In this interview we talk with Brian, Larry, and Michael. Specifically, we talk about:
- OpenID’s offerings for decentralized online identity management
- Securing online identity: technology and beyond
- Aggregating identity information for multiple resources
- Spurring adoption by developers, service providers, and web sites
- Responding to objections about centralized identity management
- Closed source versus open source credibility
- The future of online identity management
Sean Campbell: To get us started, could each of you introduce yourself and tell us about your current role as it relates to OpenID and JanRain?
Larry Drebes: I am in engineering, and these days, I spend most of my day thinking about our software and how it relates to the market needs.
I was one of the co-founders of Four11, which produced a product called RocketMail, the underlying platform for what became Yahoo! Mail. Yahoo! bought RocketMail back in 1997, shortly after Microsoft bought Hotmail.
After that, I co-founded a company called Desktop.com, which was earlier than Google Docs, but similar in concept. Most of my background is with large-scale software, in software as a service deployments.
Mike Graves: I’m the CTO. I’ve been here a little over a year; I was previously at VeriSign, where I was CTO of one of their two divisions. I arrived at VeriSign in 2000 as the founder of a dot-com-era startup company called Signio. It became the merchant-payment processing system for VeriSign until they sold to eBay last year.
I took a little time off and came back to VeriSign to help lead the charge into new markets where I first became familiar with OpenID, and eventually ended up here at JanRain where we’re exclusively focusing on OpenID.
Brian Kissel: I’m Brian Kissel, the CEO. I joined the company in January of this year at the point when the team felt like OpenID was really starting to reach an inflection point of market adoption. The OpenID V2.0 specification had been recently finalized, large corporate sponsors like IBM, Google, Microsoft, Yahoo, and VeriSign were announcing their support, website adoption growth was accelerating, etc.
We wanted to take advantage of the extensive development work that the team here had accomplished over the last couple of years in creating next generation platforms and technologies for user-centric identity and authentication management via OpenID.
Scott Swigart: Thanks. Give us a little bit of a description of OpenID, and what you as a company do around the technology.
Brian: OpenID is the equivalent of single sign-on that you would get inside an enterprise. If you log in at the beginning of the day via Exchange or something like that, there’s an abstraction layer that also logs you into backend systems like CRM, ERP, HR, Accounting, and so forth. You only have to log in once.
You may be familiar with Microsoft’s Passport and InfoCard technologies, which are built on the idea that you have one user name and password that you can use on any enabled web site.
That’s really the same concept behind OpenID–it’s for users on the open Internet to have just one or a few identities that they can use to access all web sites that are OpenID-enabled.
Scott: And in terms of your company, what are some of the things that you do around OpenID?
Brian: Our goal is to be the platform provider of choice for OpenID implementations, for the end user, the OpenID provider, and the web sites that are accepting OpenIDs for registration and login.
In OpenID parlance, there are two kinds of contributors to the OpenID ecosystem that benefit the end user. One type is called the relying parties (RPs), which are web sites that accept OpenID for authentication. The other type is the OpenID providers (OPs), which are organizations that issue OpenIDs to consumers, employees, or members to use on the web sites.
We have a property called MyOpenID.com, which is a hosted ASP service where you can come and get an OpenID. We also offer services to web site operators to enable their web sites for OpenID and to create better, more intuitive login user experiences.
And then we have solutions that we offer to OpenID providers who want to issue OpenIDs to their employees, their partners, or their customers with their own brand.
Scott: Obviously, people who are building sites that may accept OpenID are using a variety of technologies. What kinds of technologies do you support, in terms of the components that you provide and things like that?
Brian: There are open source OpenID libraries for about eight different platforms out there, including four or five major platforms.
Larry: We currently support three of those; we used to support six. Very early in the design process, we created open source reference implementations in a variety of languages. For OpenID V1, we wrote Ruby, Perl, Python, PHP, Java, and C# libraries, all with a common API, and tried to seed the market to get OpenID into the hands of developers.
Since that stage, we’ve brought a lot of companies into the fold, and it’s no longer necessary for us to support some of the more niche platforms. Right now, we provide open source libraries for OpenID V2 in Ruby, Python, and PHP.
OpenID fits together between the end user, the provider (which is often us), and the web sites through common web protocols.
Scott: As you mentioned, the idea behind OpenID is similar to what Microsoft was trying to accomplish with Passport. What are the advantages of OpenID versus a Passport implementation?
Mike: The crucial factor is that there are a lot of technical things inside of Passport that are very nice architecturally, but politically and socially, it’s just not an option.
