Thursday, February 4, 2010

OpenID User Experience Summit at Sears

We're excited to be participating in the third OpenID User Experience Summit being co-hosted by Sears and the OpenID Foundation later this month at Sears' headquarters in Chicago. As you may recall there have been OpenID UX summits at Yahoo and Facebook in the past, but this is the first event in the Midwest and hosted by a major retailer.

You can read more about the event on the OpenID wiki.

We're especially excited that there will be nearly 50 participants in this event from organizations including:

Sears, Universal Music Group, NPR, PBS, Fox News, Tribune, Kodak, Meredith, MTV, AARP, OpenTable, Scout24/Deutsche Telekom, Whitepages.com, Republican National Committee, TwitterFeed, Yahoo, Google, Microsoft, PayPal, Facebook, MySpace, JanRain, WetPaint, Pluck, Viewpoints, Rainbow Media, NRI, Verisign, ExactTarget, Kantara ULX WG, Echo & Data Portability Project, and others.

As with prior events, the topics being discussed were determined by the participants, so we hope this will prove to be an interesting and informative session. Here's a summary of what will be covered:
  • Update from major Identity Providers on OpenID plans for 2010: Joseph Smarr (Google), Allen Tom (Yahoo), Monica Keller (MySpace), Andrew Nash (PayPal), Angus Logan (Microsoft), David Recordon (Facebook). Tentative: George Fletcher (AOL), Nico Popp (Verisign)
  • How to drive adoption & usage of OpenID and the resulting business & end user benefits: Brian Ellin (JanRain) - lessons learned over the past three years implementing OpenID
  • Input from Website Operators on how UX should evolve and goals behind those suggested enhancements: Rob Harles (Sears) & Daniel Jacobson (NPR) will facilitate a discussion and generate feedback from participating RPs to the OpenID Foundation and OPs.
  • User experience flows for "OpenID Connect," lessons learned from Facebook – David Recordon (Facebook)
  • OpenID best practices including account recovery/reset, attaching multiple identifiers, mobile authentication, using WebFinger, etc. – Allen Tom (Yahoo)
  • Data Management: update on SREG, AX, OAuth, WRAP, Portable Contacts, and Activity Streams – Joseph Smarr (formerly CTO of Plaxo, now at Google)
  • Update from participating Website Operators on OpenID plans for 2010 – All RPs present who want to share some future thoughts and plans
We look forward to the feedback and insights from this event, and will be providing our summary of the takeaway messages on this blog, so please stay tuned...

Tuesday, February 2, 2010

LinkedIn Added to RPX

We are excited to announce today that LinkedIn has been added as a supported identity provider in RPX. You can check out LinkUp for an example site that has added LinkedIn as a sign in option. LinkUp is a fast-growing job search engine that easily configured its sign in widget to support LinkedIn:



LinkedIn has an active member base of over 50 million business professionals, and further integration with their platform is on the way for RPX. In the coming weeks, users on your website will be able to import their LinkedIn contacts, and publish their activities from your site to their LinkedIn status.

Here are a few other recent feature updates to RPX:
  • Updated Sign in Widget - We have updated the look and feel, as well as the functionality of the RPX widget. In addition, the sign in experience now occurs in a friendly pop-up browser window for all 17 identity providers supported by RPX.
  • Facebook Email Support - Facebook now allows users to approve sending their email address to your website during authentication. This feature can be easily enabled from within the dashboard of your RPX application.
  • New Dashboard and Setup Guide - The RPX dashboard and setup guide have been redesigned to display more information in an improved format. A simpler wizard flow has been designed to make it easier to configure your widget and select identity providers.
  • Downloadable Reports - For RPX Pro customers, we now offer the ability to download sign in analytics in a .csv file. If RPX is deployed on multiple domains, customers can also see which of those domains has had the most sign in activity. The reports are accessible from within the Analytics tab of the RPX dashboard.

Friday, January 29, 2010

NY Times Article on Passwords - Further Thoughts

Following up on my earlier post, here are some other thoughts to consider.

In addition to making login as easy as a single click, UMID can simplify the process of setting up an online account on a new website. This process is generally referred to as "registration." When you register on a website, you typically provide a name, email address, and maybe some of the following - nickname, gender, age, zip code, preferred language, time zone, etc. These "demographic" data elements allow the website operator to serve you better since they know a bit more about you.

As a registered user you can "personalize" your experiences on the website by setting preferences, saving activities, customizing the look and feel of the site, etc. It also then allows you to interact with the website operator and other people on the site via social functions like blogs, wikis, discussion groups, surveys, etc.

