An Open Life
Lately I’ve been getting real excited about OpenID. It’s not a new thing, and it’s not a new concept, but at this point I’m convinced that it does everything right, and that it’s hit the point where it will become totally mainstream within the next few years. Also, let me preface this by saying this is not a techy-only post; it is relevant to anybody who’s ever created a username and password.

OpenID lets you have one user account that you can use anywhere [that supports OpenID]. And if you have an AIM or Flickr account, you already have one. If you don’t, you can get one somewhere else, like myOpenID. This is because OpenID isn’t a service, but a protocol, not tied to any one organization. If you have one, then logging in to a site that supports OpenID means entering only your OpenID. In other words, no password. As long as you are logged in to your OpenID-providing account, it’ll log you right in. If you’re not logged in to your OpenID-providing account, then you’ll be redirected there to sign in, then redirected back right where you left off when you’re done.
This is awesome.
Having no password is awesome enough, but there’s a subtler benefit, not widely used now, that I predict will eventually become the most widely known fact about OpenID and will profoundly impact the Web. You may have a favorite username, but there’s no guarantee to you, or anyone else, that you’re the person behind that username everywhere. There’s a chance someone else may have it on any given site, no matter how original it is. With OpenID, since your name is a URL, no one else will have it. This means that any place you sign up at with your OpenID knows what your OpenID will be at any other place. Right now, 37signals’ Basecamp, Highrise, and Backpack all take advantage of this. If you log into your Basecamp account with your OpenID, you are also logged in to any Highrise, Backpack, or other Basecamp accounts that you have, and can switch seamlessly between them.

Your URL doesn’t have to be long or weird, like “bob.myopenid.com”, or “flickr.com/photos/david”. If you have your own domain name, use it! My OpenID is this website, “mill-industries.com”. If you View Source on this page, you’ll see a couple of <link> tags near the top of the code that turn klondike.myopenid.com into mill-industries.com. It’s that easy.
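The delegation described above can be checked mechanically. The following is an added example, not code from the original post: it reads the OpenID `<link>` tags from a page's `<head>` the way a relying site does during HTML discovery, and reports any tag that differs from what the domain owner expects, since whoever can change those tags controls where the identity points. The sample page, the `provider.example` endpoint and the function names are constructed for illustration; the `openid2.*` rel values come from OpenID 2.0 and are not mentioned in the post.

```python
from html.parser import HTMLParser

# rel values used by OpenID 1.1 and OpenID 2.0 HTML-based discovery
OPENID_RELS = {"openid.server", "openid.delegate",
               "openid2.provider", "openid2.local_id"}

# Constructed sample page; the provider endpoint is a placeholder.
SAMPLE = """<html><head>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="http://klondike.myopenid.com/">
</head><body>
<link rel="openid.delegate" href="http://someone-else.example/">
</body></html>"""
EXPECTED = {"openid.server": "https://provider.example/server",
            "openid.delegate": "http://klondike.myopenid.com/"}

class DelegationParser(HTMLParser):
    """Collect OpenID <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may hold several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def read_delegation(html):
    """Return {rel: href} for the OpenID tags found in <head>."""
    parser = DelegationParser()
    parser.feed(html)
    return parser.found

def audit_delegation(html, expected):
    """Return (rel, expected_href, found_href) for every mismatch."""
    found = read_delegation(html)
    return [(rel, expected.get(rel), found.get(rel))
            for rel in sorted(set(found) | set(expected))
            if found.get(rel) != expected.get(rel)]
```

An empty list from `audit_delegation` means the page still delegates where the owner intended; the `<link>` placed in the sample's `<body>` is ignored because discovery only honours tags in `<head>`.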
Now let’s look into the future and pretend that a lot of services you use all support OpenID, and you’re using one. Gmail could let you instantly post a photo attachment to your Flickr account, because when you log into Gmail, you are also logged in to Flickr, to Blogger, to eBay, to Wikipedia, and whatever else you’re using OpenID with (in the future). This might sound horribly insecure to anyone thinking about XSS attacks, but I don’t think it presents a new situation for the security community to deal with. People are logged into multiple services at once all the time; this just increases the chances and scope of that situation.

But one serious concern you may have about OpenID is: doesn’t this mean that if someone finds out my OpenID password, they’ve gained access to every site I use with my OpenID? That’s true, and this is something OpenID and the public should think about very seriously. But the fact of life right now is that most people use 1 or 2 passwords for everything anyway. I bet you don’t have more than 3, unless you use a password manager program or browser plugin, in which case you have a master password for that. I grant you that this is not “good password practice”, but it is how people work. Instead of futilely yelling at people to create unique, random-seeming passwords for every system they use, which is not going to happen, let’s embrace and support human nature.
It’s my opinion that OpenID is going to succeed. It’s already doing very well: providers include Yahoo, Flickr (through Yahoo), Verisign, AIM, and a lot more. Sites which let you use OpenID to log in include LiveJournal, Blogger, and 37signals’ products (Basecamp, Highrise, Backpack). Microsoft has expressed its support for OpenID and is beginning to support it in its products. Most promisingly, Google, Microsoft, IBM, Yahoo, and Verisign have all joined the OpenID Foundation’s board of directors.
If you don’t have an OpenID, go over to myOpenID and get one. Then, well, you probably won’t use it much…for now. But you will have a glorious place in the future.
A glorious place in the future… That is your current presidential campaign slogan… for a race… in the future. :)
Thanks for the info. I get it much better now. I think it won’t be long till everyone’s using this.
MB
Jul 7, 10:15pm