Peter Nixey’s fantastic write-up of his experience launching Clickpass at SxSW reads like an edge-of-your-seat, action-thriller-adventure!
…
11:25am: As I shut my Mac and go to do the screencast I happen to glance at TechCrunch. We’re on. Top story. It’s an incredible review — everything we could have hoped for. Fantastic, except that we didn’t expect this for another two hours and the site’s still behind a password!
11:25am 10s: I call San Francisco: “Immad, we’re live, TechCrunch just published the story — let’s push!”
11:25am and 30s: <ping> Aral Balkan twitters that he can’t see the site — how do people find these things out so quickly?!
11:26am: Immad, as fast as ever, IM’s to say that everything’s live. Clickpass is go.
11:37am: An email arrives kindly offering to sell me Clickpass.cn. Un. Believable. I start buying other countries.
…
Clickpass has just launched a new OpenID offering which aims to make single sign-in easy enough for the masses. It takes a rather different approach to OpenID than other sites I have tried. The first obvious difference is that sites must, in addition to supporting OpenID, add a special Clickpass button to their sign-in screen. Behind the scenes it also generates a new, unique OpenID URL for each site you use. This is an interesting extra layer of privacy as it makes you completely unidentifiable to the relying party (i.e. the website you are signing in to). I gave it a whirl with Plaxo but was shocked to find that upon clicking the Clickpass button I was taken to a page on clickpass.com which asked me for my Plaxo username and password!
Carsten Pötter has a more in-depth post on this bizarre behaviour of Clickpass. He ends with this thought:
There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.
A comment on that post from Clickpass boss Peter Nixey goes some way to explaining why they chose to do it that way:
We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server - they are submitted directly to the relying party but nonetheless it would be better not to ask for them at all.
It’s true that the form goes direct to the server of the relying party (it is used to send them the randomly generated OpenID URL) but how is anyone to know that? Half the point of OpenID is avoiding sharing passwords between sites. Most users probably wouldn’t think twice about entering their private login details into a third-party site (especially when presented as part of a login process) but that is exactly the kind of blind trust that we, as conscientious web developers, should be educating against.
Ultimately though I think Clickpass’s biggest problem will be getting sites to implement their special button. There are few enough sites that accept standard OpenIDs.