The ecosystem will resist any company owning that space in that way, no matter how good the technology is. No one wants to be locked into a silo at that level of the stack.
One extremely valuable thing that OpenID offers is its decentralized nature. The trust and provider infrastructures are decentralized, so anyone can spin up their own OpenID server.
That doesn’t mean they have to be trusted or that anybody is going to trust them. But the trust circles and trust relationships arise organically out of that, meaning that if you use OpenID, you have portability and the ability to avoid lock-in. You can move to another provider using the same technology, and let them compete against each other in terms of serving the user.
That’s not the only difference, but it’s crucial that no one owns this, and the turf is not proprietary at the lowest level.
Scott: So since there are a variety of OpenID providers, people develop trust in specific ones, and the providers work to build their reputations.
Mike: Right. A lot of factors go into the decision of which provider you want to go with, and those factors can change over time. With OpenID, however you decide, you’re not tied into that provider.
With OpenID, if you read a headline that gets you concerned that your data is being disseminated somehow that you don’t approve of, or violates the EULA as you read it, etc., you have more options.
That doesn’t mean that it’s not a headache, but the architecture of the system is such that you can migrate to a new provider that abides by the policies or values that you demand in that relationship.
Sean: Would you say that what you are trying to do by federating identity is somewhat similar to the experience somebody gets when they can look at Debian versus Ubuntu?
That is, Ubuntu is Debian with some chrome and obvious other technical differences, but they come from the same lineage, and if I don’t like what Ubuntu is doing, I can go back to Debian, or CentOS, or elsewhere. Do you feel like OpenID shares some philosophical relationships to that approach?
Mike: Yeah. We understand that it gets away from the end-user retail-consumer mentality, but at its core, that ethos is very much the same as what drives the open source philosophy of OSs.
Linux is a very good analogy to use, because for instance, even if there are things you don’t like in a Debian architecture, many users can’t help themselves, but it’s always available. If you really need to change things, you have a path if you want to marshal the resources and effort to change and accommodate your interests, even on your own.
OpenID is similar, in the sense that it’s a roll-your-own architecture. If you’re sufficiently motivated and equipped, you can roll your own to provide biometrics support, or requirements for attribute exchanges that are very stringent or that otherwise meet your needs. And you aren’t beholden to anybody’s particular implementation.
Sean: What do you think the natural evolution of OpenID is down toward the desktop? Do you see people eventually weaving it into desktop scenarios to secure data in home and business settings, or do you think it’s predominately going to stay with service providers and data storage that you access in the cloud?
Mike: My personal view is that part of OpenID’s value is that it’s fairly narrowly cloud centric, and that’s the way it should be, even long term. There are lots of great existing desktop identity management and security solutions. OpenID’s primary design intent was for open Internet identity and access control.
We see OpenID as part of a mosaic or a stack that provides user-centric identity and the security and privacy around that, but I don’t think OpenID has the charter to try and reach from the cloud into the desktop.
We want to tailor things into a modular concept, where OpenID meets its goals very well and in a very lightweight, flexible way, and it defers to other tools that can be plugged in and out, depending on the context, to work with it.
I think it’s far beyond what OpenID needs to address in terms of desktop integration, because as you said, the Linux desktop is going to have a different set of tools than the Microsoft one. As you know, InfoCard is actually a pretty nice solution in this area, but it’s Microsoft-centric. And despite the difficulties of getting beyond Microsoft on the desktop, that’s going to be a sweet spot for the long term.
Sean: Let me ask you a question in a different area. How do you address the man in the middle question? Obviously, it’s a tough potential problem for any identity system, even if it depends on factors that are very hard to spoof, like biometric data.
Larry: As you know, there are general security issues with the web, and to some extent, the world has survived with those security issues. For instance, if I’ve been phished and I think I’m on Amazon but I’m not really on Amazon, bad things could happen.
Certainly, OpenID is living within the web framework, and we can’t do anything to remove existing global security issues, but we can add additional features onto the normal intercourse of the web that provide additional protection.
With our product, we’ve added security measures as options for the user. For instance, the user can use a client-side cert.
We have an out-of-band, second-factor authentication solution, called VerifID, which actually uses your cell phone in conjunction with a password to verify your identity. Every time you input your password, you get a phone call at that number, and you must hit a number on the keypad in order to continue.
We also allow InfoCard to be used, which is a sample-based public key encryption protocol. So all those options can provide additional layers of protection. Of course, we have to strike a balance between inconveniencing the user and securing their web transactions.
This is really the same story everyone can tell you–Amazon is making the tradeoff of just using a password versus a more secure option, which might cause more friction against people filling up their carts and checking out.
