I think I'm starting to understand 37signals advertising strategy through DHH tweets, that admittedly only works because they have listeners.
1) Tweet negative/positive questions about x.
2) Tweet negative/positive observations about x.
3) Tweet negative/positive observation backed by data about x.
4) Tweet article about how positive/negative x is on blog.
5) Take action about positive/negative x.
Usually over the span of a couple days. It feels like you are watching DHH come to the realization that something is good/bad which helps you come to the same realization.
There is nothing wrong with it, and I don't know if its intentional but its super effective.
I wish I could brand that as a fancy marketing scheme, but I think the answer is much simpler. It's simply transparent discovery and thinking. If it happens to work as advertising, that's a positive side-effect, but the main dish is coming to good conclusions.
I certainly grew more confident in the decision to dump OpenID after talking with lots and lots of people on Twitter about it. You get to test your ideas, see what the feedback is, tweak, and retry. All while making the decision process public.
Totally understandable, one of the worst executed visions of all times.
I think there's a really huge opportunity in this space, and the first who'll be able to figure out the perfect (and, most importantly, simplest) way to offer a single-sign-on, integrating privacy and security features, will be hugely thanked.
That particular holy grail is a poisoned chalice and it's claimed plenty of victims, anyone remember Sxip? It's not a technical problem, it's power, control and ownership. Anyone in a position to allow a platform to get serious traction isn't going to give that control up and anyone that isn't can't make a system with enough traction. Then there's issues of trust, delegation and longevity. I'd love someone to do it well, I'd love the ability to have anonymous, durable, cryptographically verifiable identities online that could be optionally tied to meatspace identifiers but I just don't see it happening.
I spent a couple of years advocating for OpenID adoption, because I believed that the alternative (one or two companies controlling login for the entire Web, ala Microsoft Passport or Facebook Connect) would be a massive blow to the decentralised nature of the internet. I believed that OpenID's usability issues could be resolved if enough smart people got involved in figuring them out.
Clearly I was wrong on that last point.
And yes, my latest project (lanyrd.com) uses Twitter rather than OpenID for authentication. From a developer point of view, that gets me the benefits I hoped for with OpenID (SSO, portable identities, instant contact lists) without having to wait for the world to agree on the standards. I just wish we could have figured out a decentralised solution.
I think the problem lies in how those iedentities are established. A prolific Twitter or Facebook account makes a good identity precisely because you have spent time pouring your identity into it. Your family photos, relationships, residence and work history on your Facebook page. Your daily thoughts and actions cataloged on your Twitter feed. While not perfect, they're the best thing we have right now to externally verify that you are who you claim to be. They provide context to the authentication. Any external service that implemented the authentication standard that may arise out of this situation lacks that identifying context and the best case scenarion only serves to prove that the user authenticating is the user who setup the account. Taking away Facebook's and Twitter's context makes spoofing that authentication much easier.
Solving that in a way that doesn't violate the privacy concerns of your users seems like something of a holy grail. Panacea if it exists, but far from demonstrated.
"Login with Facebook, Login with Twitter" <- these are your new single sign on providers. I wonder if in the future they'll try to standardize these login providers and the information they share, we can call the new standard Open...something...ID...no...OpenLogin, there we go.
I think providing Facebook/Twitter logins for other social media sites make a lot of sense. Want to login to post on Yelp? Done. Want to checkin at 4sq? Gotcha.
But using those services to check into the applications running your business? Fuck no. I'm certainly not going to let anyone depend on their ability to get paying work done by whether Twitter is up or not. And I know of plenty of people who aren't interested in mixing their private-life Facebook with their work-life accounts.
Then of course there's Google. I'd be weary to let a large number of customers be owned by that Gorilla.
OpenID was promising because it was an open standard, not controlled by any one party. But unfortunately it had the usability of your average open source project (acceptable for hackers, terrible for anyone else).
I actually like this model too ... you're never going to get everybody to use one provider for storing their identities, because nobody will go and create one unless they absolutely need to.
So, it makes sense to go where users are. What I think needs to be done is standardize an api for the sites like twitter, facebook, Google and who-knows-what-in-the-future to use in providing accessing to user information to developers ...
That way, when superdupersocialnetworking.com explodes and has 1 billion users, providing sign on access to its users for your app is as simple as changing one or two lines of code.
I don't understand.
They use single text box of OpenID login.
They have it separated from login page in another page.
How do they want it to be successful and where is their ultimate usability mastery?
