Nathan Bell recently argued that OpenID is too obtrusive for users and, while I agree, I don’t think this is the primary obstacle that OpenID faces. Before I go further, a disclaimer: I am not a techie and will therefore approach this as an MBA (boo, hiss).

Huh? What’s OpenID? OpenID is basically a single login (think username and password, though these are not the only ones) that works across a variety of sites. Unlike other previous attempts to standardize logins, OpenID does not rely on a single central server beholden to a single firm. Instead, it is a decentralized network allowing users to choose from several different identity providers. Further basic information can be found here, courtesy of Wikipedia (though I am sure many techies could nitpick the details on this description.)

What did Nathan Bell suggest? Bell suggests integrating the login as a browser utility. When visiting an OpenID-enabled site, the browser would ask you to confirm that you want to use your OpenID identity. Bell also notes that you would probably need to login to your identity provider once per session.

Sounds good… What’s wrong? While making OpenID easier to use is certainly a laudable goal, the real obstacle facing OpenID is the lack of perceived market need. Having gone through the stress and jumped through the hoops to get my own OpenID identity, I think it is a very useful tool. However, I believe the average internet user does not perceive a need for this tool

OpenID supporters tend to tout two major selling points for OpenID:

1. Decentralized providers (you choose which one you trust most).
2. Single login for many sites.

The average internet user, inasmuch as such a person exists, does not care about the ethical arguments regarding a centralized identity provider versus a decentralized one. They are busy people (as are we all) and simply want a solution to remove the irritation caused by trying to remember all the different usernames and passwords he or she uses.

Many of these users have found such a solution; Mac OSX’s Keychain utility and/or the built-in password memory on many browsers. From a security standpoint, these are less than ideal. Keychain-type solutions pool your collection of passwords on a single computer but are not easily shareable across your desktop, laptop, work computer, library terminal, etc. Browser password memory functions are dangerous because they allow anyone using your computer to log into your sites. Finally, both of these solutions store passwords locally (usually considered a security no-no.)

So what do you suggest? I believe that in order to grow the OpenID userbase, OpenID providers need to offer a seamless product with a coordinated message that appeals to potential users.  In other words, show them something that can be explained in a single phrase that immediately improves their lives.  For example:

1. Add a keychain function that stores passwords for all their sites (not just OpenID enabled ones).  This plugin should store the passwords in a protected file with their OpenID provider.
2. Allow users to access this keychain from any computer they use via their OpenID identity.
3. “One login to rule them all” or, less ominously, “Login once. Use everywhere.”

This avoids the problems associated with network externalities.  It provides users an immediate gain rather than one that really only takes effect once OpenID is supported by the corporate internet.  The corporations aren’t going to replace their proprietary login systems with OpenID for a number of reasons.  So bypass them and let them keep their systems; OpenID shouldn’t play the same us-or-the-highway game as the corporate giants (Google, Yahoo, MSN, etc.).  Instead, make logins easier for the users because, at the end of the day, they’ll decide who wins.

And Bell’s idea? Use it as the first step. It makes sense to incorporate the login into a browser utility or plugin.  But it should go further; have that plugin collect (by asking, of course) username/password combinations for non-OpenID sites and store them with the identity provider.

I think the winning combination will be a two-way browser plugin that confirms the user identity once per session then collects and distributes the necessary identity credentials to each site, regardless of whether they are OpenID-enabled or not.