We’ve just posted this week’s episode of The Social Web TV, “On location at Yahoo!” I chat with special guest, Allen Tom, Architect, Yahoo! Membership, about last week’s Y!OS rollout and this week’s historic OpenID/OAuth UX Summit.
And, in case you missed it, I did a guest post on the topic at TechCrunchIT, entitled, Facebook Connect and OpenID Relationship Status: “It’s Complicated”.
Oh, and Dare Obasanjo wrote a response to my post, entitled Some Thoughts on OpenID vs. Facebook Connect
I’m at Yahoo for the OpenID/OAuth UX Summit. The room is packed with 40 or so folks. Companies with representation include Yahoo, Google, Microsoft, Facebook, MySpace, Plaxo, AOL, SixApart, JanRain, Vidoop, Chi.mp, and Magnolia, and projects including Internet2 and DiSo. The Summit is a response to recent usability studies by Yahoo and Google that show the current state-of-affairs with OpenID and OAuth is quite poor, and we need together to find a user experience for the “open stack” that works for consumers.
I’ll be sharing observations over the course of the day.
First up: Facebook’s Julie Zhuo, sharing experience from Facebook Connect. Idea originated in 2006 with the Facebook API. Initial version didn’t have any flow back to Facebook. Clunkiness of UI. One question for the Facebook Connect UI: How much text is really needed? Showing evolution of the UI to address the fundamental question, “What is Facebook Connect?” Final version includes user’s profile photo (if user is logged in), and thumbnails for both Facebook and the site user wants to connect.
Good discussion about what usability revealed, about informed consent and user confusion, and about whether this passes EU privacy laws. (Answer: yes.) Facebook research showed that users had little or no understanding or savvy about phishing and URLs.
By the way, I have to say it — great to see not only is Facebook attending this “open stack” summit, but that they’ve got four people here (including Dave Morin, Josh Elman, and Mike Vernal) and leading the opening session! That’s awesome.
Now talking about the Connect Button. First version had tagline “Bring your friends,” but users didn’t know it was a button. Second version said “Register.” Third version said “Connect” and experimented with the user’s profile photo on the button. Final version is just the Facebook “f” and “Connect” or “Connect with Facebook”.
Discussing logout options: unified, per-site, hybrid. Unified is secure, but unintuitive. Per-site is intuitive, but not necessarily secure. Chose unified out of security. Question for the future, if Facebook Connect takes off, may be strange to log out from one site and be instantly logged out of Facebook and all other Connect sites. A good laugh, as Joseph Smarr suggests a slightly more complex alternative. Julie says, “But then you’d make the user have to think.” Joseph’s aside, “That’s spoken like a true mainstream consumer site.” Incredibly active session. Key takeways slide: streamlined login is important. Explain what is going on. Err on the side of security. Flexibility is important.
Next up: Max Engel of MySpace. “The Hybrid Login: OpenID and OAuth.” MySpace will support OpenID, OAuth, and a hybrid of the two. Will use a pop-up iframe. Allows the user to stay in context. Max is showing screens of the experience they are planning. Every MySpace user has a vanity URL, which will be their OpenID. Still trying to figure out whether to support logging with just “MySpace.com”. Key design elements will be similar to Facebook Connect.
Data types: content, address book, registration, profile, friends, activity. Big laugh as Max shows the original OAuth screen, that has so much fine print that it looks like it was designed by a lawyer! Lots of discussion about whether email address should be passed to the site. Why it matters: not just for communicating, but also to avoid duplicate account problem Plaxo has experienced as an OpenID Relying Party and Yahoo OpenID. Chris Messina advancing the idea of email address as OpenID, something under consideration for OpenID 2.1.
Max revisiting that MySpace Data Availability originally was to have zero cacheability of the data, which was not going to fly with anyone. Now planning a “portable profile” plus some cacheable MySpace-specific data. Allen Tom of Yahoo raises the point that the “cacheable” data is all on public pages already, so why not just mark it up with microformats and remove the caching restriction. “If Relying Parties don’t get the data they need, OpenID only creates complexity.” Max just mentioned Portable Contacts in his presentation. Drink!
