OpenID Foundation/CRC

The OpenID Foundation Customer Research Committee (CRC) reaches out to actual and potential adopters of OpenID. The objective is to learn what worked for them and what did not when adopting OpenID, and what the OpenID community needs to do in order:

• to get even broader adoption of OpenID by more parties, in particular sites accepting OpenIDs
• to make existing OpenID deployments more successful (e.g. higher OpenID transaction volume)

It is envisioned that the results of the research will be available to the membership of the OpenID Foundation. If you believe you have some interesting insights, we'd love to hear from you. We currently do not have a separate mailing list, so we encourage you to use the general list.

Members

CRC currently consists of:

• Johannes Ernst, NetMesh (chair)
• Brian Kissel, JanRain
• Scott Kveton, Vidoop
• Raj Mata, Yahoo!

Research Participants

We are interested in learning from:

1. Parties that already have implemented OpenID
2. Parties that consider implementing OpenID
3. Parties that considered and decided against implementing OpenID
4. Parties that aware of OpenID but have not considered planning to implement

Candidate Questions

(This is work in progress)

1. Problem Set
   1. What problems are you attempting to solve that seem to relate to OpenID?
      1. How big are these problems for you?
      2. What are the relative priorities of these problems?
      3. Do you think these problems are specific to your company? If not, who else has them?
      4. What specifically is it about OpenID that makes you look at OpenID for a solution?
      5. What other approaches are you aware of that might solve these problems instead? Have you investigated them? If so, what is the result of your investigation?
      6. How do you frame the problem internally? Is it:
         1. a security problem
         2. a compliance problem
         3. an e-business transaction problem (e.g. need to increase on-line transactions by making it easier for customers)
         4. a cost problem (e.g. password reset costs)
         5. an infrastructure problem (e.g. to enable new services that currently don't exist)
         6. Other?
   2. Is OpenID a complete solution for this set of problems?
      1. If not, what else do you need?
      2. If not, does a complete solution exist?
      3. If not, can you make business-relevant progress in the meantime?
      4. Does it appear viable to deliver the parts that are missing in your view? Who are you looking toward to deliver them?
      5. Can you proceed at your own pace, or do you need to wait for other parties to move at the same time?
   3. What problems do you wish OpenID could solve but (currently) doesn't?
   4. If you have deployed already:
      1. How satisfied are you with your deployment?
      2. Are you planning to broaden / deepen the deployment?
      3. Which metric are you using as a success criterion?
      4. Are the actual numbers satisfactory?
      5. If not, what could be done to make them more satisfactory?
   5. What degree of security/etc. is required to solve these problems?
      1. Username/Password
      2. Hardware tokens
      3. Client certificates
      4. Out-of-band validation (e.g. cell phone callback)
      5. Other
      6. Are you mainly looking towards reusing the existing authentication infrastructure that you have already with OpenID (e.g. deployed hardware tokens) or are you looking towards introducing new credential types as part of an OpenID initiative?
   6. Do you require legal agreements (e.g. liability for OPs)
2. OpenID General Awareness
   1. How did you learn about OpenIDs existence?
   2. How did you learn what OpenID is and how it works?
   3. How did you decide that OpenID applies to your business?
   4. Are you aware of the distinctions between being an OP and an RP?
      1. technically, including security / trust ramifications
      2. user experience
      3. business opportunities / ramifications
   5. Do you understand the components of the technology stack?
      1. URLs as identifiers for people
      2. Yadis discovery
      3. Authentication
      4. exchange of attribute information (SREG, AX)
      5. schemas
      6. related technologies, e.g. OAuth, FriendFeeds etc.
   6. Are you aware of the business benefits of supporting OpenID? e.g.
      1. reduced friction for customer to conduct commerce / engage with your site
      2. higher revenue (if so, how?), e.g.
         1. more of the same business
         2. new business
      3. lower cost (if so, how?) e.g.
         1. outsourcing function
         2. streamlining function
      4. lower business risk, e.g.
         1. "personal info that is not stored here cannot be stolen from us"
         2. potentially higher authentication quality
   7. Which market segments / product categories / demographics / etc. are ready to use OpenID in your view? Which ones are next? Which ones are last?
3. Market Segment / Vertical
   1. Whose adoption(s) of OpenID would signal to your market segment that adoption of OpenID is becoming safe and/or a must-have feature for you and your competitors?
   2. Which other segments do market participants in your segment generally reference prior to adoption of similar technologies in your segment?
   3. Do you see any parallels in adoption of OpenID in your segment with the successful (or not) adoption of other technologies before?
   4. Which organization(s) would be logical OPs for your segment? And why? E.g.:
      1. general-purpose e.g. AOL, Yahoo
      2. a neutral, segment-specific identity provider with its own brand
      3. the "top dog" in your segment
      4. all/most market participants
   5. Which organization(s) would be logical RPs for your segment? e.g.
      1. all market participants
      2. only large / medium / small participants
      3. "suppliers" into the top dogs' supply chains
   6. What is the business case for OpenID adoption in your segment? Are there one or several? Which one is most realistic in the shortest time for your vertical?
   7. If OpenID adoption was widespread in your segment, who would win and who would lose? Why? How much difference would it make to which metric?
   8. Do you see a strategic downside to adopting OpenID in your segment?
      1. can it be mitigated?
   9. Which devices / OSs / ... are relevant in your segment?
   10. What obstacles do you see for broad OpenID adoption and use in your segment?
       1. technically, e.g.
          1. security, non-repudiation, mapping to legacy systems/processes, ...
          2. need new features such as authenticated messaging, OP-initiated SSO, ...
       2. user experience, e.g.
          1. does expected user experience map to what your users can understand quickly and will do?
       3. branding
       4. business-wise, e.g.
          1. who pays for the assumption of risk?
          2. need (more) trusted technology / service providers
          3. insufficient value proposition
4. Company
   1. Where are you in the internal sales cycle? e.g.
      1. initial awareness of opportunity and evaluation
      2. business case made
      3. executive sponsorship
      4. project funded
      5. beta
      6. deployed
   2. Which obstacles have you overcome so far? Which do you still need to overcome? e.g.
      1. (better) understanding of the business opportunity
      2. (better) articulation of the business opportunity to decision makers
      3. technology/vendor selection
      4. project funding
      5. site owner buy-in
      6. prioritization viz-a-viz other initiatives
      7. executive sponsorship
      8. need other organizations to do something first, e.g.
         1. deploy vertical-specific OP
   3. Foundation membership?
      1. are you a foundation member?
         1. Why?
         2. Why not?
      2. What most important value should the foundation provide to you:
         1. industry-specific gatherings
      3. connecting vendors and buyers
      4. pursuing technical advancement
      5. OpenID marketing
         1. in general
         2. in your specific vertical (which?)