Comments for The Dam Just Broke: Facebook Opens Up to OpenID

The Dam Just Broke: Facebook Opens Up to OpenID

2009-05-18T20:22:45Z

In a few minutes Facebook will become the biggest example of a social network that allows users to log-in with OpenID credentials granted to them by other companies' websites. Major networks have said for months that their ID could be used as OpenID, but becoming "relying parties" that accepted OpenID from elsewhere was the step everyone was waiting for. The dam has broken.

It's ironic that it's Facebook that did it. Facebook is probably the most closed of all the major social networks (other than LinkedIn) and is so far ahead of everyone else in market share that traditional logic would argue that they have no interest in this kind of interoperability. This is the kind of step that was expected from networks more open and, frankly, far behind Facebook. Nevertheless, it has happened and it's big news.

]]> New Facebook users will now be able to create Facebook accounts using their Gmail credentials and existing users will be able to associate and thus log in with Gmail or any other OpenID account that supports "automatic login."

That means fewer passwords to remember. Just log in with your favorite OpenID supporting account and don't worry about one just for Facebook. Single sign on is just the simplest benefit though.

Presumably, the friends you bring with you in your OpenID account will be searched for automatically on Facebook. "In tests we've run," the company said today, "we've noticed that first-time users who register on the site with OpenID are more likely to become active Facebook users. They get up and running after registering even faster than before, find their friends easily, and quickly engage on the site."

Contact lists are the second simplest benefit of this kind of data portability, but other payloads are possible and that's when it gets even more exciting. We'll see what Facebook does to move the ball even further up the court.

Nothing is live yet and we haven't been able to test out usability (we just got a press release about the forthcoming announcement at 1:30 PM PST, which is ~~late~~here.), but Facebook is very good about things like that and has been working with the OpenID community on usability (its biggest challenge) for months.

Expect MySpace, Digg, Twitter and maybe some Yahoo sites to start accepting OpenID from other companies by the end of this summer at the latest. It's only a matter of time now that Facebook has.

Note: Jason Kincaid at TechCrunch argues otherwise:

"Facebook has really been a relying party since its inception - there's never been a "Facebook ID" because you've always used your university Email (or more recently, your personal Email) to log in. So the site isn't really sacrificing anything by enabling OpenID support. The likes of Google and Microsoft have built many services tied to their own proprietary accounts, and they're going to be far more hesitant to give those up."

We can see some strong logic here, but we also suspect there will be additional factors that emerge, like an increasing number of websites deciding to become OpenID providers so their user data can be used in Facebook, that will keep the current flowing in this direction.

Comment from Ruby Sinreich on 2009-05-18

2009-05-18T20:48:21Z

Great news! It's about time.

Now I will really start worrying about keeping my OpenID account (I use http://claimID.com) and contacts up to date.

Comment from Chris Saad on 2009-05-18

2009-05-18T20:48:38Z

As usual though, Facbeook has gone the route of open standards IN but not OUT. They are happy to suck in as much data in as many formats as possible - but not provide simple things like RSS feeds from the news feed or OpenID+Oauth+Portable Contacts OUT.

Comment from Sardar Mohkim Khan on 2009-05-18

2009-05-18T20:53:27Z

Just when we needed this. I appreciate Facebook accepting the OpenID, something I thought it would never do

Comment from s on 2009-05-18

2009-05-18T21:14:29Z

This doesn't matter.

Not enough people use OpenID anyways.

Sad reality.

Comment from Chris Saad on 2009-05-18

2009-05-18T21:20:43Z

@s - everyone uses openID - if you have a gmail account you have OpenID - that's the point of this.

OpenID is like HTTP - no one has one but everyone uses it.

Comment from Matt on 2009-05-18

2009-05-18T21:21:16Z

Worthless to their existing 200+ million users.

This would be big news if they were an "identity provider".

Comment from Ian on 2009-05-18

2009-05-18T22:06:58Z

This is fascinating news. OpenID stands the greatest chance of all of becoming a single sign on to the web at large — exceeding what Microsoft ever managed with Passport (now Windows Live ID in essence) and what Facebook was ever likely to achieve pushing Facebook Connect as a proprietary solution — but it could still be a lot more usable. Though maybe truly widespread support will motivate providers to make it more friendly to the non-techie.

Either way, and whoever wins out, single sign on is coming and will be a big benefit for everyone. We’ll be adding support for OpenID, Facebook, Google, Windows Live, Twitter and Wordpress based authentication to our site next month. It’s not that tough to do.