We are participating with other members of the community, since it’s not at all a unique problem to us, and we’re giving users tools so that they can secure their identity themselves, if they choose to.
Mike: A lot of this is anthropology, as you know. We have to be realistic about how much of this technology actually can solve. There are social relationships and social trust issues that play a major role. I worked at VeriSign for a long time, and they’re heavy into the mediating technology for trust relationships.
But even for a big, badass security company like that, they understand that, at some point, it happens above the technology layer. That being said, it doesn’t mean we’re not cognizant of it, but because we’re cognizant of it, we know that that’s not something that can be solved with just bits.
Scott: Another topic that tends to come up a lot when we discuss identity management is that there are a couple of choices about aggregating that information, and they both have issues associated with them. One option is to have a different password for every single place you go, and nobody really likes that. On the other hand, there’s obvious danger to having one password for everything–if it gets compromised, that’s really bad.
But as I understand it, I can have more than one OpenID, so I might have different identities for different purposes.
Brian: You may have one or you may have many. It’s up to you, and you’ll have different reasons why you’re using different identities, whether it’s a work identity, or a home identity, or an affinity group identity with your college, or some other interest area that you have. It could be an AARP identity. It could be an American Express identity.
The tradeoff with one or a few identities is that you can be a lot more vigilant and mindful of how you manage your identity. You may have 50 different username/password combos out there on the open Internet, and most people do something which is called password reuse.
Your password is only as secure as the weakest place it’s used on the Internet, and if it gets phished at Billy Bob’s Phish and Tackle Shop, then it’s compromised, and it’s good anywhere else you’ve reused that password.
On the other hand, in the OpenID model you only share your password once, and that’s with your OpenID provider. And you can make sure that you trust that your OpenID provider is doing infrastructural things to protect it, and that you’re creating and managing strong passwords.
You can be reminded to reset your password with a given frequency, and you can be encouraged to implement multifactor authentication protocols–whether that’s an SSL certificate, an InfoCard, anti-phishing site verification tools, out-of-band authentication with cell phones, or an RSA token. With this approach, you get to choose how much security you’re willing to layer on top of your authentication process, to balance between convenience and security.
That’s what it will always boil down to. Unless every device and every opportunity uses biometrics, and it’s your retinal scan or your thumbprint scan on every device where you would ever authenticate, then there’s going to be some inconvenience to you to do something more than username and password.
Actually, though, it turns out that if you have a good relationship with your OpenID provider, you get very easy login on any OpenID-enabled site – single click with no text entry required in many cases. You maintain a very trust-driven relationship with your OpenID provider, and that OpenID provider can manage all that infrastructure across one account as opposed to many.
If every web site had to implement the same multiple layers of protection for your identity that an OpenID provider did, I would posit that the whole ecosystem would not adopt the same level. But if you have a handful of OpenID providers who are really focused on managing your identity and providing multiple layers of protection, then you’re more likely to have a more secure experience.
Sean: What about the challenges of educating developers? Some technologies are just flat out sexier than others. That’s nothing against anybody in particular, but Scott and I have had the experience of educating people about some pretty dry stuff, and we appreciate how difficult it can be to engage people on it.
What do you do to evangelize to the broader open and closed source development communities about the importance of identity?
What are you trying to bring to market to make it easier for them? I have to imagine that, on one hand, everybody understands it’s important, but on the other hand, it might not be the thing that they want to pay as much attention to right out of the gate.
Brian: The OpenID Foundation along with the member companies are doing outreach and education on the features and benefits of OpenID. We run a web site called OpenIDEnabled.com that hosts resources for the development community. Additionally, we provide tools like ID Selector (www.idselector.com) to enable website operators to adopt and deploy “best demonstrated practice” implementations of OpenID login. We’re also working on white papers for OpenID providers, web site operators, and end users on how to get the most out of OpenID.
In addition to outreach and education to the development community, we’re providing more “turn key” solutions for OpenID providers, website operators, and end users. Just like SugarCRM, VA Linux, Red Hat, MySQL and other open source initiatives, you can get the open source libraries or you can get professionally managed services using the technology. We provide the widest range of innovative, fully featured solutions on the market.
Scott: Where are you seeing OpenID being most widely adopted? Who do you see as being the early adopters, and maybe the second wave of adoption? Who’s using it?
Larry: At the user-created points of the web, like blogs and wikis, it’s gaining tremendous ground and is actually a sort of thought leadership. It’s the right way to do things, and it’s thought of as very cool in lots of circles.
