Where should the OpenID Foundation go in 2011?

    In December of 2008, I ran for and was elected to a two-year term as a community representative on the board of the OpenID Foundation. That two-year term expires this month. By the end of the day today (November 29, 2010), I must decide whether I want to run for another term in the forthcoming board election, and if so, be nominated as a candidate and seconded by three other OpenID board members.

    This post outlines my current thinking about what's happened with OpenID over the past two years, touches on what's next, and ends with consideration about whether I should offer myself as a candidate for the 2011 board.


    To begin with, I think OpenID is in a good position today. Not great — but good. Is it in a better position now than when I joined the board in 2008? In some respects, it is. In many others — particularly ones that I care about — perhaps not. When I think about where OpenID should go in 2011 and 2012, I think back to the original aspirations that I had in 2008 and think about how few of them were achieved. It really makes me wonder whether there's enough soul left in the dwindling community to make things happen — especially the right things.

    The thing that I regret the most about my last two years on the board is how internalized and secretive the workings of the OpenID Foundation have become. I take partial blame for that — insomuch as I served as the secretary on the executive committee — but I also think that the timbre of the individuals changed since I started my involvement in the community. It's become more corporate. And the result was more backdoor politicking and much less consultation or coordination with the community. I mean, you can visibly see the change in the activity on the OpenID general mailing list, which ironically saw the height of participation (as measured in kilobytes) around the 2008 election:

    This has to do with our shift towards — as Executive Director Don Thibeau puts it — "The Mother of All Use Cases" — that is, the use of OpenID by the United States federal government. By switching our focus from more immediate consumer-facing applications of OpenID, we dropped the thread on use cases that offer the most universal appeal to smaller businesses and individuals — the very folks who had begun to invest in and benefit from the convenience that OpenID promised. And so, during the six to eight months that we spent on launching the Open Identity Exchange with the Information Card Foundation (a valuable contribution created before its time, natch) OAuth-based technologies (Facebook and Twitter Connect specifically) entered the marketplace and seized much of the momentum that OpenID had built up.

    As a result, most of the successful consumer-facing identity solutions today (including those from Facebook, Twitter, LinkedIn, and Foursquare) rely on OAuth rather than the OpenID protocol. As these examples are likely the ones that consumers are most likely to become acquainted with over the next several years (especially in mobile contexts), it will be OAuth — rather than OpenID — that developers will seek out for identity-related applications. And this makes all the difference in the world.

    Why?

    Simple: OAuth is destined to exist as a simple enabling technology — a part of the plumbing that no one ever sees, but that everyone benefits from. OpenID, in contrast, is a brand masquerading as a technology. If the OpenID board focused on building the OpenID brand — using whatever underlying technology the market demanded — it could encapsulate so much more, from freedom to choice to usability and, yes, security. But that's not what the board — 2010's board — has focused on.

    By underinvesting in the foundation's primary asset (the power of its brand!), the foundation risks obsolescence or — worse still — irrelevance.

    But OpenID still means something to me (it's just a matter of convincing more people to buy into that vision).

    I see OpenID as enabling personal choice. I see OpenID as key to promoting freedom on the web. I see OpenID making it easier for people to connect and engage with friends and brands across the web. And I see it enhancing web security by reducing the number of credentials that any one person needs to manage and maintain. If we could just communicate those messages consistently and thoroughly to the marketplace — and make good on those promises — OpenID would be in a great position in 2011 (and beyond).

    Indeed, when I announced my candidacy for the board in 2008, my top three issues were:

    • establishing OpenID as a strong consumer brand
    • improving the user experience and ease-of-use of OpenID
    • enhancing the value of adopting OpenID for individuals, businesses, and organizations

    Not for lack of trying, but as an organization we've failed at all three of them.

    The market, meanwhile, validated the value of federated identity, improved the usability of single sign-on and federated login (with a single button that removes choice from the equation altogether), and delivered value to brands as diverse as Lady Gaga and Sears. Yes, some of these results can be attributed to the foundation, but certainly not all of them. And it may well be that most of them would have happened without the foundation at all.

    ...which bears directly on contemplating what comes next. After all, if we consider where we've found success previously (in ways that are unique to the foundation) where should we double down? While we deserve credit for convening a series of productive summits — how else do we quantify the impact of the last two years, especially in light of the opportunity that we had in front of us?

    I mean, think: if you could influence the future of online identity — the key driver of the next generation of social technologies — what would you do? Where would you begin? And what would you do next?

    This is the opportunity and the questions that dangle in the face of the board of the OpenID Foundation and that need to be directly addressed in 2011.

    If it were up to me, I'd argue that browsers and devices need to be altered to accommodate internet-based "connected" identities. To that end, I spent three months last year working with Mozilla to develop some designs for how that might look. And I've since socialized those concepts at Google and elsewhere. And now I'm working with Eric Sachs and others at Google to design what may become the next iteration of Google's sign-in UI (not a trivial task!) to support OpenID functionality. I've also been heavily involved in conceptualizing, branding, and socializing OpenID Connect (the next generation of OpenID built upon OAuth). And I've been an ardent defender and advocate for OpenID for the last three years. But maybe it's time for me to focus on shipping product, and on helping to turn Google into the best identity provider there is — relying on standards where they exist, and innovating on them where they don't. Maybe it's still early and maybe there's still a chance for OpenID Connect — or *Connect? — to grow legs without the help of a dedicated (albeit semi-dysfunctional) foundation?

    The good news is that people are starting to come around to the need for a technology like OpenID. But with that realization comes the bitterness of encountering how today's OpenID falls short. And it is those shortcomings that need to be addressed in 2011.

    I'm just not at all confident that the OpenID Foundation is the right vehicle to bring those changes about when I feel like I can have a greater impact in how Google approaches (and rolls out solutions for) internet identity — without having to spend time helping maintain a foundation that seems to have gone astray.