Ian Hendry
CEO, WeCanDo.BIZ
http://www.wecando.biz

Comment from Matt Sherman on 2009-05-18

2009-05-18T22:23:33Z

One less password is good, no doubt. But did they have to ask for access to your contacts?

http://clipperhouse.com/blog/post/Facebooks-OpenID-another-contacts-grab.aspx

Comment from Kaliya Hamlin on 2009-05-18

2009-05-18T22:33:00Z

Yes this is great news. Lots of conversation going on here today at the Internet Identity Workshop regarding how OpenID can be more usable along with conversations about how all the standards and protocols for user-control of identity information can be managed and supported. Lots of fun - it is amazing really to see all the collaboration happening here between Google, Yahoo!, MSFT, Apple, AOL, Plaxo, MySpace, Facebook, PayPal and so many others.

Comment from Marshall Kirkpatrick on 2009-05-18

2009-05-18T22:39:06Z

Matt, you're right. Alowing people to opt out of exposing contacts would have been good. It's pretty in charecter though, FB is ultimately as an organization just an opportunistic bully worshipping at the altar of soulless marketing crap. In the mean time they do a lot of good social networking and this Open ID news is good though, eh?

Comment from Meryn Stol on 2009-05-18

2009-05-18T22:42:23Z

Wow, this is major. My congratulations to the whole OpenID community.

Comment from Meryn Stol on 2009-05-18

2009-05-18T22:52:26Z

I actually can't see how to log in with openid (or Google account). There's only a username/password option.

Comment from Drew Lucas on 2009-05-18

2009-05-18T22:56:40Z

It's about time!! Good on ya OpenID.

Comment from Meryn Stol on 2009-05-18

2009-05-18T22:57:42Z

Otherwise, I think that nowadays, the question of identity pales with the question of data portability, and especially the real-time exchange between networks. Singular identity is just a tiny, tiny bit of it all. And given Facebook's "legacy" with privacy settings (and privacy demands from users), I don't think they can truly open up any time. Twitter and FriendFeed, while neither one of them are accepting openid, can open up "all the way" in the future. They can go where Facebook can't.

Comment from Matt Sherman on 2009-05-18

2009-05-18T23:13:05Z

Marshall, agreed, on net this is good. I like Facebook. If a little opportunism is the cost of reducing the identity problem, I'll survive.

Comment from Brandon Mendelson on 2009-05-18

2009-05-18T23:18:13Z

Marshall,

Great article, and I like that you argued a point made on another tech blog. I can't remember the last time I saw that done (well).

Comment from Jonno on 2009-05-18

2009-05-19T01:24:01Z

Can anyone figure out how I sign up with my open ID account?

People say how openID is a security hole. That is just not true. If you are truly worried about your privacy and security you can easily setup your own openID server. It is not much harder than setup a wordpress blog and there are a few that run on any PHP enabled hosting service.

Comment from Bill Rawlinson on 2009-05-18

2009-05-19T02:02:53Z

VEry very sweet.. Can't wait till I see it on my acct... well I can see it but it seems to be a bit buggy. If you go to "Settings -> Account Settings -> Linked Accounts" you can hook up your open id provider. So far I haven't gotten it to work with either my claimid one or my chi.mp one. I only tried the chi.mp one becuase my primary (claimid) wasn't being recognized by facebook. If someone gets this to work please let me know!

Comment from rs powerleveling on 2009-05-18

2009-05-19T03:30:04Z

Not enough people use OpenID anyways.

Sad reality.

Comment from Tom on 2009-05-18

2009-05-19T04:43:35Z

I'll be more impressed when Facebook becomes an outy versus an inny. Good move though. I score it a "meh +"

Comment from Ferodynamics on 2009-05-18

2009-05-19T06:37:26Z

Go ahead, use a single sign-on for your email, house, cars, medical records, it's so secure! What a joke.

Comment from arty on 2009-05-19

2009-05-19T07:33:16Z

has anyone actually logged in facebook using openid? there's no such form on the site :( you can only link your account, but not use it for login

Comment from Federico Viticci on 2009-05-19

2009-05-19T09:37:31Z

pretty weird, I thought that Facebook WAS Open ID.

Comment from Kevin Gregg on 2009-05-19

2009-05-19T10:03:10Z

This isn't just about a social networking "Web 2.0" company doing the right thing, this is about Microsoft saving face. I don't think it has been mentioned that Microsoft (probably for data analytics and BI, wouldn't it stand to reason?) has a 10% stake in Facebook. [if not more by now, I haven't checked]. Microsoft knows it has to evolve or die, and this seems like a swell opportunity to do the right thing for possibly the first time since they were writing BASIC in the 70's and programming on the Altair.

One can hope,

Kevin Gregg
Network Security Research Analyst
Infination Technology Research
kevin@infination.com
662.497.2890
http://infination.info/contacts

Comment from KG on 2009-05-19

2009-05-19T10:10:50Z

But let's look at the dark side of OpenID for a second. If a cracker wants to penetrate and compromise an OpenID or whatever he or she (or the group) desires, they will. There is no stopping a strong will with a healthy skill set and a thirst for illegal adventure. If everything goes to one ID, and that ID is taken, there goes your ENTIRE identity across the ENTIRE web. It's simply not a well-thought out plan.

