OpenID Foundation Customer Research CommitteeNovember 11, 2008

• 18 Organizations• 8 OpenID Providers (OPs), 8 Relying Parties (RPs)

Ranking Areas of Interest

Positive Feedback OpenID is viewed positively: open, lightweight, extensible, etc.

OpenID addresses an important market need, OpenID (or something like it) will have broad adoption sooner rather than later

Strong market adoption from net savvy technologists, people with early adopter values, user-generated content websites and small Web 2.0 companies

Market drivers Move to open web, interoperable framework Growing on-line activity levels (research, e-commerce, social networks, etc.) Increasingly web savvy consumers Move to user-centricity, growth of user-generated content

Positive Feedback (cont.) Technology enablers

Acceptance of open source software, software as a service (SaaS) Matured web technologies

Business benefits cited Allow consumer users to move from website to website easily and seamlessly, manage their web

identity in one place, get personalized info in a “trusted” way Provide SSO federation across multiple web properties within a ‘family’ of sites (“internal”) Provide federated SSO with partner sites (“external”) Holy Grail: Consumers will be able to move seamlessly across all sites on the web in an

authenticated session Streamline registration, reduce drop-off rate of potential visitors at registration, increase

conversion rates of site visitors to registered users Reduce customer care costs associated with password maintenance Provide a higher-quality brand experience; get consumers more easily engaged and interacting;

retain them better, longer Learn more about consumer users via “user-centric identity tools” (SREG, AX, OAuth, MySpace

Data Availability, Portable Contacts, etc.) Enable revenue-sharing arrangements between OPs and RPs

Areas for Improvement User Experience

“Over complicated” user experience UI design, sign-on flow, attributes, URL as identifier, inconsistent user experience across OPs and RPs,

reconciliation of multiple user accounts, sign-off, etc. Lack of consumer understanding of OpenID

Data Many large OPs not sending SREG data today, email is most requested field Lack of a flexible international data scheme with ability to adapt it to local customs, business

models, etc.

Business/Legal Not all business managers fully understand the business benefits of OpenID Legal and regulatory frameworks not fully developed Security/Trust/Privacy issues require further development Possible need for some kind of OP certification program

Adoption Few large companies have implemented it broadly yet OpenID supporters and Foundation Board members appear to be more focused on the

technology than the business applications and needs

Initiatives Underway UX

Yahoo, Google, AOL, Microsoft, MySpace, Facebook, JanRain, Vidoop, Plaxo and others met at Yahoo for a user experience (UX) summit to discuss ways to improve the OpenID user experience between OPs and RPs.

Yahoo streamlined their OP login process, Google LSO initiative, JanRain RPX

Data Google is providing verified email via AX, Yahoo and AOL evaluating SREG deployment,

MySpace to provide profile and friends data, Plaxo supporting Portable Contacts

Legal Framework Yahoo and Google are developing templates for legal and business agreements governing

OP/RP interchanges NRI leading on Trusted Data Exchange (TX) extension

Security The PAPE authentication security standards have been officially submitted for public review

and final ratification OIDF Security Committee has been formed, chaired by Tony Nadalin of IBM