OpenID Middlemans

Apparently the invite-only OpenID meetup at Facebook took place tonight. The fact that it was held at Facebook points to a shift taking place in the OpenID world. What’s coming is obvious: somehow retrofit Facebook Connect into OpenID architecture. Repeat after me. Yes, we can.

Facebook Connect can become an OpenID middleman, serving attribute-enriched OpenID to consumer sites that selected Facebook as their OpenID supplier. OpenID middlemans solve two key OpenID usability issues as well as opening up the potential to solve some privacy issues.

The first usability issue the middleman solves is the need to type in an OpenID URL, by replacing the URL input box with a button saying “Signin with OpenID” or a branded version like a Facebook Connect button.

The second usability issue is users forgetting which OpenID they’ve used at an OpenID consumer site. The site can save that in a cookie but that opens up privacy and taste issues, particularly since consumer sites will be less trusted than OpenID supplier services like Facebook and Google.

The middleman can also support anonymous personas for users to minimize privacy issues but, to do so, they’ll have to provide a bridging service between the sites and the real identity to meet the needs of consumer sites.

Who will be the players? Facebook and Google, of course. Throw in MySpace, Yahoo, Microsoft, and AOL as well. I reckon security, payment, and infrastructure companies will come in too, late of course. Now, they are all OpenID providers but, to act as middlemans, they’ll have to also act like OpenID consumers to either pass on third-party OpenID identity or return a proxy identity. IMHO, it’s a very small price to pay since only oddball users will choose to do so.
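One way the anonymous personas and the proxy identity described above could work, as an added sketch that is not part of the original post or any provider's code: the middleman derives a different, unlinkable identifier per consumer site and keeps the only mapping back to the real identity. The class name, the `/persona/` URL layout, the HMAC derivation and all sample URLs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


class PersonaBridge:
    """Hypothetical middleman-side store of per-site proxy identities."""

    def __init__(self, issuer, secret=None):
        self.issuer = issuer.rstrip("/")        # assumed middleman base URL
        self._secret = secret or secrets.token_bytes(32)
        self._reverse = {}                      # proxy id -> (real id, realm)

    @staticmethod
    def _realm(consumer_url):
        # Reduce the consumer site to scheme://host so every page of one site
        # sees the same persona and two sites never share one.
        parts = urlsplit(consumer_url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("consumer URL must be absolute http(s)")
        return f"{parts.scheme}://{parts.hostname.lower()}"

    def proxy_identity(self, real_id, consumer_url):
        # Keyed hash over (site, real identity): without the middleman's
        # secret, sites cannot correlate personas or recover the real id.
        realm = self._realm(consumer_url)
        msg = realm.encode() + b"\x00" + real_id.encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]
        proxy = f"{self.issuer}/persona/{tag}"
        self._reverse[proxy] = (real_id, realm)
        return proxy

    def resolve(self, proxy, consumer_url):
        # The bridging step: only the middleman can map a persona back, and
        # only on behalf of the site the persona was issued to.
        entry = self._reverse.get(proxy)
        if entry is None or entry[1] != self._realm(consumer_url):
            return None
        return entry[0]


if __name__ == "__main__":
    # Constructed sample values, not real accounts or sites.
    bridge = PersonaBridge("https://middleman.example")
    alice = "https://openid.example.net/alice"
    print(bridge.proxy_identity(alice, "https://blog.example.com/post/1"))
    print(bridge.proxy_identity(alice, "https://shop.example.org/"))
```
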

Yes, it’s going to be a party night and, when the dawn comes, small OpenID providers will just fade away like old soldiers, taking the name with them too and leaving behind only big name portals and social networks wrapped in brand names.

Sex and Status: Twitter and Facebook

For the past six months, I’ve been thinking about sex. Not the sweaty kind, you perv — wink wink, nudge nudge — but about perspective differences between sexes and what that means to the Web at large. I am drawn to the differences to identify new business opportunities instead of trying to save the world or make it a better place or anything but I’ll take the bonus points if it’s on the way.

Fred Wilson asked rhetorically Hasn’t It Always Been About Status? in his post about Facebook opening up their status update API more. My answer from the sex-difference perspective is: Yes, for guys, not as much for girls.

I think status updates offer two things:

  • Awareness
  • Presence


Back when we had more hair than brain, awareness had a direct impact on survival, resulting in the need to be aware being carved into our veins. As civilizations advanced, the focus of awareness expanded from elements and beasts to include awareness of what others are doing, moving from dodging predators and bashing skulls to keeping an eye on strangers and smelling whiffs of wars in distant lands.

The twin brother of Need is Fear. Even while drowning in a constant avalanche of information, modern man fears not knowing enough soon enough.


Whether it’s simply brushing shoulders or social status, men feel the need to be acknowledged and, if given a chance, respected. I don’t think it’s pride but more to do with the dog brain part of us, wolfpack mindset.

My current thinking is that men’s need for awareness and presence is far greater than women’s. For women, I think things like order and intimacy are more important, which could mean that:

  • Twitter is more useful to men than women.
  • Facebook has more general appeal.

Right or wrong, I use these kinds of thoughts like I would a bottle-opener and would like the readers to do the same.

Facebook Disconnect

The launch of Facebook Connect is a perfect example of how amazingly forgetful the tech media can be. Despite the regular appearance of phishing-related news, there is no alarm being raised about the glaring phishing vulnerability in Facebook Connect, just the usual armchair-general strategy bravos and hype.

First, there is zero phishing protection in Facebook Connect as it is implemented now. What they need, at the very least, is something like Bank of America’s SiteKey.

Second, the overall security of Facebook Connect sites depends on each and every one of them being secure. Is TechCrunch secure? Maybe. What about others? Is perpetual security audit a requirement for Facebook Connect?

Third, I don’t buy the “there is nothing to phish for in Facebook” argument. Not until Facebook makes all Facebook users, developers, and partner sites aware of the dangers.

Disclaimer: I worked on the technology behind SiteKey while at PassMark, which was acquired later by RSA/EMC and rebranded as Adaptive Authentication (AA). The core of the team that built SiteKey/AA now works at SafePage, a company I co-founded a year ago.