A good quote I heard: "You can try to make your security idiot-proof, but there's always one idiot out there more inventive than you are."

KG
Infination Technology

Comment from factoryjoe.com on 2009-05-19

2009-05-19T13:18:20Z

@Marshall: What's up with the spam in your comments? It's starting to look like TechCrunch around here! ;)

Seriously though, in response to your comment in #10, Facebook actually doesn't really have control over that step (that is, making importing contacts *optional* as part of the sign in flow). That's Google's decision, by design.

Now, it is true that Facebook could decide not to ask for a token to access the contact information at all, but trying to get a token later when they could just do it all once seems somewhat reasonable, since you can always shut off Facebook from within your Google account later.

@KG (#29): As long as you make the same argument about based on email addresses, you're right. If I hack your email address, not only can I reset all your other passwords that are keyed to your email address, but I can prevent you from having access to one mechanism for gaining back control over those compromised accounts.

OpenID certainly isn't perfect, but from a convenience standpoint, it's very useful — especially if one considers the benefits of creating LESS passwords and entering FEWER passwords across the web. That alone makes it more secure than the email approach common today.

Furthermore, securing your OpenID is outside the scope of the protocol, so if you wanted to authenticate your OpenID using some combination of password, biometrics, SMS confirmation, etc, you could... whereas the username/password scenario requires you to trust that the site you're logging in to won't be hacked or otherwise leak your password. If you're unlike 99% of people and use a different password for every site, you might be in better shape; but for those use the same password everywhere (or cycle through 1-3 passwords), all it takes is one of those sites to make a mistake or get broken in to to expose your credentials. The worst thing about it is that changing your password on all the sites across the web then becomes a HUGE time waster, not to mention really hard to do!

Would be curious if you think today's situation with regards to accounts is better than the one with OpenID *as a choice*?

Comment from Chaz6 on 2009-05-19

2009-05-19T17:53:42Z

It is good that OpenID is supported at last. Unfortunately they only seem to support the older v1 spec. I was not able to associated my i-name (OpenID v2) with my Facebook account.

Comment from direwolff on 2009-05-19

2009-05-19T17:55:05Z

"That means fewer passwords to remember"

otherwise said, greater loss of identity an less protection in the event of a well planned/launched fishing expedition ;)

Comment from Josh Patterson on 2009-05-19

2009-05-19T19:11:02Z

This is pretty good news, I believe openID will lead to the adoption and evolution of more linking and discovery tech like OAuth and LRDD being employed.

That being said, what about the status of facebook connect around the web? Why not turn that into an openID provider so that when facebook users log into say another service that takes openID, they can use their facebook account without the other service having to implement facebook connect?

Comment from texasleaguer on 2009-05-19

2009-05-19T20:50:29Z

This is good news as it relates to interoperability and SSO. However, I personally don't consider this a huge step towards FB opening its doors. After all, it's merely user authentication and not much more. I have no data to back this up but my guess is that FB was nudged in this direction as the growth in new users has probably steadied and this lowers the barrier to new user participation. Which makes it a good move in that regard.

Comment from David Sanger on 2009-05-19

2009-05-19T23:16:51Z

This may be covered elsewhere but I'm curious:

If you already have an account at site xxx with your favorite password pppppp and then decide to change and start signing on with your OpenID account, what is a sensible strategy for disabling the direct logon and erasing the stored password on site xxx ?

How to cleanup the mess of scattered account/passwords?

Comment from chrisofspades on 2009-05-19

2009-05-19T23:30:58Z

Meryn and arty, I noticed the same thing. I was able to link my openid account, but what's the point if I can't login with it? nor is there the ability to register using openid. did they just make the announcement w/o rolling out functionality?

Comment from missing the point on 2009-05-19

2009-05-20T02:29:23Z

openid is an industry inititive disigned to make it easier for customers to share their identity and demographic data with website owners - simply put your giving away valuble data for free. Open ID is a scheme to divorce consumers from their data under the guise of single signon and to create dependency that makes maintaining anonymity harder

Comment from virtual worlds online for kids on 2009-05-20

2009-05-20T11:06:09Z

That is great news! But the downside of openID is that once a hacker hacks into one of your account, he/she will be able to hack into every other account of yours.

Comment from KG on 2009-05-21

2009-05-21T12:46:37Z

yo joe,

personally? I think a better idea than being lazy and trusting softare and/or electronics with your memory would be to remember your passwords, make them very complex, have an algorithm created in your head and change that algorithm often. Is there suddenly a run on memory capacity, or do you think exercising your brain and not having a computer do all the thinking for you just might be naturally, fundamentally wise?

