We had a discussion on the subject with Chris Messina, Google’s Open Web advocate. Messina was there when the plan was revealed, and is rather knowledgeable in the subject of online identity (besides working for Google, he’s on the board of the OpenID Foundation, and has worked with Mozilla to produce a concept on implementing identity in the browser called "The Social Agent") , which is why we felt he would be a good person to share his views on the strategy.   

"As it stands, I can see why people are angry or confused, but, while vague, the NSTIC isn’t as bad as people seem to think — the fact that it’s being run out of commerce means that the government is looking for innovation and competition — not to own these identities," Messina tells WebProNews. "Of course I can’t say what this means about surveillance and security, but anyone who uses a cell phone or hosted email should already understand that they’re susceptible to government wiretaps and data seizure — oftentimes without needing to be informed (Twitter is the rare exception recently). Anyway — if you can pick an identity provider that’s certified to meet certain criteria and that you also trust — that seems win-win to me."

What the government has suggested appears to be the use of platforms like OpenID. " We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials," said Cybersecurity Coordinator and Special Assistant to President Obama, Howard A. Schmidt, upon the announcement of the plan. "For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge."

"The government’s NSTIC plan is designed to promote OpenID and other existing (and not-even-invented) initiatives," explains Messina. "In fact, the NSTIC was written with input from many of these groups including the OpenID Foundation. It went through an open comment period as well — so it’s not as if many of these concerns weren’t raised before. Since the final draft of the NSTIC hasn’t been released yet, I expect many of them will be reflected in the final draft."

"The NSTIC calls explicitly for the creation of an ‘identity ecosystem’ — fancy words for saying ‘we don’t want a system where there’s only one identity provider’ (least of all the government!),’ Messina continues. "Now, one of the challenges with creating an ‘ecosystem’ is that you end up with potentially non-interoperable solutions, leading to consumer confusion and frustration (think: ‘Sorry, we don’t accept American Express here’). So while the government intends to rely on private industry to develop the technologies and protocols — such as OpenID — that will enable this ecosystem, I believe that the government has a role in placing pressure on the industry to eventually select a set of standards we can all live with."

"I, for one, would prefer to avoid a government-developed identity standard at a time when industry is rapidly innovating in this space and wants to solve this problem as much as — if not more than — government does," he adds. "But I also know that there are a lot of vested interests that would love to have their pet protocol selected as the gold standard here (pun intended) and that’s going to require leadership, persistence, and an open process so that the best solution(s) to the problem eventually shake out from several years of competition and experimentation."

A common concern expressed by the public has been along the lines of: a single username and password for all sites is a bad idea, and is not secure, compared to having many usernames and passwords.

"The user’s concern is valid," says Messina. "One username and password for everything is actually very bad ‘security hygiene’, especially as you replay the same credentials across many different applications and contexts (your mobile phone, your computer, that seemingly harmless iMac at the Apple store, etc). However, nothing in NSTIC advocates for a particular solution to the identity challenge — least of all supporting or advocating for a single username and password per person."

"In reality, different applications requiring different levels of security, and different behaviors require different kinds of protections," he says. "As Howard A. Schmidt pointed out, for many people, you don’t necessarily want to use the same password that you use for Facebook that you do for your bank. For someone like me, however, where my social media presence is both very important and valuable to me, I want to protect all of my accounts — financial and social networking — equally. So there’s no one-size-fits-all solution, but that’s closer to the reality today — where I as a user often DON’T have a choice about how strong the security deployed to protect my accounts is — versus the future, where we’ll have an ecosystem of identity providers all offering different kinds of protections."

"To restate this point: when I sign up for an account today, why can’t I choose to login in everywhere with my Google account and then rely on Google’s anti-fraud and second factor authentication features to protect my account? Or, if I’d prefer to use someone other than Google, why can’t I use them instead, and rely on, say, their biometric security features?"

"Until a competitive marketplace and proper standards are adopted across industry, we actually continue to have fewer options in terms of how we secure our accounts than more," he says. "And that means that the majority of Americans will continue using the same set of credentials over and over again, increasing their risk and exposure to possible leaks (see: Gawker)."

In the comments section of our previous article, one reader asked who would be responsible "WHEN (not if)" the systems proposed get hacked. 

"Going back to my previous point, if we truly arrive at a user-centric ecosystem, then the party that you choose to represent you as your identity provider will be responsible should anything happen to your account," says Messina. "And I hope that people actually choose their identity provider carefully, and based on the steps that they take to secure your account and keep it safe."