So many tough questions about complexity and confusion vs. simplicity but lack of clear, informed consent. Good discussion about whether participating sites can use the profile data they pull in to do targeting (including ad targeting). Facebook team says that they allow the site to use the data for targeting on the site, but not to redistribute the data (to an ad network, for example). Makes sense.
Max says that the sell to major websites is much stronger for combination of OpenID, OAuth, XRDS-Simple, Portable Contacts, and OpenSocial. Question from the back of the room, “What do you call all of that?” Answer popping up from Max, Joseph, Chris Messina, and me, “The ‘Open Stack’!”
Rising chorus for coming together to develop a common UI spec for OpenID. A call for five volunteers. Hands raised include Chris Messina (Vidoop), Joseph Smarr (Plaxo), Eric Sachs (Google), Max Engel (MySpace), and, drumroll, Julie Zhuo (Facebook). That’s great!
LUNCH BREAK
Next up: Allen Tom of Yahoo. Over 300 million users have an OpenID from Yahoo. Question shouted, “How many have used it?” Answer: “It has exceeded our expectations.” 😉 But, yes, we’re all here because we know we need to improve the user exerience.
Launched BBAuth in 2006. Showing “Find Friends” on Facebook and LinkedIn, using BBAuth. BBAuth and OAuth is to grant long-lived credentials to third-party sites. “Cannot allow weaker credentials to be used to mint stronger credentials.” Talking about various security considerations. Login screen must never be framed. Anti-phishing sign-in seal must always be displayed.
Allen now showing the “scary screen” which users are shown to approve access via BBAuth. *Lots* of small print legaleze. “Based on the feedback on BBAuth, we changed our approach on OAuth, which is what we’ll be using going forward.” Now, been spending a lot of time looking at and talking through the OAuth permissions screen.
Allen now showing and talking about Yahoo’s implementation of OpenID. It is *much* improved over the version they went out the door with (shrinking 14 steps to two). Allen shares that “machine-generated” OpenID URLs have proven *way* more popular than user-selected. Surprised reactions.
Talking now about Plaxo’s experience as an OpenID Relying Party. The business rationale, the philosophical view, and the admission that OpenID experience is not yet today a clear net positive to the key metrics. But Plaxo remains optimistic that the situation can improve dramatically with what’s being discussed here today.
Next up, Magnolia’s Larry Halfft. They’ve used OpenID as a key part of their strategy to reduce spam accounts and have been generally pleased with the results.
Now, Eric Sachs of Google, who just showed what I think is the first public demo of Google as an OpenID Provider. Giving context: SaaS vendors get asked to be a SAML RP for enterprise IDPs. In parallel, Google Checkout folks had questions/issues with login. Giving examples of login on Buy.com and Amazon.com, as an inspiration for a new/better? login experience for OpenID/OAuth. Now the challenge of desktop apps and OAuth. Seems like “No, help me sign in” is the key verbiage of this new “LSO” login model Eric is advocating. Now Google Accounts vs. accounts for Google AppsForYourDomain. Downside to this LSO login approach is that it does not work well for IDPs who are not email providers.
Lots of good-natured joking as we try to do a demo, that requires a Windows computer with .Net and IE as the default browser. Not easy to find in this crowd!
It’s 3:00pm. We’ve now finished the formal agenda and are discussing how folks would like to organize the last two hours.
It’s almost 4:00pm. Joseph Smarr of Plaxo is demoing the “Open Stack” end-to-end stuff that was developed by JanRain for the Portable Contacts Summit. OpenID, OAuth, XRDS-Simple, and Portable Contacts working together to enable simple and secure sign-up with access to user’s profile and address book. Good discussion underway. Joseph now explaining XRDS-Simple and answering a lot of questions.
Chris Messina now leading a discussion about the proposal to extend the OpenID spec to allow email addresses as OpenIDs. Mike Jones of Microsoft asserts this creates a major security vulnerability. Discussion underway.
Some discussion of how to handle if the Provider site is down. Mike Vernal of Facebook responding to that question vis-a-vis Facebook Connect. Good response.
5:15. That’s a wrap. What a great day. The UX working group got a bit larger at the end, which is good. Eager to see what they come up with!
