OpenID, Facebook Connect, and the Neglected CardSpace
As a developer of GroupServer, which shares many features with social networking systems, the release of Facebook Connect caught my eye when it caused a buzz on the tech wires. This follows on from the noise whenever a major player — such as Google, Yahoo! or MySpace — announces an OpenID implementation. Unfortunately, I have more reasons to dislike Facebook Connect than OpenID, and I am not a fan of OpenID. All is not lost: CardSpace from Microsoft is an excellent federated identity and authentication system, which provides all the gains of OpenID with few of the drawbacks.
I have three issues with OpenID.
The main issue is with usability: to log into one site (the service provider) you must go to another site (the identity provider). This mapping problem inherent in OpenID is a serious one; in my experience "Remember me" confuses many, so I hold out little hope for those users overcoming the mapping issue without extensive training.
In addition, OpenID is not very open. While Google, Yahoo! and MySpace implement OpenID, they only implement the identity-provider side of the protocol — locking people into their systems using an open protocol.
Finally, the use of a URL as an identifier may confuse many, as they are not normally seen as user identifiers.
Facebook Connect is little different to OpenID. It has a small advantage of using a Facebook ID rather than a URL, but without the virtue of being an open system. Just like the OpenID implementations of Google, Yahoo! and MySpace, Facebook is the only identity provider.
In many ways, Microsoft's CardSpace system is very similar to OpenID, except the identity provider is the browser rather than a site. This gets around the mapping problem, as the user is already using the browser. In addition, the browser can provide a better user experience as it has access to a rich desktop user-interface toolkit, and can gather existing data from external identity providers (think LDAP, Active Directory, or even OpenID).
While Facebook and Yahoo! can claim millions of users, the number must pale in comparison to the number of people who use Windows and Active Directory. This gives a far more corporate feel to the entire system: imagine being able to add the workforce for an entire company to a site and not have to worry about user data or authentication. Instead the company can control all the identity and authentication, as they need to anyway.
For once, Microsoft are being very open about a protocol, providing extensive documentation. And do not let the Windows put you off, as the DigitalMe Project has an implementation of CardSpace for Firefox. Indeed, I suspect that Microsoft will have trouble locking the protocol down, as most of the service providers will be on non-Microsoft platforms, so anyone will be able to write a client.
One Comment on OpenID, Facebook Connect, and the Neglected CardSpace
From: =tc Date: Dec 5 2008 14:21 UTC
Actually, the Information Card protocol is very open - Microsoft is actually opening it up vs. locking it down. Information Cards are promoted by the Information Card Foundation (http://informationcard.net), there is a vibrant open-source implementation at the Higgins Project (http://www.higgins-project.org), a great commercial implementation of the I-Card wallet at Azigo (http://www.azigo.com) and the specifications have left the building at Microsoft, and are being ratified by OASIS (http://www.oasis-open.org/committees/imi/charter.php).