Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?
But now, Microsoft has decided to increase the number of relying parties by 50%. To three.
So who was the lucky relying party who made it through the door? Portland-based JanRain’s myOpenID.
A number of folks—me among them—are surprised it’s taken Microsoft this long to add another relying party. And it seems like the list is still missing a few other obvious and highly secure choices.
But myOpenID is a great place to start:
JanRain’s myOpenID service, the first and most popular independent OpenID service on the Internet, provides consumers with a free, fully featured, reliable, and secure solution for managing their personal online identity. Every myOpenID user receives several choices for secure authentication beyond password. These enhanced security options include: Microsoft InfoCard, Client Certificate, or Phone-based two factor authentication.
See? Smiling and nodding indeed. But at least it keeps a consistent theme to the week. That theme being “Great panel, but what is Rick doing up there?”
Sound interesting? I hear that there are still a couple of seats left. So if you’d like to attend, swing by the Silicon Forest Forum site to register. And if you’re going to be there, please make sure to grab me and introduce yourself.
Portland-based JanRain, arguably the leading developer for OpenID solutions, is on a roll. It seems like they just released ID Selector, and now they’ve come forward with another OpenID solution: CallVerifID.
CallVerifID allows OpenID users who log in with an *.myopenid.com identity to take an extra security precaution with their login: getting a phone call.
And here’s the best part: it’s on any phone. Well, okay, any phone with buttons.
Instantly receive a call when signing into myOpenID. Simply answer and press # to authenticate. No certificates or text messages. Use any phone.
My point was: it’s not SMS messaging. It’s an actual phone call.
I even tried it with Skype and it worked flawlessly.
Since I’m always one to try to shoehorn an analogy into any situation, I’d say that CallVerifID is akin to your credit card company calling you when a strange charge request is made. It’s simply an added precaution to ensure that your credentials are being used by you, and only you.
So, why the added precaution? Do I really want to get called every time I post a blog comment?
No, of course not. But as OpenID begins to take hold, and more and more personal and business applications become available, this type of multi-factor authentication is going to become necessary. Because, at some point, there’s going to be some fairly sensitive information and access rights tied to that OpenID. Banking, travel, and shopping just to name a few.
JanRain’s solution is quite simple and elegant. And it’s easy to adopt, no matter what your technical expertise. I, for one, think this is a step in the right direction.
This week, Portland-based JanRain will be unveiling their latest contribution to the OpenID community: a compelling means of simplifying OpenID logins for the everyday user called ID Selector. With ID Selector, JanRain has managed to reduce the complexity—and, well, geekiness—of the OpenID login process in the same way that products like AddThis have simplified the social-media-submission process.
Long story short, the ID Selector reduces your OpenID login to clicking an icon and providing a username. It’s a shrewd move, given that every OpenID provider has a standard structure for its URLs, a structure that allows JanRain to reduce the amount of user input to a traditional “username.”
JanRain has always done a great deal of the heavy lifting when it comes to working on OpenID and being open with the libraries they’ve developed. So they understand how to work for the greater good when implementing OpenID solutions.
Their take on the OpenID ID Selector is no different. It allows the folks who implement it to customize the providers that show and the order in which they are listed—even if that means JanRain’s MyOpenID doesn’t make the list.
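A sketch of the username-to-identifier mapping described above, written as an added example and not JanRain’s ID Selector code. The provider templates, the `PROVIDERS` list and the `buildIdentifier` name are illustrative assumptions; the point is that the typed “username” must be validated so the resulting identifier cannot leave the chosen provider’s domain.

```javascript
// Added example. Provider URL templates below are assumptions for illustration.
// The site chooses which providers appear and in what order (array order).
const PROVIDERS = [
  { id: "myopenid", label: "myOpenID", domain: "myopenid.com",
    template: "https://{username}.myopenid.com/", position: "host" },
  { id: "aol", label: "AOL", domain: "openid.aol.com",
    template: "http://openid.aol.com/{username}", position: "path" },
  { id: "blogger", label: "Blogger", domain: "blogspot.com",
    template: "http://{username}.blogspot.com/", position: "host" },
];

// A username placed in the host must be one DNS label; a username placed in
// the path must not contain characters that alter the path, query or fragment.
const HOST_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
const PATH_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

function buildIdentifier(providers, providerId, username) {
  const provider = providers.find((p) => p.id === providerId);
  if (!provider) throw new Error("unknown provider: " + providerId);

  const name = String(username).trim();
  const pattern = provider.position === "host" ? HOST_LABEL : PATH_SEGMENT;
  if (!pattern.test(name)) {
    throw new Error("invalid username for " + provider.label);
  }

  // URL parsing normalises the host (lower-case) and exposes its parts.
  const candidate = new URL(provider.template.replace("{username}", name));

  // Defence in depth: the identifier must still sit on the provider's domain.
  const host = candidate.hostname;
  if (host !== provider.domain && !host.endsWith("." + provider.domain)) {
    throw new Error("identifier escaped provider domain: " + host);
  }
  return candidate.href;
}

// A site may drop or reorder providers; anything not listed is refused.
const SITE_LIST = PROVIDERS.filter((p) => p.id !== "myopenid");
```

The relying party still performs normal OpenID discovery and verification on the returned URL; this step only constrains what the shortcut can produce.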
This is yet another step forward for OpenID and its burgeoning user base. And, truly, one of the first ways I’ve seen that highlights to everyday Web users—millions of people who use services like AOL, Yahoo!, and Blogger—that they already have live OpenIDs which they could be using to manage services.
Major sites, like portals, could still do a much better job pushing the OpenID concept. That would be good for them, not just because it’d make OpenID more accessible to users, but because there’s a lot of brand affinity that sites can win by having users authenticate against their sites even when they’re using some other company’s service. Think of OpenID branding as the affinity credit card of the Web: Every time a user logs on to a service they’d get the authenticator’s brand popped up in front of them — just like Harley-Davidson does when its Visa affinity card users make purchases.
JanRain, not surprisingly, gets this, and will provide a complete white-label OpenID technology infrastructure for companies or brands that want to become authenticators. So if you want to log on to Web sites with an ID from your alma mater or local Rotary club, JanRain will make that possible.
From my side, I am starting to believe that we don’t need to market the term ‘OpenID’ to consumers. No one cares about the technology, they only want to log in to their favorite service using their AOL or Google id. It’s like TCP/IP, no one cares how it works, just that our email shows up in the inbox and Twitter loads when we want to tell our friends we just saw Britney at CVS.
Clearly, we’re not out of the geek forest yet. But JanRain is making significant strides to see that we’re on our way.
The problem, though, is that the Big Four Internet companies that I mentioned above have made big press announcements about their support for OpenID, but haven’t done enough to actually implement it. Microsoft has done absolutely nothing, even though Bill Gates announced their support over a year ago. Google has limited its support to Blogger, where it is both an Issuing and Relying party. Yahoo and AOL are Issuing parties only.
This is a tenuous position at best. For as much ground as we can cover from a grassroots perspective, it’s going to be exceedingly difficult to get anyone—beyond early adopters—to take on OpenID without the support of some of these bigger entities.
Without the bigs, there is no OpenID tipping point.
But the funny thing—not funny “ha ha,” but funny “sad”—is that all of these gigantic companies are struggling with one very similar issue that would be partially—if not completely—solved by an effective implementation of OpenID: bringing acquisitions under a common login credential.
Yahoo! throws its acquirees’ respective user bases into turmoil every time it asks them to move over to a Yahoo! ID. Google takes years in its struggles to get everyone on the Google credential system. Microsoft and AOL are no different.
To me, it seems obvious that OpenID could solve this issue, now and for the foreseeable future. And I can’t be the only one seeing that.
As hard as it may be for them to accept it, the bigs need to move away from their proprietary credentialing structures. They need to embrace concepts like OpenID and OAuth for what they can do to solve their problems, today.
In short, they need to let go and let OpenID.
For now, the jury is still out on when and how the big company momentum will fall behind OpenID in terms of something more than spin and lip service. But let’s hope that day is soon approaching. For all of our sakes.
I can tell you one thing: from a grassroots level, Portland is sure to be leading the charge. And we’re not going to be slowing our OpenID fandom anytime soon.