But here's the rub: you have to re-enter a bunch of redundant information about yourself (name, email address, gender, age, language, zip code, etc.) on every website, which is tedious, error prone, and time consuming. So what if that same IDP (Google, Yahoo, AOL, Facebook, etc.) would let you, with your explicit permission, share that data with each website so you didn't have to re-enter it at each new site? Well, they can; it's all part of the UMID service. And in some specific cases you might even want to share some pictures, a list of friends, your address book, your music/TV/news interests and preferences. That's possible as well, but always and only with your explicit permission.

And the great thing is you can have all these benefits while at the same time reducing the risks of having someone hack your password, because you're only sharing your password with your IDP, who is in the business of, among other things, protecting that ID. Companies like Yahoo, Google, Microsoft, AOL, PayPal, etc. are using sophisticated technology and procedures like the ones banks are using to prevent credit card fraud.

That's not to say that every website isn't doing the best that they can to protect your account. They are, but they don't all have nearly the infrastructure that the major IDPs have, and you're not sharing your password across hundreds, if not thousands of websites. For example, if you use your daughter's middle name as your password on fifty websites, if someone figures it out on a local car dealer or newspaper's website, they'll then likely try that same password or something close to it on other websites that they think you might use. So your password is only as safe as the "weakest link" in the websites that you use.

And the problem is only getting worse. More companies, entertainment websites, non-profit organizations, government agencies, etc. are recognizing that the web is often both the most effective and inexpensive way to serve their customers/members/users. Individuals, especially in the younger generations, are also demanding faster, more comprehensive services 7X24 that can be best delivered via the internet. And in order to serve you better, each one of these sites is going to want you to register and login. So if nothing changes, you're going to end up with more usernames and passwords, not fewer, as time progresses. This approach just doesn't "scale" as they say in software development. Consumers need a better way to traverse the "authenticated web." Companies have already figured this out with SSO solutions for their employees on their intranets, so it seems logical that this should be happening on the open internet as well.

So now is the time to become familiar with UMID. Try it on some websites when you see it as an option. And if you become a fan, request it from the websites that you use. As more websites begin to deploy UMID options, and as more internet users demand it, we'll achieve the momentum necessary to make this a standard part of everyone's web experience.

Thursday, January 28, 2010

NY Times Article on Managing Passwords - Implications for User Managed Identity (UMID)

Last week, the NY Times published an article entitled "If Your Password Is 123456, Just Make It HackMe." There were a number of great points in the article, and in the follow-on posts by readers.
  • One out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data
  • That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
  • Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks? Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age. “Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council.
This article drew over 140 comments from all over the world before the NY Times closed the article to comments within just several hours. The most popular responses gave suggestions on how to make your password management more intuitive and secure.

There were some great suggestions for how people can manage site specific passwords, but the bigger question is why should you need to have a unique username and password for every website that you visit? Most corporations have deployed an approach called single sign-on (SSO) to eliminate this problem for their employees. Once you login to your corporate intranet, you can instantly access sales, marketing, supply chain logistics, accounting, payroll, benefits, travel, 401K services, and a host of disparate web-based services via your corporate SSO identity - no unique usernames and passwords for each service.

Wouldn't that be a great solution for people trying to access all their services on the web? Do you really need to have a separate username and password for your newspapers, magazines, phone company, utilities, airlines, college alumni websites, cable operators, hardware and software vendors, federal/state/local government agencies, car dealers, hotels, insurance companies, online retailers, etc.?

If you only had one or a few identities, it would be much easier and more practical to implement some of the article's recommendations like picking a complex password or resetting it periodically. And what if someone was managing that password for you by proactively monitoring it to assure that it wasn't being misused - using sophisticated technology and procedures like banks are using to prevent credit card fraud. Then imagine that you only have to login with that trusted password management service and your logins on all the websites you use are managed for you by one trusted partner. As a result, your password is never shared with other websites nor distributed across the web. Imagine being able to show up at the websites you use and just click on a button to login. No user name or password to remember for all those websites.

Well that solution is available today on over 9 million websites. The leading solution is based on an open source technology called OpenID which is being supported by Google, Yahoo, AOL, Microsoft, PayPal, IBM, Verisign, France Telecom, Telecom Italia, MySpace, Facebook, NEC, Mixi, and many others. There are also other vendor specific solutions by Microsoft, Twitter, and Facebook that provide similar functionality. The combination of these technologies is generally referred to as "user managed identity" (UMID). The general approach is that individuals create and manage their online identities by choosing one or more "identity providers" (IDP) like Google, Yahoo, Microsoft, PayPal, or Facebook to serve as their trusted agent for registering and logging into websites. You can read an earlier post summarizing recent developments in OpenID and UMID here.

