Analysis of OpenID implementations
February 8th, 2008 at 13:20 by Tamlyn
Update: Added review of VeriSign’s offering below.
As Kelly mentioned yesterday, I have spent a few hours looking at how other sites have implemented their OpenID interfaces. Yahoo!’s new service was my favourite because it explains everything and makes it very clear and simple. On the other hand it lacks some features that I think are essential.
Identity providers
- slickest design
- least features (cannot ‘remember’ authenticated sites)
- lots of useful explanatory text
- login to the service with the standard Yahoo! login screen which benefits from anti-phishing protection
- the default OpenID URI they give you is hideous (e.g. https://me.yahoo.com/a/cNS2XuhgzObzs5svX5owhplR09A_feaT) but you have the option to choose an alternative one such as a Flickr profile (e.g. http://flickr.com/photos/username)
- supports only OpenID 2.0, not 1.1 - this means you can’t use it for any sites that have not yet been upgraded to OpenID 2 (most of them at present)
- OpenID support is hidden away & difficult to access
- has the option to ‘Remember this site’ but doesn’t seem to provide any mechanism to manage authenticated sites
- supports OpenID 1.1
- most feature-rich implementation
- supports both OpenID 1.1 and 2.0
- fairly simple to use but extra features inevitably add complexity to the interface
- more than just OpenID, something like a digital life aggregator or lifestream
- supports only OpenID 1.1
- allows users to edit the details that will be sent for Simple Registration requests
Updated: VeriSign Personal Identity Provider
- OpenID 1.1
- more features & options that most users are likely to need (or understand)
- some advanced features tying-in with VeriSign’s security features
- very granular control of the personal information exposed to the relying party via Simple Registration
Relying parties (OpenID consumers)
- supports OpenID 1.1 and 2.0
- supports Simple Registration extension which makes signup a breeze
- nice login/signup screens
- doesn’t work!
- on first use can create screen name or associate with existing account
- can associate several OpenIDs with one Ma.gnolia account which seems a bit unnecessary
- must sign up for an account before being able to use OpenID
- login screen remembers your choice of OpenID as preferred system
- tabbed login screen
- prize for most amusing error message: “While we’re pretty sure that you exist, your OpenID provider says that you don’t. Will you try again, please?”
- Didn’t work for me
OpenID module for Drupal
- supports OpenID 2.0
- login fails completely if Simple Registration is not supported
- simplest, no-nonsense system
- supports Simple Registration
- doesn’t ask to reconfirm registration details, upon returning to the site you are already registered & ready to go
Conclusions
Yahoo! has done an excellent job at making OpenID easier to understand for less techy folks. Plaxo has probably the best implementation of an OpenID consumer. VeriSign demonstrates the use of advanced security features as well as improved phishing detection using a browser extension.
Directed identity in OpenID 2.0 affords a much improved user experience. Instead of remembering an arbitrary URL such as me.yahoo.com/something, users need only remember the URL of the identity provider, in the case yahoo.com. Everything else happens behind the scenes. Few sites currently support OpenID 2.0 and there is no way of tellin, at sign-in, which version of OpenID the relying party supports. This will undoubtedly create confusion especially since OpenID 2.0 support does not guarantee OpenID 1.1 support. The recommended option is to support both versions.
This entry was posted by Tamlyn on Friday, February 8th, 2008 at 1:20 pm and is tagged with communitysite, comparison, interface, OpenID, openid2, Usability and is posted in the category OpenID Guerrillas, PlusNet News, Web Development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
6 comments on "Analysis of OpenID implementations"
Interesting that this appeared on the Beeb site today :-
Hi: As the technical director for the OpenID development here at Verisign I would be remiss if I did not ask you to check out our implementation.
Our Identity provider called the “PiP” is located at: https://pip.verisignlabs.com I would also encourage you to check out or Firefox extension called “SeatBelt” which can be located at: https://pip.verisignlabs.com/seatbelt.do
Thanks!
Thanks Gary, we’ll check that out!
Hmmm, neither of those pages work for me, Gary.
Remove the .’s from the end of the URLs 
(fixed the URLs)
PiP is quite interesting. I was impressed by the granular control of the simple registration extension, i.e. you can choose exactly which details to expose to the Relying Party, but I missed having a “complete all fields” button. The ability to set a date on which your ‘trust’ for the Relying Party will expire (i.e. after which you will need to re-authorise it) seems a bit unnecessary. It may also give the false impression that your account at the site of the Relying party will be terminated after that date or that they will no longer have access to your information.
There appear to be lots of other features to tie in with VeriSign’s identity services but I haven’t had a chance to check them out yet.
Add a Comment
Forums
Users online: 102
- Total Topics: 65539
- Total Posts: 527876
- Total Members: 8850
