embracing technologies like Facebook Connect.
Messina chalks this up to problems with the branding of OpenID, while ignoring the fundamentally frustrating user experience that anyone who has attempted to use the protocol has encountered.
Here’s an idea for Silicon Valley: the next time you want to come up with a protocol that ultimately must be used by people like your grandmother in order to reach widespread adoption, whip out your WWSJD (What Would Steve Jobs Do?) bracelet and repeat after me:
Absolute devotion to simplicity is the shortest route between your idea and the soul of the consumer.