"A user-centric model demands that users be in charge of selecting their identity provider, and that this free choice creates a competitive marketplace where identity providers compete for customers," he adds. "If one provider has lax security or onerous identity proofing requirements, the market will ideally reflect that situation by rewarding or punishing them economically, leading to user-positive improvements. Some of this does depend on users having some understanding of what’s at stake when it comes to their online identities and profiles, but just as people safeguard their cell phones today, I think people will feel similarly protective of their online accounts in the future (if they don’t already) and will look for ways to keep those accounts safe and secure."

As we reported before, there doesn’t appear to be anything in the NSTIC indicating that people will be required to use ID systems spawned by the initiative – a point that some people may have overlooked.  

"The last thing that I’ll add — which itself is controversial — is that this whole system, at least at the outset, will be voluntary and opt-in," Messina says. "That means that if you don’t want the convenience of not having to use passwords anymore, you won’t have to. If you’re okay rotating your passwords and maintaining numerous discreet accounts across the web, that’s cool too. I don’t think a mandatory system would succeed — at least not without proving its security, stability, convenience, and utility over several years."

"Furthermore, the fact that this initiative is being run out of the Commerce Department, which has an interest in stimulating growth, business, and innovation, means that we hopefully won’t end up with a set of technologies designed only by security wonks that are completely unusable by regular folks, but that the market will see the exploration of a number of different competitive solutions, and from them, a few will stand out as leading the way forward."

"I am hopeful that NSTIC, at the very least, is raising these issues at a critical time on the web — where the future of competition for who owns your identity online is in question," Messina concludes. "My hope is that we arrive at a place where people have a choice, and they can go it alone as steadfast libertarians might prefer, or they can choose to get some assistance from the Googles and Facebooks of the web in dealing with this increasingly important issue."

Speaking of Facebook, any system – existing or spawned from NSTIC – will have a hell of a time competing with Facebook for "owning" users’ online IDs. Facebook has nearly 600 million users worldwide, according to recent estimates, and has a pretty big competitive advantage with its Open Graph and Facebook Log-in features already implanted firmly across many sites around the web.

Comments welcome. 

"This feature will allow people to sign up for new Flickr accounts by using an existing Web account via OpenID, starting initially with Google as the first partner service.  Google users will be able to register by linking their accounts with Flickr and then will be able to use their Google ID every time they log-in to their Flickr account," a Flickr representative explained in an email to WebProNews.

And that’s plenty interesting.  Plenty smart, too, since it could convince a few more people to start playing with the site.  But there’s one other aspect of this development worth noting.

The representative added, "In 2008, Yahoo! became the largest provider of OpenIDs in the world when 100s of millions of Yahoo! users were first given the ability to use their trusted Yahoo! ID to log in to any site on the Web that accepted OpenIDs.  Now, with today’s announcement Yahoo! is for the first time becoming a ‘relying party’ . . ."

So it looks like Flickr and Yahoo are being accommodating in more ways than one.

Additional sign-in tweaks and improvements are supposed to be on the way, as well.

Google says that "a much larger number of people" complete the email verification process when OpenID is used. 

"Some websites use the OpenID standard so that users don’t even need to type a password to sign in," says Tzvika Barenholz of Google’s Internet Identity Team. "While Google does not yet support the usage of OpenID for replacing passwords on its own sites, we are involved in the OpenID community’s efforts to research how to best implement that type of support."

When a Yahoo users signs up, they will see the following page, and when they click the verification button, they will get the page under that from Yahoo. 

"Other websites that need to verify a user’s email address can also implement this technique using Yahoo!’s OpenID API," says Barenholz. "In addition, it can be used to verify the addresses of Gmail and Google Apps users because those email systems expose the necessary APIs for OpenID. For example, Plaxo is one of the many websites that takes advantage of this feature of Gmail and Yahoo! Mail."

Google is currently only offering the OpenID feature for Yahoo users, but it intends to expand support to other services.

"There are a couple different ways to look at this as a website owner," he told us. "If you already use a sharing service like AddToAny, ShareThis, or AddThis, you might not notice much difference. However, OExchange makes it easier for those service providers to support less well-known sharing services. As such, that means that site owners may see a boost in attention from a wider audience than before."

