What’s wrong with Yahoo’s OpenID implementation

Today Yahoo launched support for OpenID. On the surface this seems great for OpenID. Unfortunately there are a number of problems with it.

For those unfamiliar with OpenID, it is a single sign-on system which allows users to remember a single username and password for signing in to any site that supports OpenID. There are two basic parts to the OpenID system: sites which wish to allow users to sign in using an OpenID (the “relying party”), and sites which host your OpenID (the “OpenID provider”). Yahoo has chosen to be the latter, an OpenID provider.

Most OpenID providers give their users a simple, easy to remember OpenID like “username.livejournal.com” or “username.wordpress.com”. However, by default Yahoo provides their users with an obscure OpenID like “me.yahoo.com/a/1bjkvd893414lka09i23”, impossible for any normal person to remember. Why not use “me.yahoo.com/username” like most other OpenID providers, you ask? Simple: so Yahoo can force other sites (the “relying parties”) into placing “Sign in using Yahoo” buttons on their login pages. If a site wants to allow millions of Yahoo users to easily sign in, they must include this button. Free advertising for Yahoo.

If other OpenID providers follow this trend we’ll soon end up with login pages covered with dozens of “Sign in using ________” buttons. This is definitely not the intention of OpenID. Any user with any OpenID provider should be able to type their OpenID into any site which supports OpenID, and it should just work.

Additionally, Yahoo has chosen not to be a relying party themselves. This means that users who have OpenIDs from any number of other providers can’t sign into Yahoo using their existing OpenID. They’re basically saying “Yeah we support OpenID… as long as WE’RE in control”.

To become an acceptable OpenID provider, Yahoo should:

  • give users https://me.yahoo.com/username by DEFAULT, not as an option buried somewhere in the settings.
  • educate users to type either me.yahoo.com/username or yahoo.com into OpenID login pages, NOT have Yahoo-specific buttons.
  • become an OpenID relying party, i.e. allow other people to log into Yahoo using their OWN OpenIDs.

In the meantime, I suggest getting an OpenID from another provider such as myopenid.com. If you have a personal website or blog, you can easily use its URL as your OpenID via delegation. Sam Ruby has an excellent overview of various OpenID options.
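The delegation set-up mentioned above (a personal URL pointing at a provider) seen from the relying party's side, as an added example that is not part of the original post: it reads the OpenID `<link>` tags out of a constructed sample page, resolves the provider endpoint and delegated identifier, and shows the consistency check a relying party makes on the provider's answer. Resolving a bare provider name such as yahoo.com goes through XRDS/Yadis discovery instead, which is not shown here; the myopenid.com URLs and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkCollector(HTMLParser):
    """Gather rel -> href for every <link> tag in the document."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():  # rel may carry several tokens
                self.links.setdefault(rel.lower(), a["href"])

def normalize(user_input):
    """Turn what the user typed into the URL the RP fetches and claims."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    u = urlsplit(s)
    return u._replace(path=u.path or "/", fragment="").geturl()

def discover(user_input, html):
    """Resolve a possibly delegated OpenID from the HTML at the claimed URL.
    Returns (op_endpoint, local_id, claimed_id), or None without OpenID links.
    OpenID 2.0 rels win over 1.x ones; no delegate link means self-hosted."""
    claimed = normalize(user_input)
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    if endpoint is None:
        return None
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate") or claimed)
    return endpoint, local_id, claimed

def response_is_consistent(discovered, openid_identity, openid_claimed_id):
    """Accept the provider's positive assertion only if the identity and
    claimed_id it names are exactly the ones discovery produced."""
    _, local_id, claimed = discovered
    return openid_identity == local_id and openid_claimed_id == claimed

# Constructed sample: a personal blog delegating to a myopenid.com account
# (endpoint and account URLs are placeholders, not real service addresses).
SAMPLE_BLOG_HTML = """<html><head>
<link rel="openid2.provider" href="https://www.myopenid.com/server">
<link rel="openid2.local_id" href="https://alice.myopenid.com/">
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="https://alice.myopenid.com/">
</head><body>Alice's blog</body></html>"""
```

Calling `discover("alice.example.com", SAMPLE_BLOG_HTML)` yields the provider endpoint, the delegated local id and the normalized claimed URL; a page with no OpenID links yields `None`.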

  • Becoming an RP is certainly extremely valuable from a business standpoint - it's a great user acquisition strategy. I would definitely not say that we are unlikely to become an RP. We had to start somewhere and we decided to start by allowing websites to be able to engage our large user base via OpenID.

  • guest
    I agree with Tom and Shreyas. You are wrong! Your solution has indirectly opened doors for spammers on Yahoo Mail!
  • It turns out that Yahoo! is not in as unique a position with being a major email provider and an OpenID provider (OP) as it may appear. AOL, Orange/French Telecom - which are already OPs - Google, Microsoft, other large international portals - which may eventually become OPs - are in a similar situation. I hope these prospective OPs will handle this in a similar way that we have and not by default reveal the users' email address in the OpenID URL.


    Regarding the Yahoo!-specific button, it's really up to a Relying Party to determine what's the right experience for its users. If the button doesn't work for their website and target audience, they don't have to install it. We've actually got good initial feedback from some Relying Parties about the buttons.


    Finally, user education has been a paramount consideration for us and you will see that reflected all across the product. I believe we do a better job of educating users about the proper use of OpenID than just about any OP today.

  • Tom

    Shreyas: Thank you for your response. That does make sense. Yahoo is in the fairly unique position of being a major email provider and OpenID provider, I didn't consider that.


    However, I still don't like the solution of a Yahoo-specific login button on 3rd party sites. Allowing users to type in "yahoo.com" is great, but I doubt most users will be aware of that feature.


    The biggest problem with OpenID is educating the users. I do think it's great that Yahoo is trying to make it easy for average users to use OpenID, but it will only be effective if users understand that OpenID is bigger than just Yahoo and a few sites that have "Sign in using Yahoo" buttons.


    Now, the real question I have is does Yahoo plan on being a relying party so I can log in with my own OpenID? I'm guessing that's unlikely...

  • Hi Tom:
    I am the product manager responsible for Yahoo!'s OpenID service. Unlike what you state in your blog post and the comment above, there is absolutely no "conspiracy" with the auto-generated URLs. In fact, websites don't have to use the "Sign in through Yahoo!" buttons at all if they don't want to - users can simply type yahoo.com in the OpenID textbox (for any website - like Plaxo - that supports OpenID 2.0) to initiate the sign in process. Users don't have to remember their OpenID URL or type it in, whether it's auto-generated or picked by the user. Wouldn't that be easier even for a tech-savvy user? Just type in yahoo.com and you are on your way!


    Now, the reason we chose the auto-generated URL by default, and not the Yahoo! ID, is to protect the user's email address from getting revealed by default on OpenID websites. Imagine a world where OpenID is used by every web user - if their OpenID URLs are being left all over the place (e.g. while reviewing a restaurant), this can become a contextual spam target (as a spammer, I would know that you are interested in restaurants and I would spam you about restaurants by just parsing your OpenID URL and mapping that to your email/IM address). This is not possible with our auto-generated URLs, and hence, that's the default choice. This was discussed at length at a session I led at the Internet Identity Workshop 2007b and the general consensus in the group was that the user's OpenID URL should not, by default, reveal the user's email/IM address. You can find session notes here:


    http://iiw.idcommons.net/index.php/OpenIDForLargeProviders


    Our primary objective is to make OpenID easy to use for non-tech savvy users. Forcing all users on the web (i.e. all 1+ billion of them) to understand the concepts of URLs as identity endpoints is a non-starter in this respect. If, on the other hand, you do understand URLs as identifiers, and want to customize your URL, we do provide that ability, including allowing you to create a cool Flickr-based OpenID URL.


    I hope this clears your confusion. If you have any other questions, feel free to send them over.

  • Tom

    Carsten:


    That's correct, but my issue is that the URL is obscure by default and most average users won't know that they can select an easy to remember OpenID, thus they won't be getting a "true" OpenID experience. As a result, for a site to allow those users to log in via OpenID they must provide a Yahoo-specific button.


    I don't understand Yahoo's decision to not use easy to remember OpenID URLs by default.

  • You're not quite right about Yahoo!'s OpenID implementation, I think.


    1) The OpenID URL can be anything you wish. It can be your Flickr URL (if you have an account there, of course) or anything else. Yahoo! makes some suggestions. When signing in to a relying party it's sufficient to type in yahoo.com; everything else works in the background.


    2) Relying parties are not required to use the Yahoo! sign-in buttons. You can also use the familiar OpenID sign-in boxes.
