Using email as OpenID

August 22, 2008

One of the most common comments/questions I get while talking about data portability is ‘The OpenID User Experience sucks – how do we make it more user friendly?’.

The problem is twofold. First, users do not understand why they need to provide a URI to log in. Second, users get confused by bouncing around to a 3rd party site.

I’ve given a lot of thought to this problem.

The only answer I’ve had so far is that while the OpenID user experience is difficult to explain to users who expect an email address and password log in, the data portability value proposition may help justify the added cognitive load for users and vendors.

It’s probably true – but it’s not a good enough answer.

More recently I’ve been thinking about another potential solution.

I believe the 3rd party site bounce is actually becoming commonplace. Passport, Facebook and Google use it and, as such, users are becoming more comfortable with it.

The question of using a URI as a ‘username’ however, is a more difficult pattern to explain to users at a login screen.

Mapping email addresses to OpenIDs

The purists among us will argue that identity should not be tied to messaging. That is, uniquely identifying people by email address is a bad idea. It encourages spam and other unhealthy activity.

Putting that aside for a moment, however, imagine this.

Rather than asking for a user’s OpenID, ask them for their email address:

chris.saad@gmail.com

Now imagine the application refactoring the address on the fly to something like this:

http://gmail.com/chris.saad

The point here is that we take everything before the @ and place it after the domain, following a slash. Remove the @, put http:// at the start, and you end up with a well-formed URI.

Now imagine that Gmail provided OpenID functionality for each email account in this way.

There are a number of challenges to pulling this off, not the least of which are getting major email providers to support OpenID and getting existing OpenID consumers to refactor email addresses (if provided) on the fly.

It’s certainly worth thinking about though.
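The rewrite rule described above, as an added example (not code from this post or from any OpenID library). It goes beyond the post's single case by accepting a per-domain template in the `$1` style raised in the comments; `TEMPLATES`, `email_to_openid`, `try_map` and the `example.org` entry are assumptions made for illustration, and the output is only a candidate identifier that still has to pass normal OpenID discovery and verification.

```python
import re
from urllib.parse import quote

# Constructed per-domain templates in the "$1" style; unlisted domains
# fall back to the post's http://domain/local-part rule.
TEMPLATES = {"example.org": "http://openid.example.org/$1"}

LOCAL_RE = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}")
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def email_to_openid(address, templates=TEMPLATES):
    """Map user@domain to a candidate OpenID URL, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or "@" in local:
        raise ValueError("expected exactly one @")
    domain = domain.lower().rstrip(".")
    if (not LOCAL_RE.fullmatch(local) or ".." in local
            or local.startswith(".") or local.endswith(".")):
        raise ValueError("unsupported local part")
    # A strict hostname check keeps ports, paths and userinfo out of the authority.
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError("unsupported domain")
    # Percent-encode the local part so "/", "?" or "#" (all legal in an
    # address) stay inside one path segment of the resulting URL.
    segment = quote(local, safe="")
    template = templates.get(domain, "http://" + domain + "/$1")
    return template.replace("$1", segment)


def try_map(address):
    """Return the mapped URL, or None when the address is rejected."""
    try:
        return email_to_openid(address)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs, apart from the post's own example address.
    for sample in ("chris.saad@gmail.com", "user@example.org",
                   "a/b?c@example.com", "x@evil.example/path", "a@b@example.com"):
        print(sample, "->", try_map(sample))
```

Because the domain typed by the user becomes the authority of the resulting URL, the relying party is trusting that domain to vouch for the identity, exactly as it would for any other OpenID URL.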

23 Responses to “Using email as OpenID”

  1. vrypan Says:

    There may be many occasions where the transformation won’t be possible. Why not have each domain describe the transformation by itself using the same or similar mechanisms used to delegate OpenID (http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication)?

    Then an email provider, like gmail.com, could describe the transformation as http://gmail.com/$1 or http://openid.google.com/$1 or whatever.

    A bit more complicated, but the extra complexity is hidden from users, only admins and developers have to deal with it.

  2. vrypan Says:

    Sorry, consider “1” (in the links above) as a regex match of the email part before “@”.


  3. Part of me wants to say that it’s only a matter of time before the current implementations of OpenID become familiar to the user. But. I also understand why you’re trying to come up with an alternate.

    I like the email refactoring idea. I especially like vrypan’s extension because I don’t like the idea of mapping out to gmail.com/user.name

  4. Kevin Marks Says:

    With OpenID 2.0, you can just use the top-level domain of the OpenID Provider, and then enter your site login on the OP site. The RP gets a unique user URL returned as part of the protocol exchange. Have a look at how Friend Connect handles Yahoo and AOL login for an example of this – try the example sites, or my blog to see the flow.

  5. Pfefferle Says:

    What about “Email Address to URL Translation” (http://eaut.org/) and “Email to ID” (http://emailtoid.net/)?

  6. Chris Saad Says:

    True Kevin – but putting in a URL, Username AND Password is not helpful.

    I’d rather the user only input two pieces of information. Email address -> Submit -> Password -> Done.


  7. This is a brilliant idea because it’s simple and easier for the user. I’m in tech and even I pause when using my OpenID.

    The id wouldn’t need to be a valid email address. My verisign OpenID, swhitley.pip.verisignlabs.com, could become swhitley@pip.verisignlabs.com. It’s a small change, but it makes the id seem much more comfortable and familiar.


  8. […] Saad suggested on his blog: “using email as OpenID” (published 22 Aug 2008). That’s a really good […]


  9. As Pfefferle said, we’ve already implemented this solution (called EAUT) and have developed a specification that email providers can implement in order to provide OpenIDs for their members. It takes advantage of directed identity in OpenID 2.0 and XRDS-Simple:

    http://eaut.org/specs/1.0/

    We have a mapper currently up at emailtoid.net. Take a look and let us know what you think.

    I also blogged about this in June:

    http://factoryjoe.com/blog/2008/06/22/announcing-emailtoid-mapping-email-addresses-to-openids/
    😉

  10. Chris Saad Says:

    Excellent Chris – has this been implemented anywhere? What’s holding it up do you think?


  11. Damn good that people are thinking down this path because it’s a pain in the backside to continually have to come up with IDs for every new site you sign up to.

    I have a clickpass account and it helps but I wish more people would start using OpenID!

    My other issue is I hate signing up to every new 2.0 site and leaving credentials in their care. They may not exist next week, what happens to all my info? It would be nice if there was a PayPal equivalent and you didn’t have to enter your identity all the time but these sites just intrinsically trust the identifier.

  12. Luke Sontag Says:

    Very much agree that OpenID has usability issues that must be refined before it’s ready for mom. In line with that we’ve spun up labs.vidoop.com as a place to outline some of our thinking and deliver code to the community.

    As Chris M. mentioned EAUT and emailtoid.net are two projects from that group. Identity in the Browser (IDIB) is another that helps to solve the usability and security problems. It’s “tech preview” at this stage, but hopefully it gives folks something to think about.

    Watch for more soon.

    Cheers,

    -Luke

    labs.vidoop.com


  13. I’d also add that Ma.gnolia currently supports EAUT — which should be part of its M2 open source offering.


  14. It would be nice to see in the specs a forced hostname…

    like..

    chris.saad@ANYTHING.com
    becomes
    http://eaut.anything.com/chris.saad

    or putting the name of the eaut server in the dns record like spf does

    I don’t like how the OpenID delegation can turn into a circle of searching. I’d like to do one search at most.


  15. […] the password box they’re used to. Using email addresses in place of URIs for OpenID is something Chris Saad talked about in […]


  16. […] for OpenID is something Chris Saad talked about in […]


  17. […] here is an interesting post about using email addresses as OpenID. When this happens, it might help bring in the […]


  18. […] though, we should be able to use our own/personal email address and have it resolve to an OpenID for true, federated and open addressable […]


  19. […] – webfinger. Google adopted it. At first I was confused and thought they were talking about the service, but in the end they mean the protocol. Interesting. I am glad there is also discussion about the possibility of a DNS lookup - quite possibly I could even claim paternity of that particular idea… […]


  20. It’s not actually my practice to post comments, but I thought I would say that this was really cool.
    I just wanted to drop you a comment to say keep up the good work.


  21. Hi There
    My bro read a few of your other posts and wanted to know if you would be interested in exchanging blogroll links?
    Cu Soon

  22. Snat Says:

    Random comment after a few years has passed, but how is the OpenID scene these days and is there any news on OpenID adapting to the use of emails for logins?