He said that "because this may give rise to a long-tail of sharing providers, it’s possible that content will be shared across a wider and more diverse audience than before."

OExchange is just one of handful of open protocols that are being harnessed to smooth out the social web, and make for a more seamless user experience from site to site. Others include OpenID, OAuth, Webfinger, ActivityStrea.ms, PubsubHubbub, and Salmon.

Google is playing a large role in the advocacy of of these open protocols. Google Buzz, for example, places a great deal of emphasis on the kind of openness they provide, and the kind of openness that is frankly lacking from the much more popular (at least in terms of user count) "Open" graph of Facebook – by far, the largest social network.

At Google I/O last month, WebProNews spoke with Joseph Smarr of Google’s technical staff about various open protocols and how they can help websites. He does a pretty good job of putting it into terms the non-techie can probably understand:

More WebProNews Videos

"If you’re a webmaster and you’ve got a new site and you want people to check it out, you want to limit that friction as much as possible, right? You want to make it super easy for people to come and find out about who you are," says Smarr.

"It’s going to be better for you, and it’s going to be better for you users, who are going to have a much more convenient time," he says.

Smarr also makes an interesting point about the web in general. "The web started with the right open standards. You know, HTML and HTTP, and then anybody could just stand up a new webserver, and anybody could link to it, and that’s what allowed that incredible innovation to happen. So we basically want to get that same set of building blocks right on the social web…"

As Messina told us upon the launch of OExchange, "the benefits of any open protocol or technology really only offers dividends when it becomes widely adopted by many providers."

We also have an interview from Google I/O with Messina we will be posting on our Video Blog before long.

"This is the first iteration of the implementation," a Facebook spokesperson tells WebProNews. "To start, new users can now register for Facebook with their Gmail accounts, and existing users can link their Facebook accounts with any OpenID provider to connect with friends and eliminate the need for multiple sign-ins."

Once a user links their account with a Gmail address or an OpenID URL, logs in to that account, then goes to Facebook, that user will already be logged in to Facebook.

Back in February Facebook joined the OpenID Foundation Board. The company also hosted the OpenID User Experience Summit around that time. At the event, they had product managers, user experience designers, and social web experts from companies like Google, Yahoo, MySpace, Plaxo, and SixApart.

A the summit, they shared lessons learned from developing the Facebook Connect authentication system. "We’re also concerned with account security," says Luke Shepard at the Facebook Developer Blog. "Again, we shared our experience developing Facebook Connect, where we eventually came up with a design that ensures that users would know that they were providing their login credentials to Facebook, and not some unscrupulous site."

Facebook says that according to tests it has run, first-time users who register for Facebook using OpenID are more likely to become active Facebook users. The company says more OpenID providers will be integrated into the registration and account linking process.

Google says since adding its Following feature on Blogger, it has been used by almost three million blogs, which breaks down to someone following a new blog every second.

The Google Social Web Blog provides more information." By building on Friend Connect technology, the Following feature can now tap into an open ecosystem. Visitors will be able to follow a blog using their Google, Yahoo, AIM, or OpenID account, just as they can on any other site with Friend Connect."

"These blogs will be listed in their profile alongside other sites they’ve joined. And it also leverages existing friend relationships, meaning they’ll be able to quickly see if their friends also follow the blog."

Blogs that are currently using the Following feature don’t have to do anything as they have been automatically migrated to Friend Connect.  Google says it plans to introduce an easy way to add OpenSocial gadgets via Blogger along with the integration of commenting features in the future.
 

"If you’ve already tried out our recently launched commenting service via TypePad Connect, you know that we built in very basic support for OpenID sign in from the start," explains Six Apart’s David Recordon. "We did this because we know that just as the future of traditional media wasn’t a small group of large publishers controlling all of the news, the future of the social web isn’t a small group of large social networks controlling everyone’s identity. Today we’ve made it even easier for anyone to sign in, leave a comment, and have a TypePad Profile (see mine) without having to know their OpenID URL or even what OpenID is."

Basically what this means, is that anytime you read a blog post on any blog (that supports Typepad Connect-powered comments), you can leave a comment using your identity from an account you already have. This is just one way the web is becoming more unified among varying services, and you can expect to see a lot more of this kind of thing in the future.

Recordon says that now any bloggers that are using Typepad Connect powered comments have over half a billion people who can sign in and comment instead of being anonymous. This could significantly reduce the amount of anonymity in the Blogosphere. Not entirely of course, but for all of the people who don’t want to take the time to sign up for an account just to leave a comment will be able to easily make themselves known in another way. This should be good news for people who like to utilize blog comments to increase brand exposure.