There is no way OpenID can be improved when there is no interest in solving global internet issues. Neither Facebook for implementing the own mechanism nor 37signals would get medal of honor for uniting the internet.
The key problem didn't come from people NOT using OpenID, but from the people who did. Supporting OpenID is a nightmare. You have different relaying services that go up and down (OpenID's answer is: "use more than one" - ha!), various levels of incompatibility, and a generally user hostile experience.
If OpenID usage had been in any serious numbers, our support department would have revolted.
If you're trying to build a profitable online business, cutting your support costs is key. And the easiest way to cut your support costs is to dump confusing features or technologies that people constantly write in about.
Same reason we originally dumped FTP in favor of hosting files ourselves. The support costs were way too high.
I use openid not to have a single signon to 37signals apps. I use to to have a single signon period. Not just 37signals but a ton of other apps use it as well (and I wish all of them did).
Every time I see a web app supporting openid Im glad that I don't have to invent yet another user/password combo. again.
As to failing openid providers I have a good suggestion - use OpenId delegation to have a single openid that you can reroute to any openid provider you want. all it takes is a domain name and a very small file hosted on S3 (for example). Then you can switch providers at will.
> Every time I see a web app supporting openid Im glad that I don't have to invent yet another user/password combo
The problem is most people don't bother doing this; they just trust every site with the same password. The benefit I see in OpenID is that it is not a secret, and canot be "compromised" (intentionally or not) in the same way as passwords.
(I also am one of the few, it seems, to use OpenID for my 37signals account)
The only ultimate, secure, technically valid solution to single sign-on is 2-way SSL.
Unfortunately, for this to work, several things need to happen:
1) Users need to learn what a private key is.
2) Browsers need to provide flexible, intuitive, easy-to-use user key support that's not tucked away in 3 levels of dialogs/tabs.
3) We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)
> We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)
Giving out your private keys like that (what, you actually trust an internet cafe computer?) is a rather bad idea. Instead have a service that your local client can authenticate to (with a normal password if you trust your client, or rsa keyfob, or application that makes your phone act like a keyfob), that acts vaguely like either ssh-agent (with the connection established in the opposite direction) or a kerberos KDC (which would let you not need to keep track of privkeys).
Uses the site's domain as a salt though which isn't exactly secure if whoever hacks the database decides to ignore the low-hanging unencrypted fruit and crack your password. You can configure the encryption settings a bit though and add your own pre-salt kinda deal.
I'm surprised that 37signal's thought process is so utterly flawed. Blaming a technology for implementation problems just doesn't make sense. Using this logic, we would have concluded in 1997 that since Geocities pages were ugly and slow, HTTP was a waste of time.
StackOverflow demonstrates aptly that OpenID is a technology that can work really well. You just need to:
- Funnel users to pervasive, competent providers like Google, Facebook, Verisign
- Make the integration experience as smooth as possible.
If your implementation of OpenID requires users to enter URLs and encourages users to use random providers, than yes, it sucks.
Really? Because yesterday I went to Meta StackOverflow and was utterly confused why I was getting new openid requests. (It was because MetaSO is different that SO.) Then I went to SO and was still confused because I thought I used yahoo but actually used google. Then, after I logged in with yahoo, I tried to change from google to yahoo and ended up with both, and now I can't remove the google openid. Very confusing.
Instead of managing 1 SO and 1 MetaSO login, I'm managing a connection from SO to one of many providers and MetaSO to one of many providers. Best case, that's 3 pages (SO, MetaSO and Yahoo) to manage logins to 2 sites.
Until you change ISPs and your ISP provided email address goes away. Sure you could say use gmail or yahoo mail, and that is obviously just fine until they become "evil" or go out of business. Or heck you get your own domain and want to migrate over to using it for email. I have had a number of email addresses over the years and most of the old ones I have lost access to, how does that work again?
It's a shame that CAS for multitenant apps never really took off. We have an integrated CAS and OpenID server to handle single-sign on for all our apps, and losing OpenID will mean an additional username/password for our people to remember for Highrise. We are probably going to write our own CRM at this point.
CAS is definitely somewhat less of a clusterfuck than OpenID, and actually gets the SSO cookie-handling part right.
But it's still a pile of redirects where the net result is that you can tie a user to their identifier and nothing more — it's mostly useless without implementing it paired with an LDAP/AD backend to get group membership and whatnot.
Just not storing a password field in your backend does nothing — you really have to get rid of the per-app account models entirely. WebFinger is a nice step along these lines, but it layers on top of OpenID and even then still doesn't provide the complete picture.
