OpenID - the Webmaster's tale

OpenID seems to be the single sign-in method that is taking the web world by storm, because it allows users to have one user name and one password for all the websites they visit. But what's the advantage from the website owner's point of view?



If you run any sort of website then the chances are that you want users to sign in. Superficially the reason for signing in to anything is to provide security - but of course this isn't the main reason why website owners ask users to sign in. They simply want a point of contact that can be used as part of traffic building. If I have a user's email address as part of the sign-in then I can send them a newsletter and other marketing material. As long as you get them to tick a box you can even use the address list to generate revenue by selling it to third parties.

Of course these are the very reasons that users really don't want to give a valid email address - they perceive any attempt to get their identity as reprehensible and spamming. The fact that they have just had useful, and perhaps enjoyable, material presented for free doesn't seem to redress the balance at all. Hence website publishers are very familiar with a range of interesting email addresses including aaaa@xxxx.yyy and so on. Users will even go to the trouble of registering temporary email addresses that work for a few minutes just to avoid getting your useful emails in the future.

Even the user enthusiastic to receive your newsletters and other info can be put off registering because it generally means another user name and another password. Also, most sites don't do a good job of making their registration page easy to use. The user has to guess if their user name has already been taken and invent something like "john1265a", not to mention typing the password correctly twice and getting their email address correct. If you also include a CAPTCHA then they have to guess what the over-distorted letters are, and then after registering they have to respond to the email you send them to activate their account.

When they return to your site do you think they will remember "john1265a" and the password they thought up? No, of course not. But remember that if your main aim was to get their email address, the lack of a return visit may not be of much worry to you. However, the whole thing is messy and doesn't reflect well on the site concerned.

Now compare this to working with OpenID. The user simply has to sign up once with an OpenID provider, establish a password and an identity, and from this point on they can log in to any website that supports OpenID. There are a lot of these and they are growing in number and importance every day.

If you add OpenID to your website, which is fairly easy using the standard libraries, a user no longer has to register with you to access premium content. They no longer have to invent a unique user name and password for your site and it's all so quick and easy. There are some minor disadvantages - in particular the user is directed away to the OpenID provider site to log in and then back to yours - but most users get used to this relatively quickly and you can always arrange that once they have logged in they stay logged in on that machine.

But there is a bigger problem. Remember the reason why we need the user to sign in? It's not always for security reasons - it's all about the email address, stupid! If you can't get the email address, and perhaps even other personal data, then there is little point in restricting access to premium content and the need to get users to log on vanishes.

This is where the OpenID method gets a little murky. In most cases allowing a site access to your OpenID identity also means that the site can have your email address. Notice that this is most likely going to be a real email address and not something made up on the spot. In principle the user can decline to share their email address, but currently most OpenID providers either don't make this available or just fail to make it obvious.

The user can always deny you the email address when signing on to the site, but then they don't get access to the site unless you allow them to. The whole thing gets even more interesting when you realise that some OpenID providers are collecting even more data than just an email - name, date of birth, location, gender and so on. And as long as the user doesn't block it these too will be available on request to a site that they are signing up to.
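What such a request and its answer look like on the wire, as an added example that is not part of the original article: it assumes the provider supports the OpenID Simple Registration (SREG) extension under the alias `sreg`, and that the signature in `openid.sig` has already been verified elsewhere. The function names and the `op.example` / `rp.example` URLs are hypothetical. The site asks for the email as optional and then keeps only attributes the provider actually signed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"

def build_auth_request(op_endpoint, claimed_id, return_to, realm,
                       required=(), optional=("email",), policy_url=None):
    """Build the checkid_setup redirect URL with an SREG attribute request."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.sreg": SREG_NS,
    }
    if required:   # attributes the site says it cannot work without
        params["openid.sreg.required"] = ",".join(required)
    if optional:   # attributes the user may share or withhold
        params["openid.sreg.optional"] = ",".join(optional)
    if policy_url:  # where the site explains what it does with the data
        params["openid.sreg.policy_url"] = policy_url
    return op_endpoint + "?" + urlencode(params)

def signed_sreg_fields(return_url):
    """Return only the SREG values named in openid.signed.
    Assumes openid.sig was verified before this is called."""
    q = dict(parse_qsl(urlsplit(return_url).query))
    if q.get("openid.mode") != "id_res":
        return {}
    signed = set(q.get("openid.signed", "").split(","))
    prefix = "openid.sreg."
    return {k[len(prefix):]: v for k, v in q.items()
            if k.startswith(prefix) and k[len("openid."):] in signed}

# Constructed return_to URLs (not real traffic). The first carries a signed
# email plus an unsigned fullname; in the second the user shared nothing.
SAMPLE_SHARED = (
    "https://rp.example/return?openid.mode=id_res"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,sreg.email"
    "&openid.sreg.email=alice%40example.org&openid.sreg.fullname=Mallory")
SAMPLE_DECLINED = (
    "https://rp.example/return?openid.mode=id_res"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to")
```

Moving `email` into `required` only changes what the provider tells the user; the user can still refuse, so the site has to handle an empty result either way.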

Put simply, OpenID is a golden opportunity to collect real email addresses, and perhaps even more, from users when they log in to the site. As long as no-one is silly enough to point out that OpenID has these properties then it could all turn out for the best for the user and the web publisher...


Last Updated ( Thursday, 11 February 2010 )