So now is the time to become familiar with UMID. Try it on some websites when you see it as an option. And if you become a fan, request it from the other websites that you use. As more websites begin to deploy UMID options, and as more internet users demand it, we'll achieve the momentum necessary to make this a standard part of everyone's web experience.

See further comments here.

Tuesday, January 26, 2010

Data on Industry Trends in Social Media Platforms

We recently analyzed data from the second half of 2009 and identified several consistent trends within the social media space. The data reveals differences in user behavior regarding their preferred identity providers for signing in to websites that accept login with third party accounts, in this case through an implementation of JanRain's RPX solution.

Among users signing in to the 173,000+ websites currently using RPX, the breakdown of preferred identity providers is as follows:


We also analyzed data on sign in preferences for a sampling of major US media companies. It's important to note that not all media companies sampled chose to enable each identity provider. Thus, the following is a snapshot of the popularity of each provider only when that particular provider is enabled as a sign in choice.

We found that Facebook and Yahoo! are the two most popular identity providers in this vertical:



What accounts for the preference of users to sign in to media websites with Facebook or Yahoo! identities? Many web users visit news and media websites with the intention of sharing content with their friends. If one reads an interesting article or watches a video on a media site, they may be compelled to share that content with their friends, family or colleagues. Since both Facebook and Yahoo! allow users to publish content or activity from a website back to their friends and contacts on each network, it is not surprising that these providers are more popular on media websites.

Our analysis also includes an examination of technology platforms (comprising customer feedback/support tools as well as white-label social network/community platforms) to see which identity providers are most popular. While Facebook is the most popular choice (at 41%), Google is a strong second, and not surprisingly, Twitter proves that it is a more prevalent sign in option on technology websites. Again, this data provides a snapshot of user preferences only when a particular provider has been enabled by the website as a sign in choice:


It's also important to note that user preferences vary by geography, demographics and over time as certain identity providers gain popularity and add features and capabilities. For example, six months ago, Twitter hardly registered but now accounts for up to 25% of sign ins on some websites. For some websites in east Asia, greater than 60% of logins are via Yahoo!.

At JanRain, we strongly believe that organizations derive the most benefit by providing their users with choice, and this data reinforces the point that organizations can better engage with users by supporting a range of identity providers for authentication.

Wednesday, December 30, 2009

OpenID Foundation Board Update - Expanded Representation

The voting results are in and the OpenID Foundation announced its 2010 Board today. In addition to a strong group of returning members, we're glad to see four new members who will bring tremendous value and new perspectives.
  • Marc Frons, CTO of the New York Times
  • Daniel Jacobson, Director of Application Development at NPR
  • John Bradley, who has been focused on government adoption of OpenID
  • Dick Hardt, well known Open Identity innovator and entrepreneur
It is an exciting step in the Foundation’s evolution to have the voices of major website operators joining the conversation.

Returning to previously held positions are Brian Kissel, CEO of JanRain; Allen Tom, Principal Software Architect at Yahoo!; and Joseph Smarr, former CTO of Plaxo and soon to be leading Google’s company-wide focus on the social web.

LexisNexis has also joined the board as a new sustaining corporate member and will be represented by Dermot O’Mahony, the Senior Director of Marketing Planning and Strategy at LexisNexis.

It’s shaping up to be a year full of tremendous potential. Some priorities for the coming year include:
  • Driving adoption and usage by website operators and end users through improvements in user experience, deployability, data management, and identity provider certification programs
  • Encouraging and supporting offerings by more identity providers including Facebook, Microsoft, PayPal, and AOL migration to OpenID 2.0
  • Expanding into new application areas including government and commerce with enhancements to OpenID including identity provider certification and the Contract Exchange extension.
  • Getting even broader representation on the OIDF board. As more corporate members join, we have the potential to add Robert Harles from Sears (commerce), Jonathan Coffman from PBS (broadcasting) and Bjorn Woltermann from Scout24/Deutsche Telekom (online media, international).
We at JanRain look forward to continuing our work with the OpenID Foundation and look forward to your continued input and feedback. Best wishes for a great new year in 2010.