The latest episode of The Social Web TV has just been released, hosted by Chris Messina and me, and with special guest Clay Loveless, Mashery’s chief architect. Mashery is the company powering new APIs from the New York Times, Netflix, Best Buy, and MTV, among others. The fact that a company can make a good business out of building and supporting APIs for mainstream companies is another good sign that the Social Web is opening up, big time.
Head on over to The Social Web TV to watch and get the supporting links, or click on the embed below:
Congratulations to the team at Yahoo! Today, they rolled out the first phase of Y!OS, the bold strategy to transform the Internet’s top destination into a social hub that richly interacts with the web at large. Great coverage at TechCrunch and CNET. I won’t wade in with a product review just yet, as I haven’t had a chance to deeply interact with all the new features or trick out my profile. I will try to give a little bit of context to this historic moment, one that Yahoo marked with a gigantic banner decked out with logos of the most important open building blocks, including OpenSocial, OpenID, and OAuth. Alas, we haven’t yet picked a logo for Portable Contacts. ;^(
What we’re seeing here is a major proof point that we are, as I have predicted, about to ride one of Silicon Valley’s “big waves” — those major disruptive changes that open not just new markets, but whole new business ecosystems. Those wave come once every 15 years or so (PCs in the late ’70’s and the Web in ’93, exactly 15 years ago). This big wave is the “Social Web,” and it will change the Internet as we know it, bringing the missing “people layer” to everything. And we’re all building it on a common “open stack”:
The Open Stack was a major topic of discussion at FOWA in London last week, with sessions and talks on it by David Recordon and Chris Messina, and a pointed question about why Facebook has not embraced it directed to Mark Zuckerberg in the “fireside chat.’
For a good overview of Y!OS, check out Cody Simms of Yahoo as a special guest recently on The Social Web TV:
And don’t miss Dare Obasanjo’s “The New Yahoo! Profile and Doing Data Portability the Right Way.”
Oh, yeah, and one last pic. Joseph Smarr and I were so proud and excited to see this day, that we had to dash over and take our picture with the gigantic “open” banner!
Must watch TV. Chris Messina at FOWA (Future of Web Apps) in London. “How Oauth and Portable Data can revolutionize your web app.” Good overview of much of the open stack, including OpenID, OAuth, XRDS-simple, and Portable Contacts. Check it out.
Update: I have *no* idea what is going on, but the FOWA team has screwed with all the URLs. I’m still looking for the link to Chris’s talk. If you find it, please comment it up. Apologies in the meantime.
This week, influential blogger (and Microsoft employee) Dare Obasanjo kicked up a little controversy with a post he did on Portable Contacts, entitled The Portable Contacts API: Killing the Password Anti-Pattern Once and For All. It is a largely positive piece, making the case for why Portable Contacts makes sense:
The…problem…is that each site that provides an address book or social graph API is reinventing the wheel both with regards to the delegated auth model they implement and the actual API for retrieving a user’s contacts. This means that social networking sites that want to implement a contact import feature have to support a different API and delegated authorization model for each service they want to talk to even though each API and delegated auth model effectively does the same thing.
However, the piece closes with a critique of the process by which Portable Contacts and other open-spec building block are coming into existence:
If anything, I’m concerned by the growing number of interdependent specs that seem poised to have a significant impact on the Web and yet are being defined outside of formal standards bodies in closed processes funded by big companies. For example, about half of the references in the Portable Contacts API specs are to IETF RFCs while the other half are to specs primarily authored by Google and Yahoo! employees outside of any standards body (OpenSocial, OAuth, OpenSearch, XRDS-Simple, etc).
The Gillmor Gang responded by having Chris Messina, one of the key players in the open-spec movement, on as a special guest.
Not surprisingly, we waded in, too, on our weekly show, The Social Web TV. We brought on special guest, Kaliya Hamlin, a.k.a. “Identity Woman,” a facilitator of the open process and key events, like the upcoming Internet Identity Workshop. In the episode, we make sure to point out the positive involvement of Microsoft in the open process to develop the Portable Contacts API. Check it out:
In this week’s episode of The Social Web TV, we discuss the new Netflix API with Michael Hart, director of community engineering for Netflix. If you’re interested in this topic, you should also check out Joseph Smarr’s “Step-by-Step Guide to Using the Netflix API“. This is all part of an important trend of mainstream sites opening up via APIs, and we discuss Mashery a bit, a company that’s making a business out of helping sites roll out APIs.