I just skimmed the comments thread and have a vague idea of what OpenID is but haven't gotten around to it yet.
Sounds great, Yahoo/Google/Facebook take your pick with a button or if you're hacker/paranoid enough to have your own infrastructure the slightly complexity of using a URL?
Main complaint seems to be it's URL and not user@host? Couldn't one just add support for user@host into the next
iteration of the standard? Maybe using something like DNS SRV records that seem to work well enough for XMPP?
Decentralisation is important and more cultural than technical. We need to keep working for it and it's not a short term goal--if it happens over decades so be it, but we shouldn't give up ground where we don't have to, especially with things trending against at the moment.
I wonder if it's reasoning like this that has kept OpenID alive when it should have died a long time ago. You want the Open world to win over the corporate overloads, build a technology that actually works. A lot of effort has been put into evangelizing OpenID because it's a technology that nobody would want on their own.
The problem was the underlying concept is not sound and no amount of layer on more features was ever going to solve it. What we need now is to get the browser makers involved in a secure authentication system and start it first inside of smartphones.
What exactly are OpenID usability issues? I personaly prefer to use OpenID where it is available, yet I don't use any login provider but a php script on my own website.
I use a TondioPlug[1] as a provider, and I've never had a problem with it. It is simple to use and doesn't require me to know anything about how OpenID works.
I suspect that until things like a TondioPlug become useful for a lot of people, (if they ever do) asking people to be their own provider will be a lost cause.
Indeed, I also think that OpenID is not designed well. I mean, I have tried to implement it already twice. And everytime, I think, I got the idea of OpenID, later I realize, no I still didn't got real wht it tries to do.
What is wrong in that a spammer could easily host its own OpenID server and log in with that account on numerous sites. You even can write scripts to do it automatically, so I didn't really get the idea of OpenID.
I think in the future we get OAuth as the winner. Yes, its main purpose is different, however "signing in" with OAuth is so much easier. Even a simple user can understand how it works. And by implicit use of only specific OAuth providers (where you registered your app), you close the door for "bot"-providers. Of course one can argue, that you can also force to use only specific OpenID providers, but this is not core idea of what OpenID was created for.
OpenID doesn't replace user accounts. It replaces account passwords. A site, instead of verifying a user's password, contacts the user's OpenID provider asking them to verify the user's identity.
Instead of using the same username + password combination for all the sites on the Internet (and suffering from Gawker-like incidents), or writing down a bazillion passwords in my keyring, I use my OpenID when I want to comment on random people's blogs or sites like StackOverflow.
It's more like a restaurant hiring a third party to handle billing without you needing to collect cash or hold consumer receivables. (ie. credit cards)
Who do you trust more to control who can use your identity? A gossip blog like Gawker Media? Or a place like Google, Verisign, etc who employs real security experts who know what they are doing.
I have a PayPal token so that I can use two-factor authorization for my account. Since Verisign PIP is powering that solution, I also now have a two-factor openid that I can use anywhere. So if I decide that I want to have additional protection for my StackOverflow or Tripit accounts -- I can.
I wrote a blog post[1] last week about a better solution for handling auth. The tldr version is that our user agents need to be doing a better job of managing authorization and multiple accounts for us. I posted it here on HN[2], but didn't get much traction on a Friday afternoon.
I still like OpenID for smallish projects and blog commenting. While people are ok with creating a username and password for a 37signals product, I doubt they're interested in creating one for something that tell my friends on facebook and twitter what my favorite color is.
Well, it's a damn good thing I switched away from OpenID for my current project. I was originally forced to switch because the ruby openid library did not work for ruby 1.9 due to encoding issues. It's amazing how much things change in a year.
[+] [-] peregrine|15 years ago|reply
There is nothing wrong with it, and I don't know if its intentional but its super effective.
[+] [-] dhh|15 years ago|reply
I certainly grew more confident in the decision to dump OpenID after talking with lots and lots of people on Twitter about it. You get to test your ideas, see what the feedback is, tweak, and retry. All while making the decision process public.
[+] [-] axod|15 years ago|reply
Surely you jest :) If there's one thing 37signals do extremely well it's getting people to talk/write about them.
[+] [-] stefanobernardi|15 years ago|reply
I think there's a really huge opportunity in this space, and the first who'll be able to figure out the perfect (and, most importantly, simplest) way to offer a single-sign-on, integrating privacy and security features, will be hugely thanked.
[+] [-] msy|15 years ago|reply
[+] [-] simonw|15 years ago|reply
What could have been done better?