Thursday, December 17, 2009

2009 OpenID Year in Review

This has been a great year for OpenID, and 2010 looks to be even more promising. I recently posted a summary of the accomplishments at the OpenID Foundation website here. A few key excerpts from that posting:

There are over 1 billion OpenID enabled accounts from the following identity providers worldwide:
  • US: AOL, Blogger, Flickr, Google, LiveJournal, MySpace, Verisign, WordPress, and Yahoo!.
  • Europe: France Telecom, GMX/Web.de, Hyves, Netlog, and Telecom Italia.
  • Japan: Livedoor, Mixi, NEC Biglobe, Rakuten, and Yahoo! Japan.
There are over 9 million websites utilizing OpenID for registration and login on some portion of their websites across a wide range of organizations including Sears, Kmart, Universal Music Group (200+ Interscope, Geffen, A&M labels and artists), FoxNews, EMI Music, TwitterFeed, RedPlum, Savings.com, DC Shoes, CitySearch, Zappos, Nike, Microsoft, Mint, Nokia, Random House, Sony BMG, Café Press, TweetDeck, ViewPoints, Qype, Scout24 (Deutsche Telekom), Avro, Associated Northcliffe Digital, Smart.fm, Hokkaido Television Broadcasting, OnGen, 2-han.net, Nikko Hotels, ClipCast, Facebook, etc.

Microsoft, NTT Docomo, PBS, and PayPal have also announced plans to OpenID-enable their users adding hundreds of millions of additional OpenID enabled accounts.

Several organizations are using OpenID internally for federated ID management: Amazon, Japan Airlines International, National 4-H, SAP, Sun Microsystems, and PBS.

The US federal government has announced its intention to deploy OpenID on federal websites. During two separate meetings with Vivek Kundra, the Federal CIO, he explained that a major priority for the federal government is transparency and “citizen engagement.” Accordingly, the government is aggressively pursuing open standard technologies that enable and support these objectives. At the Gov 2.0 Summit in Washington DC, the General Services Administration and several government agencies announced their plans to adopt OpenID as part of the White House’s Open Government Initiative. This announcement followed several months of research and discussion between the OpenID Foundation, OIDF member companies, the GSA, NIST, OMB, the InfoCard Foundation, and various government agencies.

The Identity, Credential, and Access Management (ICAM) committee of the GSA published its Identity Scheme Adoption Process, Trust Framework Provider Adoption Process, and OpenID 2.0 Government Profile documents over the last several months. Initial identity providers include Yahoo, Google, AOL, Verisign, and PayPal who are undergoing certification processes defined in the TFPAP. The first wave of federal websites to accept these identity providers will include the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and related agencies.

Shibboleth, an identity management system used by thousands of research institutions, has announced that Shibboleth V2.X will integrate OpenID support. The U.S. deployment of Shibboleth, InCommon, is a community of more than 4 million researchers, students, staff, and faculty across more than 180 institutions. The OpenID Foundation worked closely with InCommon/Shibboleth in developing trust frameworks for the US Government OpenID deployment. This is another example of how the OpenID Foundation and members are collaborating with a number of identity initiatives.

Even the FCC has gotten into the act and is asking for input on how OpenID can accelerate the use and benefits of more broadly available high speed bandwidth access. You can see our response to the FCC request for comment here. The FCC specifically asked:

"What impact do developments in identity management, such as OpenID, have with respect to broadband deployment, adoption, and use?"

"OpenID is potentially well suited to facilitate and accelerate the utilization and citizen benefits of broadband deployment. As lower cost broadband services reach a higher percentage of our population, government and private sector service providers will increasingly leverage this channel to offer richer, more personalized, and more cost effective offerings to their citizens and customers, respectively.

However, in order to provide the best services, citizens and customers will need to authenticate themselves for many applications to set preferences, to customize their experiences, and for more interactive transactions. As more organizations drive to engage their stakeholders through the internet, and as consumers respond by utilizing faster, better, and cheaper services over the internet, the scalability of username/password authentication will become a constraint. This is exactly the use case that OpenID was designed to address - more scalable, convenient, and secure authentication across the open internet."

In addition to the progress that has been made in OpenID, user managed identity and social publishing in a broader context has also made significant progress.
  • Microsoft, Facebook, and Twitter are also providing identity services for over 700 million users. While they are not currently OpenID-enabled services, they are publicly documented services that we've integrated into RPX, bringing over 1.7 billion identity accounts to the registration and login processes for our clients. LinkedIn has announced that they will also be providing identity services that we also plan to integrate into RPX.
  • Additionally, we've seen tremendous interest in our Social Publishing functionality that allows users to share their activities (blogs, surveys, reviews, purchases, downloads, views/listens, etc.) with their friends on the social networks including Facebook, Yahoo, Twitter, and MySpace. You can see a demo of how this works here.
And based on input and feedback from our customers, we've got an exciting pipeline of new capabilities coming in 2010. So thanks to everyone who has been following us, providing input, and using our services. We're excited about the tremendous market momentum around user managed identity and social publishing, and look forward to providing even greater solutions for our customers in the coming months.

____

Brian Kissel
CEO, JanRain