Beyond what you might call the technical early adopter part of the web, if you will, you have large players like Yahoo!, Microsoft, AOL, Google, MySpace, and VeriSign all coming out in support of OpenID. So really, the adoption is expanding. So the top end of the market has already either announced support or delivered production support.
It’s that middle of the Web that our eyes are really on, at this point, and it’s a large middle. That’s where future adoption is going to come from.
Scott: What do adopters point to as being advantages of the technology, to validate their decision to go that way?
Brian: As Larry mentioned, the early adopters have been either the large portals or the user generated content sites, like blogs, discussion groups, wikis, social networks, and sites like that, where the primary objective is to get registered users on their site as frictionlessly and as quickly as possible.
If users can show up at a site with an identity that they can sign in with, it’s much more likely that they’re going to become active participants. The big benefit to website operators is that the more people they have active on their sites, the better they can do with personalization, advertising, promotion, and cross selling. Also, for sites that sell advertising, they can get higher CPMs for profiled users than generic site visitors.
So the first measure of success is probably the conversion rate from “site visitors” to “registered users,” followed by the activity level on the site.
Back to your earlier question, I think that the next categories we will likely see come online will be content sites other than user generated content sites. They’ll be media properties, like newspapers, radio stations, TV stations, magazine sites, sports sites, gaming sites, and some affinity groups–organizations where they don’t control the members, so they can’t manage single sign-on from an enterprise perspective, but they have members where they do want to provide access.
Alumni associations, community organizations, little league teams, AARP, Boy Scouts, and organizations like that are not necessarily transacting business, and they’re not asking for credit card numbers, but they do want to have registered users.
Another category would be all the customer supported sales and customer self help resources on product web sites, where they have blogs, discussion groups, or wikis to allow people to ask and answer questions and help each other.
If you go to one of those sites and you have to register to participate, and you’ve already got 50 user names and passwords, the likelihood you’re going to participate is lower than if it would accept an OpenID that you already have.
That’s the primary initial benefit for the web site operator–ease of registration and login, and ease of registration is important as well from the standpoint of being quick and error free.
OpenID has with it the ability to transfer personal data at the user’s discretion. Right now, in Simple Registration, there are 10 demographic data fields, but it’s extensible (and we think longer term it will go that way) with a component of OpenID, which is called Attribute Exchange, where you can share as many data attributes as you’re willing to publish about yourself. And you can share that information with a web site at registration.
So instead of having to fill out all those data fields, you just pass them to the web site operator in a machine readable format and pre-populate your application. As OpenID evolves, we’re going to get to the point where we’re going to get single-click login.
And that’s something our solutions actually support, so when you show up at a web site, you don’t even have to type in anything. It just remembers who you are, you click to authenticate, and it goes back to your OpenID provider to authenticate you seamlessly, and it comes back and logs you into the web site. So from a user’s perspective, the ability to register quickly and login easily is important.
Longer term, managing that data is going to be important. If you changed your phone number or email address and you had to go back to 50 different web sites and update your web site profile with that information, it would be a very tedious process.
If you have one digital identity, or maybe a handful that remember what sites are using that identity, and you can choose to pass that updated information to the site, that’s a benefit to you, and it’s a benefit to the site operator.
Scott: What are some of the misconceptions or common objections that you run into when you’re talking to people about using OpenID?
Brian: It tends to fall into one of three buckets.
The first is that they don’t know whether their customers want it or need it. The second is that they wonder how long and how much effort it’s going to take them to implement. And the third is that they want to know who among their peers and competitors are using it, because they may not want to be first, and they have to consider how this ranks among their other priorities.
We’re actually trying to systematically address each of those concerns with products and services that we’re offering to make it easier (a) for web sites to implement OpenID, (b) for them to be aware of the number of users who would like to use an OpenID on their web site, and (c) to get a few testimonial accounts in any given category to adopt OpenID.
You can envision the scenario that as soon as a few major college alumni associations adopt it, others will follow. As soon as you get the Boy Scouts, you’ll get the Girl Scouts and the Campfire Girls and 4H and everybody else. As soon as you get United Airlines, you’ll get Delta and Northwest. And as soon as you get Hertz, you’ll get Avis and National and Enterprise.
So I think part of the challenge for us is getting those early adopters who see the benefit and want to be perceived as thought leaders. As soon as that happens, the others will follow.
Right now, of the 18,000 OpenID enabled web sites, a majority of them are in that “user generated content” category. Some blogging sites, web sites, and discussion group web sites that are just going live now are choosing to go entirely OpenID.
Some are retroactively going OpenID and converting all their users to OpenID. So in that category, the benefits are compelling, in terms of ease of adoption and deployment. Reduction in customer care costs is another thing we should talk about.