I spent a couple of years advocating for OpenID adoption, because I believed that the alternative (one or two companies controlling login for the entire Web, ala Microsoft Passport or Facebook Connect) would be a massive blow to the decentralised nature of the internet. I believed that OpenID's usability issues could be resolved if enough smart people got involved in figuring them out.
Clearly I was wrong on that last point.
And yes, my latest project (lanyrd.com) uses Twitter rather than OpenID for authentication. From a developer point of view, that gets me the benefits I hoped for with OpenID (SSO, portable identities, instant contact lists) without having to wait for the world to agree on the standards. I just wish we could have figured out a decentralised solution.
[+] [-] yock|15 years ago|reply
Solving that in a way that doesn't violate the privacy concerns of your users seems like something of a holy grail. Panacea if it exists, but far from demonstrated.
[+] [-] lallysingh|15 years ago|reply
[+] [-] clyfe|15 years ago|reply
http://autho.me/
[+] [-] weavejester|15 years ago|reply
[+] [-] lionhearted|15 years ago|reply
[+] [-] seanalltogether|15 years ago|reply
[+] [-] dhh|15 years ago|reply
But using those services to check into the applications running your business? Fuck no. I'm certainly not going to let anyone depend on their ability to get paying work done by whether Twitter is up or not. And I know of plenty of people who aren't interested in mixing their private-life Facebook with their work-life accounts.
Then of course there's Google. I'd be weary to let a large number of customers be owned by that Gorilla.
OpenID was promising because it was an open standard, not controlled by any one party. But unfortunately it had the usability of your average open source project (acceptable for hackers, terrible for anyone else).
[+] [-] luigi|15 years ago|reply
[+] [-] trustfundbaby|15 years ago|reply
So, it makes sense to go where users are. What I think needs to be done is standardize an api for the sites like twitter, facebook, Google and who-knows-what-in-the-future to use in providing accessing to user information to developers ...
That way, when superdupersocialnetworking.com explodes and has 1 billion users, providing sign on access to its users for your app is as simple as changing one or two lines of code.
That would be really awesome
[+] [-] edvinasbartkus|15 years ago|reply
There is no way OpenID can be improved when there is no interest in solving global internet issues. Neither Facebook for implementing the own mechanism nor 37signals would get medal of honor for uniting the internet.
[+] [-] dhh|15 years ago|reply
If OpenID usage had been in any serious numbers, our support department would have revolted.
If you're trying to build a profitable online business, cutting your support costs is key. And the easiest way to cut your support costs is to dump confusing features or technologies that people constantly write in about.
Same reason we originally dumped FTP in favor of hosting files ourselves. The support costs were way too high.
[+] [-] tptacek|15 years ago|reply
[+] [-] Vitaly|15 years ago|reply
Every time I see a web app supporting openid Im glad that I don't have to invent yet another user/password combo. again.
As to failing openid providers I have a good suggestion - use OpenId delegation to have a single openid that you can reroute to any openid provider you want. all it takes is a domain name and a very small file hosted on S3 (for example). Then you can switch providers at will.
[+] [-] cobbal|15 years ago|reply
The problem is most people don't bother doing this; they just trust every site with the same password. The benefit I see in OpenID is that it is not a secret, and canot be "compromised" (intentionally or not) in the same way as passwords.
(I also am one of the few, it seems, to use OpenID for my 37signals account)
[+] [-] lukev|15 years ago|reply
Unfortunately, for this to work, several things need to happen:
1) Users need to learn what a private key is.
2) Browsers need to provide flexible, intuitive, easy-to-use user key support that's not tucked away in 3 levels of dialogs/tabs.
3) We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)
[+] [-] eli|15 years ago|reply
[+] [-] tbrownaw|15 years ago|reply
Giving out your private keys like that (what, you actually trust an internet cafe computer?) is a rather bad idea. Instead have a service that your local client can authenticate to (with a normal password if you trust your client, or rsa keyfob, or application that makes your phone act like a keyfob), that acts vaguely like either ssh-agent (with the connection established in the opposite direction) or a kerberos KDC (which would let you not need to keep track of privkeys).
[+] [-] rapind|15 years ago|reply
Uses the site's domain as a salt though which isn't exactly secure if whoever hacks the database decides to ignore the low-hanging unencrypted fruit and crack your password. You can configure the encryption settings a bit though and add your own pre-salt kinda deal.
