Plusnet

Analysis of OpenID implementations

February 8th, 2008 at 13:20 by Tamlyn Rhodes

Update: Added review of VeriSign’s offering below.

As Kelly mentioned yesterday, I have spent a few hours looking at how other sites have implemented their OpenID interfaces. Yahoo!’s new service was my favourite because it explains everything and makes it very clear and simple. On the other hand it lacks some features that I think are essential.

Identity providers

Yahoo!

  • slickest design
  • fewest features (cannot ‘remember’ authenticated sites)
  • lots of useful explanatory text
  • login to the service with the standard Yahoo! login screen which benefits from anti-phishing protection
  • the default OpenID URI they give you is hideous (e.g. https://me.yahoo.com/a/cNS2XuhgzObzs5svX5owhplR09A_feaT) but you have the option to choose an alternative one such as a Flickr profile (e.g. http://flickr.com/photos/username)
  • supports only OpenID 2.0, not 1.1 - this means you can’t use it for any sites that have not yet been upgraded to OpenID 2 (most of them at present)

AOL

  • OpenID support is hidden away & difficult to access
  • has the option to ‘Remember this site’ but doesn’t seem to provide any mechanism to manage authenticated sites
  • supports OpenID 1.1

myOpenID

  • most feature-rich implementation
  • supports both OpenID 1.1 and 2.0
  • fairly simple to use but extra features inevitably add complexity to the interface

ClaimID

  • more than just OpenID, something like a digital life aggregator or lifestream
  • supports only OpenID 1.1
  • allows users to edit the details that will be sent for Simple Registration requests

Updated: VeriSign Personal Identity Provider

  • OpenID 1.1
  • more features & options than most users are likely to need (or understand)
  • some advanced features tying-in with VeriSign’s security features
  • very granular control of the personal information exposed to the relying party via Simple Registration


Relying parties (OpenID consumers)

Plaxo

  • supports OpenID 1.1 and 2.0
  • supports Simple Registration extension which makes signup a breeze

CNN Political Markets

  • nice login/signup screens
  • doesn’t work!

Ma.gnolia

  • on first use can create screen name or associate with existing account
  • can associate several OpenIDs with one Ma.gnolia account which seems a bit unnecessary

37Signals

  • must sign up for an account before being able to use OpenID
  • login screen remembers your choice of OpenID as preferred system

Mixx

  • tabbed login screen
  • prize for most amusing error message: “While we’re pretty sure that you exist, your OpenID provider says that you don’t. Will you try again, please?”
  • Didn’t work for me

OpenID module for Drupal

  • supports OpenID 2.0
  • login fails completely if Simple Registration is not supported

Creative Commons Wiki

  • simplest, no-nonsense system
  • supports Simple Registration
  • doesn’t ask to reconfirm registration details, upon returning to the site you are already registered & ready to go

Conclusions

Yahoo! has done an excellent job at making OpenID easier to understand for less techy folks. Plaxo has probably the best implementation of an OpenID consumer. VeriSign demonstrates the use of advanced security features as well as improved phishing detection using a browser extension.

Directed identity in OpenID 2.0 affords a much improved user experience. Instead of remembering an arbitrary URL such as me.yahoo.com/something, users need only remember the URL of the identity provider, in this case yahoo.com. Everything else happens behind the scenes. Few sites currently support OpenID 2.0 and there is no way of telling, at sign-in, which version of OpenID the relying party supports. This will undoubtedly create confusion, especially since OpenID 2.0 support does not guarantee OpenID 1.1 support. The recommended option is to support both versions.

Tamlyn
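The version mismatch described in the conclusions shows up at discovery time, in the Service Type URIs of the XRDS document a relying party fetches. The following is an added example, not part of the original post: it classifies those types and picks the protocol version to use; the sample documents, `op.example` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"  # XRD namespace used in Yadis/XRDS documents
# Service Type URIs from the OpenID 1.x, 2.0 and Simple Registration specs.
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"  # directed identity
SIGNON_2_0 = "http://specs.openid.net/auth/2.0/signon"
SIGNON_1_X = {"http://openid.net/signon/1.0", "http://openid.net/signon/1.1"}
SREG = {"http://openid.net/sreg/1.0", "http://openid.net/extensions/sreg/1.1"}
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def classify_xrds(xrds_text):
    """Report which OpenID versions and options an XRDS document advertises."""
    # Inputs here are constructed; parse fetched XRDS with a hardened XML parser.
    found = {"versions": set(), "directed_identity": False, "sreg": False}
    for service in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = {c.text.strip() for c in service if c.tag == XRD + "Type" and c.text}
        if OP_IDENTIFIER in types:
            found["directed_identity"] = True
        if types & {OP_IDENTIFIER, SIGNON_2_0}:
            found["versions"].add("2.0")
        if types & SIGNON_1_X:  # 1.0 and 1.1 endpoints are grouped as "1.1"
            found["versions"].add("1.1")
        found["sreg"] = found["sreg"] or bool(types & SREG)
    return found

def login_plan(rp_versions, xrds_text):
    """Pick the protocol version a relying party should use, newest first."""
    op = classify_xrds(xrds_text)
    common = sorted(set(rp_versions) & op["versions"], reverse=True)
    if not common:
        return {"ok": False, "reason": "no common OpenID version",
                "op_versions": sorted(op["versions"])}
    use_select = common[0] == "2.0" and op["directed_identity"]
    return {"ok": True, "version": common[0],
            # With directed identity the OP chooses the identifier to assert;
            # None means the user's own identifier URL is the claimed ID.
            "claimed_id": IDENTIFIER_SELECT if use_select else None,
            # Simple Registration is optional: its absence must not fail login.
            "request_sreg": op["sreg"]}

def make_xrds(*types):  # builds a constructed one-service XRDS sample
    body = "".join("<Type>%s</Type>" % t for t in types)
    return ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
            "<Service>%s<URI>https://op.example/endpoint</URI></Service>"
            "</XRD></xrds:XRDS>" % body)

OP_2_0_ONLY = make_xrds(OP_IDENTIFIER)               # a 2.0-only provider
USER_1_1 = make_xrds("http://openid.net/signon/1.1")  # a 1.1-only identity page

if __name__ == "__main__":
    for rp in ({"1.1"}, {"1.1", "2.0"}):
        print(sorted(rp), login_plan(rp, OP_2_0_ONLY), login_plan(rp, USER_1_1))
```

A relying party that supports only one version fails against one of the two sample documents, while one that supports both succeeds against each.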

This entry was posted by Tamlyn Rhodes on Friday, February 8th, 2008 at 1:20 pm in the category OpenID Guerrillas, PlusNet News, Web Development.


6 comments on "Analysis of OpenID implementations"

LiamM

Interesting that this appeared on the Beeb site today :-

http://news.bbc.co.uk/1/hi/technology/7234499.stm

Hi: As the technical director for the OpenID development here at Verisign I would be remiss if I did not ask you to check out our implementation.

Our Identity provider called the "PiP" is located at: https://pip.verisignlabs.com I would also encourage you to check out our Firefox extension called "SeatBelt" which can be located at: https://pip.verisignlabs.com/seatbelt.do

Thanks!

Kelly

Thanks Gary, we'll check that out!

LiamM

Hmmm, neither of those pages work for me, Gary.

Kelly

Remove the .'s from the end of the URLs ;)

Tamlyn

(fixed the URLs)

PiP is quite interesting. I was impressed by the granular control of the simple registration extension, i.e. you can choose exactly which details to expose to the Relying Party, but I missed having a "complete all fields" button. The ability to set a date on which your 'trust' for the Relying Party will expire (i.e. after which you will need to re-authorise it) seems a bit unnecessary. It may also give the false impression that your account at the site of the Relying party will be terminated after that date or that they will no longer have access to your information.

There appear to be lots of other features to tie in with VeriSign's identity services but I haven't had a chance to check them out yet.
