Getting OpenID Into the Browser

Google Chrome did a smart thing: Less. They unified the search box and address bar, since that’s what people do anyway. That gives us back precious pixels for the only thing that’s as important to an average web user as where they’re going: Who they are. Identity belongs in the browser. Don’t just take my word for it: just this week ReadWriteWeb wrote about The End of Online Anonymity, and TechCrunch covered how Facebook Connect is the Biggest Battle Yet For Social Networks: You, Your Identity And Your Data On The Open Web.

As Web 2.0 took root, the ability to login to a site, store preferences and build a profile became ubiquitous. Beyond reading news or blogs, it’s fairly rare that you’re on a site where you’re either not logged in or don’t have the ability to login. The downside is that just about every site requires you to create a new account and have cookies to keep you logged in. Thus when your cookie disappears, you have to login again. Maybe your browser’s password manager eases this pain, but there are plenty of people that would be in a world of hurt if their browser ever forgot all of their passwords (or they use a friend’s computer).

If we remove passwords from the equation and instead use OpenID, there’s the notion that upon visiting an OpenID enabled site (now numbering more than 25,000 across the web) you’ll most likely submit a form telling that site about your OpenID. I might go to MapQuest and login by typing in my OpenID “http://www.davidrecordon.com/” or Ma.gnolia and clicking a “Sign up with a Yahoo! ID” button. These interactions, with various tweaks around them, are very much the status quo today. If OpenID wishes to see true mainstream adoption, this will need to change.


Imagine if your web browser really knew who you were on the web. Just as you login to your computer, what if when you fired up your browser, it said “Hello Dave” and asked you to “unlock it” as well (Chris Messina was quite influential in my thinking about it this way). In doing so you become securely logged into your OpenID provider (or maybe more than one of them) and as you move around the web your browser takes care of automatically logging you into the sites that you want to be, asking you about others, and helping you register with new ones using your OpenID. Argue as much as you want about the details in making this happen, but I think it’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.

There are a lot of proposals around how current OpenID interactions will change – a great summit on OpenID usability was held a little over a month ago – and whether it be more one-click buttons, fewer buttons, bigger logos, or email addresses, I think it’s also worth looking at what it will take to really get the browser involved. This certainly isn’t a new idea: every major browser has the ability to remember passwords, and Firefox even has those pesky user profiles so that people could theoretically have different cookies, bookmarks and other settings.

In the internet identity space this isn’t a new idea either. Information Cards (more widely known by Microsoft’s CardSpace implementation in Windows) have credit-card-like rich desktop integration built using WS-* and SAML. Dick Hardt’s team up in Canada has built Sxipper for Firefox, which helps with both OpenID and normal web forms as well. When I was working for VeriSign, we developed the OpenID Seatbelt, which is also a Firefox extension designed to make OpenID easier and prevent phishing by detecting OpenID enabled sites and your provider.


Today, MySpace, Flock and Vidoop released a prototype of their implementation toward this vision with OpenID for Flock. All three of these browser plugins help you manage your OpenIDs, detect when you’re on an OpenID enabled site, and then make it easier to sign in. To me, what Sxipper aspires to enable feels the most useful for a mainstream user.

OpenID for Flock is an add-on that polishes previous attempts at putting OpenID into a browser. While the user experience and graphics are quite a bit better than what I helped build at VeriSign, it’s lacking the features that help prevent phishing (making sure you’re actually logging into your OpenID provider versus a phishing site that looks like it), which is a bit surprising given Vidoop’s involvement. That said, OpenID for Flock is Open Source as part of a project dubbed IDentity in the Browser (IDIB), which cannot be said for either Sxipper or VeriSign’s OpenID Seatbelt. Given that IDIB is Open Source and already written as a Flock add-on, I’d certainly expect to see it ported to Firefox and to attract far more community support than the other add-ons.
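
The anti-phishing check described above (confirming that the page asking for your credentials really is your OpenID provider) can be sketched as follows. This is an added example, not code from Seatbelt, Sxipper or IDIB; the function names, the `.example`/`.test` hostnames and the idea of a single provider endpoint registered in the browser are assumptions.

```javascript
// Added example. Hostnames, function names and the "registered provider"
// setting are assumptions, not taken from Seatbelt, Sxipper or IDIB.

// Build a constructed OpenID 2.0 authentication request URL for the samples.
function buildAuthRequest(endpoint, returnTo) {
  const url = new URL(endpoint);
  url.searchParams.set("openid.ns", "http://specs.openid.net/auth/2.0");
  url.searchParams.set("openid.mode", "checkid_setup");
  url.searchParams.set("openid.return_to", returnTo);
  return url.href;
}

// Decide whether the page a relying party (RP) sends the user to may ask for
// credentials. rpOrigin is the site where the user started the OpenID login,
// targetHref is where the RP redirected, registeredEndpoint is the provider
// the user configured in the browser.
function checkProviderNavigation(rpOrigin, targetHref, registeredEndpoint) {
  let target, registered;
  try {
    target = new URL(targetHref);
    registered = new URL(registeredEndpoint);
  } catch (err) {
    return { allow: false, reason: "unparseable URL" };
  }
  // Credentials must never be typed into a page served without TLS.
  if (target.protocol !== "https:") {
    return { allow: false, reason: "provider page is not HTTPS" };
  }
  // origin covers scheme, host and port after URL normalisation, so lookalike
  // hosts and "user@host" tricks fail here instead of passing a substring match.
  if (target.origin !== registered.origin) {
    return { allow: false, reason: "origin is not the registered provider" };
  }
  // If the request names a return address, the assertion must go back to the
  // site the user actually started from.
  const returnTo = target.searchParams.get("openid.return_to");
  if (returnTo !== null) {
    let back;
    try {
      back = new URL(returnTo);
    } catch (err) {
      return { allow: false, reason: "unparseable openid.return_to" };
    }
    if (back.origin !== rpOrigin) {
      return { allow: false, reason: "openid.return_to points at another site" };
    }
  }
  return { allow: true, reason: "registered provider" };
}

// Constructed sample navigations (not captured traffic).
const REGISTERED = "https://op.example/auth";
const RP = "https://rp.example";
const SAMPLES = {
  legitimate: buildAuthRequest("https://op.example:443/auth", RP + "/finish"),
  lookalikeHost: buildAuthRequest("https://op.example.login.test/auth", RP + "/finish"),
  userinfoTrick: "https://op.example@login.test/auth?openid.mode=checkid_setup",
  httpDowngrade: buildAuthRequest("http://op.example/auth", RP + "/finish"),
  foreignReturnTo: buildAuthRequest(REGISTERED, "https://other.test/finish"),
};

// Run every sample through the check and collect the verdicts by name.
function runSamples() {
  const out = {};
  for (const [name, href] of Object.entries(SAMPLES)) {
    out[name] = checkProviderNavigation(RP, href, REGISTERED);
  }
  return out;
}

console.log(runSamples());
```

Comparing parsed origins rather than matching on the visible URL text is what keeps a host such as `op.example.login.test` from passing as the provider.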

So where do we go from here? I don’t know how to write great browser plugins so just doing it is out. It’s great to see Flock’s direct involvement in this Open Source effort as it shows browser vendors innovating and experimenting with how their own products must evolve to support identity. Maybe this will cause the other browser vendors to think seriously about what they too could be doing in future versions to help make identity management easier and more secure on the web.

In my mind, Gears can help us get there. While it started as a project by Google to evolve web browsers faster and add needed features like offline support, it’s grown beyond that with offline support now coming in HTML 5 and a new Geolocation API. Today Gears runs on half a dozen different browser/platform combinations including Firefox, Internet Explorer, Safari, Chrome and Android. If there was ever a developer platform to build an Open Source cross browser implementation of what OpenID support might look like, Gears seems like the place to do it. Not only does this mean that we’ll need to write less code to have it work in multiple browsers, but ideally if it became mature enough maybe the Gears team would choose to ship OpenID support as well? All of a sudden, the community could be down from a handful of browser plugins to one leading Open Source example.

What do you think? Do you agree that identity is becoming as essential to a browser as location? Should we be content for issues like security to be relegated to a lock icon a few dozen pixels in size, or have Big-Red-Phishing-Warnings set a standard that important issues deserve significant real estate? Really though, should the browser become more actively involved in how you use the web on a daily basis?

  • Christopher Dale

    Totally agree, great article and great find!

  • ggw_bach

    the ultimate solution? assign everyone in the world with the equivalent of a Social Security Number. A unique identifier for logging into the net and confirming your identity.

    it could be initiated at the ISP level.

  • http://www.niallkennedy.com/ Niall Kennedy

    “Today Gears runs on half a dozen different browser/platform combinations with support seeming to be on the way for Chrome and Android”

    Gears shipped with both Chrome and Android. Fire up your G1, navigate to NiallKennedy.com, and you’ll see the Gears permission dialog.

  • http://www.david David Recordon

    Thanks Niall, I’ve edited the post!

  • http://tieguy.org/ luis

    The problem w/ gears for auth is that it is web-based. If you want an auth system that isn’t phishable, it has to look/feel like a distinct, native-only application, and not like a web-page/web-popup. (The various IdentityCard plugins do this; they bear playing with to see how this is done.)

    Gears, being pretty much a pure web tech (primarily about caching and manipulation of js/html), can’t provide that, at least not at the moment. I suppose you could make it part of the gears plugin, but I can’t see how it makes more sense to put it in gears than in any other popular browser plugin that has a ‘native’ component, like, say, flash.

    (I love gears, don’t get me wrong, but using it to solve this problem seems like a ‘I have a hammer so every problem is a nail’ situation.)

  • http://www.davidrecordon.com/ David Recordon

    @Luis, agreed that this must look like (and really be) part of the browser. Part of the phishing discussion is if you’re using passwords (or other shared secrets) to authenticate versus something which is either much harder or impossible to phish from a user.

    I lean toward Gears because it can create new chrome within the browser itself. For example, it drops an authorization screen from the top of a window when local storage is requested. Additionally, it already works across browsers so should be easier than writing individual add-ons for each browser.

    I’m much less familiar with using Flash to alter the browser’s chrome.

  • http://xri.net/=drummond.reed Drummond Reed

    +1 to IDIB. XRD(S) discovery can be essential to making this work. See Paul Trevithick’s post at http://www.incontextblog.com/?p=90 and mine at http://www.equalsdrummond.name/?p=172 for more on this.

    Let’s make it happen.

    =Drummond

  • Dylan Lee

    Great article and concept. Can’t wait for it. Forgive my multiple-negative confusion, but is this sentence conveying the opposite to what is intended?

    “it’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing”

  • http://www.davidrecordon.com/ David Recordon

    @Dylan, it’s a double negative, but I did have to think twice about it.

  • bowerbird

    i’m sure big brother loves all of these developments.

    -bowerbird

  • http://guyleech.net Guy Leech

    No no, I think Dylan has a point:

    “It’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.”

    You’ve got three negatives in there (one at the end), which messes up the meaning. An easier to understand equivalent is:

    “It’s easy to agree that making it easier for people to manage and use their identity (or identities) online is a bad thing.”

    Grammar aside, I’m entirely for anything that can make managing identities and logging in / out of sites easier. However, I’m not sure I see a massive difference between remembering one URL (OpenID), and having the browser remember one URL. It doesn’t strike me as a massive difference, though it would save a little time.

  • zz_armadillo@hotmail.com

    I use a bunch of identities online. Some for communicating with parties I trust, some are for those (companies) that don’t need any real data on me. I take effort to keep these identities apart.

    Frankly, if you don’t you’re not just a danger to yourself but also to the rest of us.

  • Grammar Nazi

    @Guy Leech

    !hard == easy
    !disagree == agree

    “It’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a bad thing.” == “It’s easy to agree that making it easier for people to manage and use their identity (or identities) online is a bad thing.”

    Both sentences are wrong.

    “It’s hard to disagree that making it easier for people to manage and use their identity (or identities) online is a GOOD thing” is the intended meaning.

  • Jason White

    Or “it’s HARD to AGREE that…BAD thing”

    Anyway – this concept of bringing ID/OpenID into browser is key/necessary/inevitable. One of the missing pieces that no one is talking about is a white list of trustworthy sites that the browser can rely on to determine whether users’ info can/should be shared.

    Jason White

  • http://interactivemedias.blogspot.com Minneapolis Blogger desaraev

    It will be nice when we only have to remember one id and one password for all our online needs, and be able to change it when necessary. That will be the day.

  • http://hughisaacs2.googlepages.com Hugh Isaacs II

    I agree with this and have thought about this just on a different subject (on enabling OpenID within desktop applications and having the application call another app for authentication) but the only issue is security.

    Only because something like this is very vulnerable not to phishing attacks but to malware and virus attacks, imagine getting an OpenID centered virus on your computer that hijacks your account, changes the password and then proceeds to send/post spam on every site you’ve accessed (and maybe even log into some new ones), it would be hell to clean this up.

    But I guess there’s a lot of ways to fix this (I already have one idea).

  • http://scott.blomqui.st Scott Blomquist

    @David, we definitely would have included all of the Seatbelt functionality in this alpha release if Seatbelt source was made available to the community. As it was (“Copyright VeriSign Inc., All Rights Reserved.”), we decided to prioritize producing a UI model to discuss above replicating effort already put forth by others.

  • bignose

    @zz_armadillo

    > I use a bunch of identities online. Some for communicating with parties I trust, some are for those (companies) that don’t need any real data on me. I take effort to keep these identities apart.

    So do I, which is why I love OpenID. I am free to use exactly as many identities online as I wish, and am not forced to create more identities than I want.

  • http://www.crypt.co.za/ Twylite

    OpenID is broken. It is not secure, it never has been secure, and even if DNS is fixed OpenID will still be broken. Read http://www.idcorner.org/?p=161 .

    Rather than using OpenID, keep your list of usernames and passwords on your web site. It’s easier to use, and no less secure than OpenID. Better yet, just use the same username & password everywhere – still no less secure than OpenID.

    OpenID specifically solves the problem of a common identity across multiple sites. It does not solve the problem of common authentication (with or without common identity), because it is insecure.

  • http://www.ticketpoint.de Flüge

    Great post. Well, I think most people know now that they aren’t anonymously clicking through the www, but there’s certainly a big group that just don’t care about it. On the other hand I have to agree totally with luis. As long as it is web-based there’s no security at all, just a matter of time to be hacked.

  • http://www.davidrecordon.com/ David Recordon

    @Twylite I’m sorry, but while there certainly are some valid security criticisms of OpenID, I believe that post you’re linking to is primarily FUD. More on my blog at http://daveman692.livejournal.com/310578.html and Dave Kearns at http://vquill.com/2007/08/brands-as-medicine-man.html.

  • http://www.FloatingBones.com FloatingBones

    I’d be a much bigger fan of things like OpenID if they offered a challenge/response option for verifying my ID for the session.

    (As an aside, I’d be far happier with the credit card industry if they offered a challenge/response option for approving transactions.)

  • http://rodrigolj.wordpress.com Rodrigo Jaroszewski

    You know what would really make me feel more comfortable with OpenID. If I could actually tell all my other OpenIDs that they’re owned by the same guy! At this moment I must have tons of OpenIDs, but I still have to remember which one I used in what place before I can log in to it.

    If I missed the way to solve this issue, I’d like to know.

  • http://commented.org Hans Granqvist

    Dave, I think you’re bringing up some valid points here. The browser should be our trust point when we navigate the web. Your Seatbelt extension was a good first step.

    However, I find the process of logging into website so… archaic. Going to a web site, select credentials, log in, go to next, log in, rinse and repeat. It gets tedious.

    This repetition can easily be handled by the browser continuously authenticating you to any and all sites. Any site that understands whatever protocol used can then automatically log you in. User experience becomes improved. All websites are immediately personified.

    I wrote more about how to do this with OpenID back at http://commented.org/blog/2008/1/3/continuous-openid.html Curious to hear what you think.

  • http://www.wallacewilson.net Wallace Wilson

    Completely agree. But it seems we could go even further. I want the browser to know who I am, even when I’m not on my computer. I touched on it here: http://blog.wallacewilson.net/2008/12/i-want-google-chrome-to-do-this.html

  • Dave

    For me, this is stupid.

    On some sites I want to be professional, and use my full name and work email address, but on other sites I want to use a nick-name, and use a private email address. Last thing I want is for the two to get mixed.

  • http://jonmulholland.com Jon Mulholland

    @Dave – it’s not stupid at all. There’s no reason why you couldn’t use multiple OpenIDs and be logged into both at the same time. Matter of fact this approach should make managing multiple online identities easier. Instead of remembering whether you had used your private or personal username, email address etc at each site, being permanently logged in with a professional and personal OpenID would remember and ‘delegate’ this information for you.

    @Dave (Recordon). This is a great idea, and your thoughts on using Gears are both interesting and pragmatic. On a separate note, I’ve been playing a lot with Ubiquity recently and there’s something at the back of my mind about how the Ubiquity extension subscribes to commands via rel=”commands” that might be an alternative approach. I’ll keep thinking about it…

  • http://www.marybranscombe.com Mary Branscombe

    The browser identity integrations are going to need the richness of letting you pick whether you want to sign into every site you visit, with the same OpenID; or whether you want to pick and choose when to sign in and with what. Making that a consistent experience and remembering user choices are better than making it hidden.

    But I disagree that Gears is the best place to do this. I’m uncomfortable with the Gears privacy model – if Gears is going to access my GPS, I want to control which sites it reveals my location to and ditto with Gears accessing files on a USB drive. I’m sure those concerns can be addressed, but until they are Gears isn’t going to be installed by default in every browser. And I think identity is too important to tie it into something else that has blockers of its own: it’s like putting tax breaks in a military funding bill. Make it a simple, trusted component that the browsers can carry along the way they do Flash and there’s only one argument to win.

  • http://hocteto.com nunes

    I’d say that in the long term, I will add two features to this idea.

    First and as long as the system is secure, I think this feature is better to be integrated at a Desktop level not the browser. Once you log on the system, you are already authenticated, there’s no need to log in the browser again.

    I agree, that in any case the user must have control over the accepted sites for authentication and the OpenID account to be used in each site.

    I also think that a service in this way should not only provide authentication, but also the social graph, if the application is allowed to access it.

    For example, if I create a new e-mail account in gmail authenticated with OpenID, why not import automatically my contacts from Facebook using the same OpenID (after I give my permission to do so)?

  • http://tinyurl.com/dfbu9u Spile

    I don’t like this idea. Maybe I want to have a different personality on some sites. How do you manage that?

  • http://blog.webdistortion.com Paul

    Great article. On a side note I personally think that identity is one of the greatest problems needing solved on the web today.

    Authentication within the browser / desktop might not even solve the underlying identity problem, which is that we are still all identified with an IP address, and even that doesn’t translate to a static fixed geographic position.

    How great would it be – if every single user on the web could authenticate and prove that the email address they are using corresponds to a physical person or name and address?

    It really came to the fore recently with the mainstream adoption of services like Twitter, and when so called celebs became accessible to the average Joe.

    The result, was that Twitter was awash with users impersonating celebs, and people crying “prove you are who you say you are”. Perhaps fingerprint readers are the future, and a service which auths your email and your fingerprint is tied to OpenID.

  • http://www.sapdanismani.com Sap fi Danismani

    It is good for bloggers and who have its own domain, because it shows your name as a link to your blog which increases backlinks and prevents spams. I like that idea and always use openid.

  • http://glueckwunschkarten.net/ Croni

    thank you for the excellent article and concept.

  • http://www.freedomplanet.ru Freedom

    Speaking of convenience, it is very convenient. Safety is in doubt. And so then the data may fall into the hands of spammers

  • http://www.kaffeevollautomaten-24.de/ Kaffeevollautomaten

    I agree with the last comment. Spammers are the most dangerous part in this ..

  • Lowrance

    It’s a great article, thank you.

  • http://www.georgebaily.com/ George

    Great article and here we are a year on with no real solution to this so far.

  • http://www.trends4mens.de Jacques Britt

    Really great and helpful article. I think OpenID is a really great feature and I love to work with it in the future

  • Desarae A. Veit AKA @DesaraeV

    It looks like we may be closer and closer to that one id to rule them all. Facebook open id may end up being that solution and I’m sure it would thrill Facebook to no end. That or Twitter/LinkedIn. I love Twitter, don’t get me wrong, but it doesn’t have as much of our personal data to be able to auto form fill. The only reason I include LinkedIn is because some of the older crowds (and in all fairness some of the younger) refuse to join Twitter or Facebook. Instead they find LinkedIn to be like a familiar safe zone because it gives the allure of control, false sense of security, seems to be only professional and looks like/acts like a resume.

    I’m excited to see where this ends up.

    –Desarae A. Veit
    http://desaraeveit.com

  • http://www.haarpunkt.com Haarentfernung

    Great article, very interesting and useful for me.

  • http://www.bookofradeluxe.com Book of Ra

    Best plugin ever I guess :-)
    Pretty cool!

  • http://www.novolinespielen.org Novoline

    As always pretty FAT article… OpenID is one of the best browser improvements you might get!

  • http://www.bellacasa-travel.com Ferienhaus Gardasee

    It’s a nice way to save your browser. I often saw this in internet cafes. If you want to browse you have to pay first.

  • http://www.wurzelimperium.de/ mike-browsergamer

    Yeah.. that’s really the best plugin ever… I love it! I wish to use it for more browsergames! :)

  • http://www.easybill.de Rechnung schreiben

    Great plugin, very interesting. I like it.

  • http://www.onlinespielenautomaten.com Novo Spielen

    I definitely do not agree with the browser knowing my identity. It’s too easy to steal data online and as much as any company thinks they can secure it, there will always be security vulnerabilities. If there ever was a foolproof security then we would not hear of any more hacks but we still hear of big companies getting hacked till today with all these advancements in technology. Google, Facebook and even NASA have been hacked and will also get hacked again.

    At least now we’re realizing that these people who manage to infiltrate these areas are being realized for their capabilities more than their crimes and being offered good employment (although I’m not condoning that hacking is something good).

  • http://www.novoline24.de Dennis

    I find it frightening and truly out of date, which is so not true. very good article keep it up

  • http://www.novoline-spiele.info Marco

    Great article, thanks!

  • http://www.7of.de Marion Kramer

    Excellent article!

  • http://www.bookofratricks.com/book-of-ra-online-spielen Book of Ra

    Very nice… look for more :)

  • http://www.bookofratricks.com/ Book of Ra online

    Please continue…this is really amazing:)

  • http://www.browsergamesliste.com Browsergame Fan

    To be honest I would be a much bigger fan of things like OpenID if they offered a challenge/response option for verifying my ID for the session.

  • http://dr-gott.com/ Ajeet Khurana

    “Google Chrome did a smart thing: Less”

    Interesting observation. Goes back to the original: “Less is more.” The real problem is that the likes of Microsoft who have amazingly bulky legacy software cannot go about removing functionality. So they will collapse under their own weight.

  • http://www.giocacasino.com Marco

    Good article, but keeping it all secure should be the main purpose, ensuring that web properties are not misused

  • https://www.aget24.de Albanien

    Quote: “Imagine if your web browser really knew who you were on the web. Just as you login to your computer”

    What about the people who don’t like this?
    I mean there are enough people who don’t want to share the websites they visited.

    Personally I prefer email registration before open id login with facebook. Facebook knows too much :(

  • http://merkurspieleonline.blogworld.at/category/allgemein/ Merkur

    Definitely interesting. Thank ya :)