Getting OpenID Into the Browser

Google Chrome did a smart thing: Less. They unified the search box and address bar, since that’s what people do anyway. That gives us back precious pixels for the only thing that’s as important to an average web user as where they’re going: Who they are. Identity belongs in the browser. Don’t just believe me, just this week ReadWriteWeb talks about The End of Online Anonymity and TechCrunch on how Facebook Connect is the Biggest Battle Yet For Social Networks: You, Your Identity And Your Data On The Open Web.

As Web 2.0 took root, the ability to login to a site, store preferences and build a profile became ubiquitous. Beyond reading news or blogs, it’s fairly rare that you’re on a site where you’re either not logged in or don’t have the ability to login. The downside is that just about every site requires you to create a new account and have cookies to keep you logged in. Thus when your cookie disappears, you have to login again. Maybe your browser’s password manager eases this pain, but there are plenty of people that would be in a world of hurt if their browser every forgot all of their passwords (or they use a friend’s computer).

If we remove passwords from the equation and instead use OpenID, there’s the notion that upon visiting an OpenID enabled site (now numbering more than 25,000 across the web) you’ll most likely submit a form telling that site about your OpenID. I might go to MapQuest and login by typing in my OpenID “http://www.davidrecordon.com/” or Ma.gnolia and clicking a “Sign up with a Yahoo! ID” button. These interactions, with various tweaks around them, are very much the status quo today. If OpenID wishes to see true mainstream adoption, this will need to change.


Imagine if your web browser really knew who you were on the web. Just as you login to your computer, what if when you fired up your browser, it said “Hello Dave” and asked you to “unlock it” as well (Chris Messina was quite influential in my thinking about it this way). In doing so you become securely logged into your OpenID provider (or maybe more than one of them) and as you move around the web your browser takes care of automatically logging you into the sites that you want to be, asking you about others, and helping you register with new ones using your OpenID. Argue as much as you want about the details in making this happen, but I think it’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.

There are a lot of proposals around how current OpenID interactions will change – a great summit on OpenID usability was held a little over a month ago – and whether it be more one-click buttons, less buttons, bigger logos, or email addresses I think it’s also worth looking at what it will take to really get the browser involved. This certainly isn’t a new idea, every major browser has the ability to remember passwords and FireFox even has those pesky user profiles so that people could theoretically have different cookies, bookmarks and other settings.

In the internet identity space this isn’t a new idea either. Information Cards (more widely known by Microsoft’s CardSpace implementation in Windows) have credit card like rich desktop integration built using WS-* and SAML. Dick Hardt’s team up in Canada has built Sxipper for FireFox which helps with both OpenID and normal web forms as well. When I was working for VeriSign, we developed the OpenID Seatbelt which is also a FireFox extension designed to make OpenID easier and prevent phishing by detecting OpenID enabled sites and your provider.


Today, MySpace, Flock and Vidoop released a prototype of their implementation toward this vision with OpenID for Flock. All three of these browser plugins help you manage your OpenIDs, detect when you’re on an OpenID enabled site, and then make it easier to sign in. To me, what Sxipper aspires to enable feels the most useful for a mainstream user.

OpenID for Flock is an add-on that polishes previous attempts of putting OpenID into a browser. While the user experience and graphics are quite a bit better than what I helped build at VeriSign, it’s lacking the features that help prevent phishing (making sure you’re actually logging into your OpenID provider versus a phishing site that looks like it) which is a bit surprising given Vidoop’s involvement. That said, OpenID for Flock is Open Source as part of a project dubbed IDentity in the Browser (IDIB) which the same cannot be said for either Sxipper or VeriSign’s OpenID Seatbelt. Given that IDIB is Open Source and already written as a Flock add-on, I’d certainly expect to see it ported to FireFox and there be far more community support of it compared to the other add-ons.

So where do we go from here? I don’t know how to write great browser plugins so just doing it is out. It’s great to see Flock’s direct involvement in this Open Source effort as it shows browser vendors innovating and experimenting with how their own products must evolve to support identity. Maybe this will cause the other browser vendors to think seriously about what they too could be doing in future versions to help make identity management easer and more secure on the web.

In my mind, Gears can help us get there. While it started as a project by Google to evolve web browsers faster and add needed features like offline support, it’s grown beyond that with offline support now coming in HTML 5 and a new Geolocation API. Today Gears runs on half a dozen different browser/platform combinations including FireFox, Internet Explorer, Safari, Chrome and Android. If there was ever a developer platform to build an Open Source cross browser implementation of what OpenID support might look like, Gears seems like the place to do it. Not only does this mean that we’ll need to write less code to have it work in multiple browsers, but ideally if it became mature enough maybe the Gears team would choose to ship OpenID support as well? All of a sudden, the community could be down from a handful of browser plugins to one leading Open Source example.

What do you think? Do you agree that identity is becoming as essential to a browser as location? Should we content ourselves for issues like security to be relegated to a few dozen-pixel lock icon, or have Big-Red-Phishing-Warnings set a standard that important issues deserve significant real estate? Really though, should the browser become more actively involved in how you use the web on a daily basis?

tags: ,