Only one week after PayPal joined the board of the OpenID Foundation as a sustaining corporate member, Facebook followed suit yesterday. It is the first social network to become a board member.

By joining the board Facebook hopes

that we can take the success of Facebook Connect and work together with the community to build easy-to-use, safe, open and secure distributed identity frameworks for use across the Web.

While it is excting to see a popular brand like Facebook joining the board of the OpenID Foundation, it has not made any announcement if it will implement OpenID in any way. So if you hoped to login to the social network with your OpenID already, you will be disappointed. Though it would be awesome if it was possible someday, of course. In the meantime Facebook’s experiences with Facebook Connect and user experience could help OpenID become more user friendly. It seems this is what the OpenID Foundation is hoping for as well:

Given the popularity and positive user experience of Facebook Connect, we look forward to Facebook working within the community to improve OpenID’s usability and reach.

Anyway, we definitely hope Facebook’s contribution to OpenID will further its success.

Today the OpenID Foundation announced that PayPal joined the board of the OpenID Foundation as the sixth sustaining corporate member. This is certainly a very remarkable addition to the board as PayPal is a well-established brand all over the world and represents an industry that is not part of the board yet and which deals with very critical data, i.e. personal and financial data. So the addition of PayPal might be a signal for other companies and industries to try and implement OpenID.

However it is still unknown if and how PayPal will implement or support OpenID. There is no press release by the company so far, at least none that I am aware of. Will it become an OpenID Provider or a Reyling Party? Or maybe both? I’d like to see PayPal becoming a Relying Party which makes use of the recently finalized and approved Provider Authentication Policy Extension. I think this could be a real test for the extension and it forced more providers to push their security efforts. Though currently, this is just speculation.

Just in time before year’s end the Provider Authentication Policy Extension (PAPE) was approved as an OpenID specification by votes of members of the OpenID Foundation.

PAPE will help making OpenID more secure. To quote from our Technical Terms page:

This extension (it can be used with OpenID 1.1 and 2.0) allows Relying Parties to request that certain authentication policies are used by OpenID Providers when authenticating users. So it is possible that a Relying Party only lets users log in with an OpenID if they have been authenticated by multi-factor authentication (e.g. by a password and a certificate).

In addition Relying Parties can request to which NIST (National Institute of Standards and Technology) levels the authentication adheres to. NIST is a US standards laboratory which also runs a computer security resource center. In 2006 it released an Electronic Authentication Guideline which describes four levels of authentication assurance. The levels range from rather simple authentication methods like passwords at level one to very strong methods like hardware cryptographic tokens at level four. If you like to learn more about NIST levels you should read the 64-page PDF.

Yesterday JanRain, the company running the well-known OpenID Provider MyOpenID.com, published its Relying Party statistics. According to those statistics there were 31,185 unique websites by the end of 2008 which support OpenID as a Relying Party. As you can see from the chart below, adoption of OpenID is growing steadily. Of course, those are only JanRain’s figures but I think they are representative as MyOpenID.com is one of the bigger dedicated OpenID Providers and therefore is able to monitor most Relying Parties.

Some of the bigger new Relying Parties are video sharing site Dailymotion, AOL’s MapQuest and Universal Music’s subsidiary Interscope Records.

It’s interesting to see the different OpenID login screens of those three sites:

Dailymotion

The OpenID login screen is available by a link at the end of the usual registration form. It’s good to see that the benefits of OpenID are mentioned directly at the login screen. Also five different providers are mentioned if users don’t have an OpenID yet.

MapQuest

At MapQuest users have to decide first if they want to login with an AOL screen name or with an OpenID. Then the screen below is displayed where some better known (mostly) dedicated OpenID Providers are pre-selected. On Dailymotion mostly consumer brands are pre-selected:

Interscope Records

Interscope Records utilizes JanRain’s RPX service. RPX allows logins with OpenID, Facebook, MySpace, Yahoo!, AOL and Google accounts. The login screen is directly available from the frontpage and mentions all supported login methods already via the respective logos. The login screen itself looks like this:

Three different Relying Parties, three different approaches to login screens. I think we will see more variations of login screens in 2009 as usability and user experience will become crucial for OpenID.

On December 24 the first election for OpenID Foundation community board members ended. It was the first time members of the OpenID Foundation could actually vote. Foundation members could nominate themselves and by the end of the nomination phase 17 people ran for seven community seats.

Elected for 2-year terms are Snorri Giorgetti, Nat Sakimura, Chris Messina, and David Recordon. Elected for a 1-year term are Eric Sachs, Scott Kveton, and Brian Kissel. Congratulations to all of them! The community board members are taking office today. In addition to the community board members there are five corporate board members: Google, Yahoo!, Microsoft, VeriSign, and IBM.

While the majority of former community board members were nominated, it is interesting to note that only two of them were actually re-elected: David Recordon and Scott Kveton. I guess, that doesn’t necessarily mean the old board did a bad job but it certainly means that many Foundation members think it’s time to change a few things. In my opinion, a focus of the new board has to be on marketing. The OpenID Foundation has to illustrate the benefits of OpenID to both users and companies. There have to be more people who actually use their OpenID and there have to be more companies and services which offer logins with OpenID. The new board has good chances to accomplish this as it is more diverse now. It’s not only a North American board anymore but an international one – Snorri is French and Nat is Japanese – and people have a more diverse background, I think.

There is a lot of work ahead and I wish the new board good luck! If you want to support the work of the OpenID Foundation you can become a member. The membership fee has been reduced from $100/year to $25/year for individuals.