OpenID market researchFinding out customers expectations on openid and strategic focus areas

for OIDF 2011 and beyondKick Willemse February 2011

Main target groups OpenID

• Consumers using an OpenID• Service Providers OPENing up for external ID’s (RP)• Service Providers OPENing up their existing ID’s (IDP)• OEM – Tech Partners offering “OpenID inside”• Interestgroups

So what do they expect from OpenID – OIDF?

We just don’t get the

accountlinkingI see people

dropping OpenID

support?

How do we promote our

existing accounts to become

openid’s

Where can we provide input

for future developments & improvements?

I just implemented OpenID and now

there is Xauth, Hybrid, Connect???

What activities OIDF is planning There is no info

on website, news, social?

Will I get additional (verified)

attributes?

Digital Identity is high priority on the EU Digital

Agenda

Do you have any succes data on

3rd party login to convince my

board?

Membership Value?

Organisational structure and roles of OIDF?

Collecting reactions and observations in an OpenID analysis

• Strength and weaknesses for the internal situation

• Opportunities and treats from an outside analysis

• TOWS matrix to recognize strategic elements and map with existing focus areas

Strength OpenID Weaknesses OpenID

•Strong technical skills Highly experienced identity experts are members of OIDF.

•Install Base: Large number of libraries, plug-ins, software, applications support OpenID 1.0/ 2.0, ease of implementation at 50 K sites, 1 billion ID’s

•Strong 3rd party login affiliation OpenID represents the central idea of 3rd party consumer login re-using existing accounts. RP’s bandwagon the Re-Use of existing consumer accounts of large national or global participating IDP’s (Google, FaceBook, Microsoft, others)

•Strong alliances Close relation to OIX , OAUTH, InfoCard community.

•OpenID URL login box: Consumer does not understand login username is a URL, Users are NOT educated to enter personal account info on other sites. RP’s and IDP prefer recognizable brand promotion for target group of 3rd login (Selector) Results in a scattered OpenID Brand proposition.

•Eat your own dog food. Community is cynical about the OIDF members implementing OpenID in their own RP operational processes

•Complex, Scattered and slow development protocol: Current protocol version three years old (2007), Fragmented working groups introducing new features as pop corks, Hard to follow up from (international) RP perspective

•International outreach No strong (international) foundation member engagement . Communication of progress “inner circle” No structured feedback on progress of OIDF,

•Education: Little information IDP and RP on guidelines or best practices 3rd party login.

Opportunities OpenID Threaths OpenID

•Growing demand re-using ID’s, End User registration fatigue, Gawker Hack, 2-factor auth, sharing data, services integration (SAAS)

Governments explore the opportunities to re-use ID’s of the private sector.

•Mobile first: Enormous growth of mobile presence driving a development for your mobile as ID and login support on mobile services (registration threshold)

•Risk Differentiation, Understanding of RP’s that not every transaction needs the same risk profile, Distinct trust scheme’s from technical protocols

•Do not track (Privacy) Do not track features installed in browsers, users want to own and control data.. Share attributes and grant permissions

•Bad user experience of third party login. Fuzzy implementations 3rd party login at RP or IDP makes the OpenID experience a bad experience. RP’s fail to understand account linking and online services get inaccessible.

•Disappearance of OpenID login box. Due to the fact that RP’s like to implement IDP recognizable brands (Buttons) and not the OpenID box. It will feel as if OpenID is failing

•Stuck in the middle: OpenID will try to serve to many different use cases. Alternative protocols will be implemented by a simpel vendor specific protocol because OpenID is to complex and does not fit their competitive advantage, other standards like Oauth will be used because of the additional authorization benefits

TOWS matrix to recognize strategic elements and map with existing focus areas

Strength•Strong technical skills •Install base •Strong 3rd party login affiliation •Strong alliances

Weaknesses•OpenID URL login box•Eat your own dog food. •Scattered and slow development protocol•International outreach •Education

Opportunities•Growing demand re-using ID’s•Governements•Mobile first•Risk Differentiation•Do not track (Privacy)

Create a new version of the OpenID protocol that cherish existing install base and is the primarily protocol for consent 3rd party login with a multichannel focus and standardized set of attributes

Quickly release a simple protocol that is officially released (transparent and globally available, no inner circle features) promoting the potential benefits and educating based upon member implementations and related best practices.

Threaths•Bad user experience•Dissaperance of OpenID loginbox •Stuck in the middle

Position OpenID as the brand for “opening up ID’s” accept or enable 3rd party account login. Rebrand the OpenID login box as the alternative OpenID IDP selector . Keep flexibility to support competitive use cases.

Make a clear (joint) proposition of the differences between OIX, Oauth (authorization) and OpenID (Authentication) Strongly cooperate to have a fluid implementation of authenticating and sharing a verified attribute under user consent

Strategic outcomes fit with Proposed Foundation Focus Areas 2011

• Facilitate development of needed protocol and user experience specifications to achieve vision– Within OpenID working groups– And in cooperation with other organizations

• Continue OpenID Summits– Including internationally

• Advocacy and Education– Continue sharing what’s possible now and what we are working

to enable• Streamlining and housecleaning. For instance:

– E-signing for IPR contribution agreements– Better working group administration support

• Safeguard IPR

Some additional considerations• RP’s will use branded login buttons for preferred IDP’s, alternative IDP’s

can be used with OpenID login box as IDP selector. Delegation by typing or select IDP (ie. @IDP, IDP.com)

• Clear marketing and communication activity plan to increase transparent and up-to-date communication on OIDF website as primarily channel also for Spec work, and additionally using social media

• Create best practice for main target groups on 3rd party login– Consumer, How to use and choose an OpenID– RP, How to connect to OpenID– IDP, How to be a good OpenID provider

• Make sure to leverage existing install base, include mobile and not to loose user consent flow, when new simple protocol versions are released

• Define a clear set of standardized attributes extending SREG-AX to leverage the strength of easy data exchange for RP’s

• Make sure OpenID ABC is implemented by OIDF member RP’s• Create clear membership proposition and cover different interest during

Summits. Position Summit to industry events like Mobile, Online retail,• Work with OIX and Oauth community to have a clear positioning paper

…or select your preferred OpenID provider