If you only have one or two username/password combinations to memorize and maintain, the likelihood that you’re going to forget it on a site that you go to less frequently goes down dramatically.
And it turns out, according to Forrester and Gartner and Meta, forgotten passwords account for 30 to 50 percent of customer care support calls. So if you can drive that cost down dramatically, you drive the customer frustration down about going to a site that they’re only going to less frequently.
Scott: I guess the other advantage for the site operator is that it’s not their problem anymore, right? They just basically shuffle you off to your OpenID provider who handles all of that lost password, password reset kind of stuff.
Brian: There are actually a couple of benefits there. One, you do outsource that customer care cost to your OpenID provider. The other is you don’t need to maintain the passwords, so you don’t have liability in the event that a password is compromised.
Scott: I think there’s an interesting dynamic there, in terms of how the Internet has changed. I think originally, site operators saw it as a purely positive proposition to collect information on their users.
In the last couple of years, they have really started thinking about the fact that there’s liability associated with that data.
I know as a user, I really wonder when I go to a site whether they are really qualified to store my credit card information. Are they really competent to safeguard this information? And if they give me a check box that says: “We can forget your credit card and you have to enter it every time,” I always check that box.
Brian: That’s one of the reasons why PayPal has become compelling on smaller sites where you might not have that trust factor. There’s a way for you to abstract away your proprietary account information.
Sean: What do you think about the ability of something like OpenID to be born from a single closed source company or even a small gaggle of them, whether it was Google, who has tremendous credibility, or Apple, who’s also closed source but has a lot of positive brand equity?
Do you think something like this has to be created by an open source type of community?
Mike: I think that this could’ve been pushed out by one of the big companies. Google, or Yahoo!, or Microsoft has the girth and user footprint to push something like this out.
But the technology has to have some genetic features that those companies typically wouldn’t provide–namely, the ability to easily migrate right off that particular silo into another.
It’s practically achievable for someone like a Google or Microsoft or Yahoo! or AOL, but disruptive to their community base. One of the things that we’ve seen happen is that Yahoo!, for example, has been very proactive with OpenID, relative to some of the other big companies.
But there was a time not long ago that they hadn’t warmed to this idea any more than Facebook or some of the other more closed companies, because they wanted to preserve their proprietary silo. One of the things that OpenID or similar technologies will do is to flatten the namespace and make it easy to move things around and facilitate portable user-managed identity. Momentum for that paradigm is expanding beyond OpenID in areas such as OpenSocial, OAuth, Data Portability, Portable Contacts, etc.
Scott: We’re drawing near our time limit, so I’d like to ask whether there’s anything that we didn’t ask about that would be interesting in this space to discuss.
Brian: One area that we think longer term is going to be interesting as OpenID becomes more prevalent is the notion of consolidating and aggregating and more intelligently managing all the content and communication that happens on the Internet today.
Right now, you have silos like email, chat, discussion groups, blogs, and wikis, with different people, groups, and topics that you’re trying to manage in a more disaggregated way.
Imagine a time in the future when all of your communications and all of your content sites are OpenID enabled, so you can pull them all together in a more consolidated way. You could keep track of various discussion topics, blog entries, emails, and chats in the context of topics that are of interest to you from people and groups that are of interest to you. It would let you prioritize and organize information in ways that make sense to you, based on your stated priorities or what the technology can infer from your actions.
That’s something we think that in the longer term, OpenID will enable that no other solution or approach has done to date. So we’re excited about what it can do for registration and sign on today. We’re more excited about what it can do with digital identity, reputation, and content management long term.
Mike: One of the things that JanRain has to balance is the immediate, practical needs of equipping the industry to provide practical solutions, with the long range opportunity, which is huge. Once OpenID proliferates in a broad way, they will become the effective endpoints for all sorts of things. Communications is an obvious one, but commerce and trust and the things that spring from them are going to increasingly become factors, in terms of the basic building blocks that are OpenID endpoints.
For us, that’s an enormously motivating horizon to keep looking at, even if it’s not proper to talk about in this quarter or next, or even next year. But as time goes on, this is going to unleash a huge number of disruptive opportunities for new communication tools, new workflows for collaboration around content, new e-commerce trust mitigation, and e-commerce payment flows, all using OpenIDs as the atoms building into molecules and organisms in a way that hasn’t happened before.
Scott: This has been a good conversation, and thanks for taking the time to chat with us. Identity and personal data are central to the work that lots of people are doing, and so it’s really nice to get your perspective on how OpenID fits in.