These are the same kinds of things technology has brought us. A lazy, easy-to-hack technology-centric world. I have had these same thoughts over the touch tone phone.

Don't throw away your brain! Or your phonograph! They're better!! :)

Comment from Keith on 2009-05-23

2009-05-23T15:26:19Z

Have a look at my thoughts on this: http://keithmclachlan.com/index.php?option=com_content&task=view&id=170&Itemid=1

Comment from Susannah on 2009-05-30

2009-05-30T11:21:04Z

I find myself wondering about the Facebook applications, in particular the online games, that are being attacked repeatedly by hackers using the various hacking softwares available free of charge on the internet. These games are compromising us all of the time - especially as many of them allow us to log in using an open id. They compromise every open id whether or not supported by a confirmed email address. It is no longer safe to rely on an electronic memory in any form. It is by far safer to go back to the old system of keeping all your information and passwords outside the computer now that these hackers can access everything you have in your computer (including passwords) simply by getting hold of your ip address. There are by far more pressing challenges on the way. Most of y'all reading this are not even aware that hackers can trace your ip even from this system. Once they have our ip addresses. I guess I don't really understand see how this so-called breakthrough at this current time is a breakthrough. It will be interesting to hear about the cons of Open ID.

Comment from yuii on 2009-06-02

2009-06-02T08:22:34Z

@KG #25
I, like a surprising number of other people keep far too much info in my e-mail inbox. If anyone could guess my yahoo password...every account I have on the internet could be compromised almost as easily.

Comment from green-tea on 2009-06-25

2009-06-26T04:30:00Z

has anyone tried to login into facebook using openID?
not sure how this will result for facebook

Comment from Pelle Krøgholt on 2009-06-28

2009-06-28T09:56:32Z

@green-tea I just tried to use my open id for Facebook it worked like a charm...

Comment from Ramesh on 2009-08-17

2009-08-17T11:55:15Z

hi myself ramesh sen. i've been suffering in opening the facebook. it's been quite tought to open my id in facebook. could plz solve the problem. thank you.

Comment from Markweee on 2009-09-07

2009-09-08T05:18:38Z

Smashing work..Coming from a fellow student, this will certainly help me move up the ranks
doctorate degree business AND computer school

Comment from Permanent Magnets on 2009-09-08

2009-09-09T06:30:21Z

Congratulations to the whole OpenID community.

Comment from ed hardy on 2009-09-09

2009-09-09T09:39:27Z

This is the kind of step that was expected from networks more open and, frankly, far behind Facebook. Nevertheless, it has happened and it's big news.

Comment from MIKE LEE on 2009-09-17

2009-09-17T12:17:58Z

From:Mr.Mike lee Operational Manager
Credit Suisse Bank
One Cabot Square
London E14 4QJ - United Kingdom.
Email:mikelee02@gmail.com

I am Mr.steve albert a British citizen and I work with Credit
Suisse Bank London UK.
I am the accounting officer of Mr.William Wise who died on the recent bomb
blast which occurred in London on the 7th of July 2005.
Mr.William Wise who is our Client left the sum of fiften Million five
hundred thousand Dollars ($15,500.000.00) for deposit, this
Amount is yet to be credited in his favour before he died on the recent
bomb blast in London. I want you to open an account with my Bank or send
your bank information so that I can credit this amount to you while you
shall receive 40% of the fund I and my
colleague will have 60%.
If you are interested in this transaction please fill the form below
and get back to me immediatly.
Please,provide me the following: as we have 5 days to run it through.
this is very very URGENT PLEASE.
:PERSONAL INFORMATION:

FULL NAMES:________________________________________
GENDER____________________________________________
DATE OF BIRTH:_____________________________________
NATIONALITY:_______________________________________
COUNTRY OF RESIDENCE:___________________________
MARITAL STATUS:__________________________________
HOME ADDRESS:____________________________________
OFFICE ADDRESS:___________________________________
TELEPHONE NUMBER:________________________________
FAX NUMBER:________________________________________
OCCUPATION:________________________________________
POSITIONHELD:______________________________________
EMAIL ADDRESS:_____________________________________
NEXT OF KIN:___________________________________

All relevant information will be given to you, when you contact me on my
private Email: mike02lee@gmail.com
Treat with utmost confidentiality.
Yours sincerely,
Mr. Mike lee

Comment from Dr Ratings on 2009-10-01

2009-10-01T18:45:19Z

I tried implementing it on my blog, but it was rather complex. I heard that an easier tool is available without the need of a developer.

Comment from furcoo on 2009-11-11

2009-11-11T09:23:05Z

Congratulations to the whole OpenID community.