Flock worked with MySpace and Vidoop to develop OpenID in the browser. Flock says that it now offers the most comprehensive discovery and management capabilities for OpenID currently available.

OpenID for Flock is now available to all Flock 2.0 users as an alpha extension. It’s available for download at https://extensions.flock.com and http://vidoop.com/labs/.

"We are three companies dedicated to helping people better share their content and experiences online, and we saw an opportunity to collaborate to quickly create a way for users to more easily manage their online identity," said Max Engel, product lead for the MySpace Data Availability Platform. 

"Our goal was to eliminate some of the work involved in jumping between social experiences on the Web. The extension we jointly developed will give the community an easier way to seamlessly carry their identity and preferences in their browser."

OpenID for Flock senses when a user visits a site that will accept an OpenID login. Users are able to choose which of their OpenIDs they want to login for each site and view the login history.

MySpace’s role in working with Flock to develop OpenID is part of its strategy to compete with rival social network Facebook, which recently launched Facebook Connect that allows users to sign into accounts on a variety of partner sites with Facebook Ids.
 

IDIB OpenID for Flock from phatbuddhaz on Vimeo.

The main idea, as explained by Erich Sachs on the Google Code Blog: "Websites can now allow Google Account users to login to their website by using the OpenID protocol."  Plaxo and Zoho are two of the first sites to do so.

Unfortunately, like Yahoo (and more than a couple of other companies) before it, Google hasn’t become what OpenID organizers call a relying party.  This means that the idea of a universal login becomes more of a one-way street, with Google not acknowledging OpenIDs created elsewhere on the Web.

Admittedly, this roadblock keeps the security problems from getting too big.  But that’s more of a positive side effect than any sort of goal.

Google may get around to addressing this issue, anyway.  The blog post states, "We hope the continued evolution of both the technical features of OpenID, as well as the improvements in user experience . . . will lead to a solution that can be widely deployed for federated login."

First off, if you’re unfamiliar with OpenID, it’s basically a service that lets you create a user name and password that can be used all across the Internet at participating sites (view OpenID’s directory of sites here). Providers include Yahoo, AOL, BBC, Google, IBM, Microsoft, MySpace, Orange, VeriSign. Yahoo’s service allows you to use your Yahoo! ID and password at other sites.

Yahoo conducted a usability study of Yahoo OpenID, in which several "experienced Yahoo Users" (representative of Yahoo’s mainstream audience) tried to use the service to sign into a product review site. The biggest problem that Yahoo found from this usability test was just that – usability.

Apart from never hearing of OpenID before, none of the participants even noticed the sign-in box. Allen explains:

Eventually, we coached the test subjects to use the site’s OpenID Selector, and they still had some problems with the selector’s Yahoo! option. In most cases, the users were confused by the "http://yahoo.com" autofilled in the OpenID sign-in box, and continued to look for for a form in which to enter their Yahoo ID and password…

After a bit more coaching, the users managed to get to the Yahoo! OP where a lot of them got lost. (OP is jargon for an openID provider.) First time Yahoo OpenID users must navigate through a few screens, where they have to solve a CAPTCHA, and agree to a TOS. They are given opportunities to learn more about OpenID, set up a custom OpenID identifier, set up an anti-phishing sign-in seal for their Yahoo login screen, or view a directory of OpenID RPs. ((RP is jargon for relying party.) In many cases, users were overwhelmed by all these options, and failed to return to the RP because they were sidetracked.

After even more coaching and filling out a registration form, users eventually got to where they needed to be. Clearly usability is a problem when so much coaching is required. In the real world, users are not going to have Yahoo employees guiding them along, and are very likely to just give up on OpenID, based on the annoying user-experience.

"The key takeaway here is probably that even if OpenID is ready for the mainstream, the mainstream doesn’t seem to be ready for OpenID," says Josh Catone at Sitepoint. "It could definitely benefit from being simplified (in terms of both signing up and signing in), but the main thing that needs to happen for average users to begin to adopt OpenID is that it needs to be pitched in a completely different way."

That’s probably one thing, but it sounds like some kinks could be worked out as well. Yahoo OpenID is still in beta, so there’s time for that. Perhaps once it graduates from that stage, it will be better pitched.