[+] [-] Duff|15 years ago|reply
StackOverflow demonstrates aptly that OpenID is a technology that can work really well. You just need to: - Funnel users to pervasive, competent providers like Google, Facebook, Verisign - Make the integration experience as smooth as possible.
If your implementation of OpenID requires users to enter URLs and encourages users to use random providers, than yes, it sucks.
[+] [-] brianpan|15 years ago|reply
Instead of managing 1 SO and 1 MetaSO login, I'm managing a connection from SO to one of many providers and MetaSO to one of many providers. Best case, that's 3 pages (SO, MetaSO and Yahoo) to manage logins to 2 sites.
[+] [-] unknown|15 years ago|reply
[deleted]
[+] [-] damoncali|15 years ago|reply
[+] [-] stonemetal|15 years ago|reply
[+] [-] ecaron|15 years ago|reply
[+] [-] dhh|15 years ago|reply
[+] [-] jasonjei|15 years ago|reply
[+] [-] blasdel|15 years ago|reply
But it's still a pile of redirects where the net result is that you can tie a user to their identifier and nothing more — it's mostly useless without implementing it paired with an LDAP/AD backend to get group membership and whatnot.
Just not storing a password field in your backend does nothing — you really have to get rid of the per-app account models entirely. WebFinger is a nice step along these lines, but it layers on top of OpenID and even then still doesn't provide the complete picture.
[+] [-] skomorokh|15 years ago|reply
Sounds great, Yahoo/Google/Facebook take your pick with a button or if you're hacker/paranoid enough to have your own infrastructure the slightly complexity of using a URL?
Main complaint seems to be it's URL and not user@host? Couldn't one just add support for user@host into the next iteration of the standard? Maybe using something like DNS SRV records that seem to work well enough for XMPP?
Decentralisation is important and more cultural than technical. We need to keep working for it and it's not a short term goal--if it happens over decades so be it, but we shouldn't give up ground where we don't have to, especially with things trending against at the moment.
[+] [-] maayank|15 years ago|reply
Maybe the execution was not crystal perfect, but I think all of us would have liked OpenID (or some other free and open standard) to succeed.
Open world 0 : Corporate overlords 1
[+] [-] wvenable|15 years ago|reply
The problem was the underlying concept is not sound and no amount of layer on more features was ever going to solve it. What we need now is to get the browser makers involved in a secure authentication system and start it first inside of smartphones.
[+] [-] Fice|15 years ago|reply
[+] [-] chris_atwood|15 years ago|reply
[+] [-] icarus_drowning|15 years ago|reply
I suspect that until things like a TondioPlug become useful for a lot of people, (if they ever do) asking people to be their own provider will be a lost cause.
[1]http://www.tonidoplug.com/tonido_plug.html
[+] [-] riobard|15 years ago|reply
[+] [-] cgart|15 years ago|reply
What is wrong in that a spammer could easily host its own OpenID server and log in with that account on numerous sites. You even can write scripts to do it automatically, so I didn't really get the idea of OpenID.
I think in the future we get OAuth as the winner. Yes, its main purpose is different, however "signing in" with OAuth is so much easier. Even a simple user can understand how it works. And by implicit use of only specific OAuth providers (where you registered your app), you close the door for "bot"-providers. Of course one can argue, that you can also force to use only specific OpenID providers, but this is not core idea of what OpenID was created for.
[+] [-] mgedmin|15 years ago|reply
Instead of using the same username + password combination for all the sites on the Internet (and suffering from Gawker-like incidents), or writing down a bazillion passwords in my keyring, I use my OpenID when I want to comment on random people's blogs or sites like StackOverflow.
[+] [-] didip|15 years ago|reply
Furthermore, when using OpenID, users have to remember yet another type of token. As opposed to the ubiquitous email+password.
[+] [-] Duff|15 years ago|reply
Who do you trust more to control who can use your identity? A gossip blog like Gawker Media? Or a place like Google, Verisign, etc who employs real security experts who know what they are doing.
I have a PayPal token so that I can use two-factor authorization for my account. Since Verisign PIP is powering that solution, I also now have a two-factor openid that I can use anywhere. So if I decide that I want to have additional protection for my StackOverflow or Tripit accounts -- I can.
[+] [-] psadauskas|15 years ago|reply
[1]: http://blog.theamazingrando.com/the-road-to-better-authoriza... [2]: http://news.ycombinator.com/item?id=2128966
[+] [-] antidaily|15 years ago|reply
[+] [-] epochwolf|15 years ago|reply
[+] [-] drdaeman|15 years ago|reply