Yesterday, I learned in a piece by Marshall Kirkpatrick at ReadWriteWeb that Netflix would be opening up an API today. According to Marshall:
the API will allow access to data for 100,000 movie and TV episode titles on DVD as well as Netflix account access on a user’s behalf.
So I checked this morning, and indeed the company has taken the password restriction off of a new Netflix Developer Network site.
This is a great move for Netflix, and it fits in a broader “opening up” trend, in which sites of all sites are making social mashups a central part of their strategies for growth. The Netflix API and site were developed by Mashery, a company that has been making some great moves lately. As covered by Brad Stone of the New York Times, Mashery was also behind the recently launched APIs for Best Buy and for MTV. Great to see the new API uses OAuth for secure access to the data!
Here’s the official blogpost from Netflix. It includes this great section on why they did it:
Why are we doing this? Because we have limited resources and we can only work on so many items at once. We hope that by opening up our APIs we will enable the creative desires of other developers to make a variety of wonderful applications. We expect to see different movie finding approaches, queue management tools, mobile phone applications, social network applications, the integration of Netflix information and capabilities into a variety of other applications, and more. And that, in the end, will further delight our members and other movie watchers in their quest to find and watch movies they’ll love.
Chatting with my colleague and co-host, Joseph Smarr, Plaxo’s chief platform architect, I asked him for his thoughts on the new API. He said, “This is a truly awesome API release. It shows that Netflix is genuinely committed to giving their users full control over their data, and doing it with open standards like OAuth and a familiar REST interface with JSON and ATOM output. Developers couldn’t ask for more, and I’m sure we’ll see incredible uses of this API popping up very soon. We’ll certainly be using it at Plaxo!”
The tech landscape is changing more rapidly now than at any time since this crazy Web thing came along in about 1994. The walled garden model has been under attack for much of the past year, and all of a sudden, the walls are crumbling. And not just for traditional social networks, like Facebook and MySpace, who are transforming themselves into hubs that help their users interact with the rest of the web through initiatives like Facebook Connect (see great piece just posted by Jesse Stay on allfacebook on developing for Facebook Connect) and MySpace Data Availability. The walls are crumbling for the traditional Internet portals, as well, as seen in Yahoo’s big opening up via Y!OS, and now also for the mobile phone space, via the entry first of Apple, and more significantly, Google, with its open source mobile OS, Android and its completely open developer program and app market.
My co-stars were not available this week, but with so much going on, the show had to go on! I cover Facebook Connect spotted in the wild, Google’s Android launch, and a visualization of the “new open stack.” Check it out:
Joseph Smarr, Plaxo’s chief platform architect, and de facto leader of the Portable Contacts initiative, gave a talk today at the Web 2.0 conference in New York. Entitled “Tying it all together; Implementing the Open Web,” it was a rallying cry for developers to jump in and get working on the new “open stack” of OpenID, OAuth, OpenSocial, XRDS-Simple, and Portable Contacts. See converage from attendees Kris Jordan and Steve Kuhn (who quips about Joseph, “Dude talks fast”)!
Joseph asserted that the industry has now come together around a common vision for the future of the Social Web — a vision that abandons the walled garden model in favor of a new services layer that interconnects social hubs with the rest of the web. The service layer is comprised of Identity Providers, Social Graph Providers, and Content Aggregators:
And, indeed, that is the vision behind the strategies we see from Google (with Friend Connect; which launched for real today), Plaxo (with Pulse), MySpace (with Data Availability), Yahoo (with Y!OS), and, yes, even Facebook, too (with Connect).
Joseph goes on to observe that there are two pathways to that vision, one built on Facebook’s proprietary stack and the pathway chosen by MySpace, Google, Yahoo, Plaxo, and many others, built on the new open stack:
The Real McCrea 