
Why OpenID at SmugMug?

February 27, 2007

We announced OpenID support last week. I then responded to some comments asking us why we were a provider first, rather than a consumer. Now, I’m answering some more comments basically asking why they should care about OpenID and how it helps SmugMug customers.

Honestly, I had no idea it wouldn’t be obvious how great this is. To me, the picture seems perfectly clear. There are no dastardly designs or secret agendas – to me, it just makes sense. Here are a few reasons why:

We are a pay site. Every SmugMug customer pays for the right to share their photos here. They get what they pay for. That comes with both pluses and minuses where identity is concerned, though. On the one hand, we have a much much stronger relationship with our customers than somewhere free like Hotmail, for example. On the other, we have no good mechanism to interact with viewers, who don’t and shouldn’t have to pay (or even sign up) to see their friends’ photos.

Let’s talk about the pluses first. There’s a much higher level of trust and respect between the customer and SmugMug than a free email provider. They feel secure in knowing that we treat their data carefully and with respect. They consider SmugMug to be their home (or at least a major part of their home) online. They strongly identify with the brand and even more strongly identify with the fact that their memories are stored and shared from our servers. They identify with us.

Do you see where I’m going with this? While everyone has multiple identities online, from email to IM, blogs to photo sharing, the ones where there is a volume of priceless content, such as their photo-sharing site or blog, are the ones our customers identify with the most. Email addresses are “less permanent” since they’re free, easy to forward, etc. Ask your typical passionate Flickr or SmugMug customer, though, and they’ll tell you about their passion for their photos and the pain and anguish it would cause them to move or if the service died. Note that not everyone falls into this category – but those passionate about photo sharing *do* fall into this category, and that describes every SmugMug customer.

Further, I believe the customer should get to choose which site they identify with most. I’d hate to limit them to only their email provider if they happen to hate their email provider. Just like everyone resonates with different brands of cars, jeans, computers, music, etc, they also resonate with different sites. Leave the power in the hands of the customer – let them choose their own identity.

Now, let’s talk minuses. Since there are no free accounts at SmugMug, we can’t interact as well with our viewers. They’re allergic to setting up “yet another account,” something I resonate with, or even passing over their email address. I completely get that – it really really sucks when you go to view someone’s photos at KodakGallery or Shutterfly and they demand your email address so you can get spammed till the end of days. It also sucks when you want to leave a comment at Flickr but can’t without signing up for a Yahoo account. What a pain.

OpenID goes a long way towards solving some of these problems. Comments can now be far more spam-free since identity can be verified, yet the commenter doesn’t have to go through the hassle of signing up for yet-another-account. Access controls to photos and galleries can be specified by the owner of the photos in such a way that sensitive data (like email addresses or passwords) no longer has to be exchanged. Even if we wanted to, SmugMug couldn’t spam someone using their OpenID to leave a comment or view a photo. That’s big – I hate giving my email address out to sites because so many of them *do* spam, and you’re never sure which ones are the “good guys” like we are.

OpenID isn’t perfect. There’s no trust here – just identification. There’s still no complete single sign-on. There are issues with dangling stale IDs being left around. Consumer education is going to be interesting. But it’s still a huge step in the right direction. Just verifying that someone has an identity somewhere online gives you the ability to make your apps richer, regulate abuse more easily, and generally improve the user experience.

What’s not to love?

  1. February 27, 2007 at 12:55 pm

    Hm. I appreciate you writing this entry, but I’m still not seeing it. All I see is *more* administration headaches as soon as you become an OpenID consumer.

    Right now (if you restrict comments to registered users), you need only to check against user IDs.

    With OpenID, you’ll need to differentiate between spam IDs and spam ID servers. More or less, you’re hand-coding a trust system on the server side. On the upside, it’s probably easier to establish trust with an OpenID server than a user – but that spoils the idea behind OID that everybody can run their own authentication server.

    I’ll probably try it out soon anyways – just because 😉

  2. February 27, 2007 at 1:07 pm

    @Robert ‘Groby’ Blum:

    But I want millions of people to be able to comment on photos at SmugMug. (Our customers want this, too). And SmugMug doesn’t have millions of customers.

    See my dilemma?

    Now imagine you’re an even smaller provider. Say an independent blog with no login system whatsoever – you’re the only writer, after all. What then?

  3. February 27, 2007 at 4:04 pm

    onethumb said:

    > OpenID goes a long way towards solving some of these problems. Comments can now be far more spam-free since identity can be verified, yet the commenter doesn’t have to go through the hassle of signing up for yet-another-account.

    One problem I see here. If big services (like AOL) use OpenID, doesn’t that dilute the verification process, since those accounts can be free (or at least a free trial)? What if Hotmail starts giving OpenID to its members? Then we’re back to square one. Whatever scripts spammers use to create bogus Hotmail accounts can just be extended to pull the resulting OpenID and use that instead of the email address. I see that as a big possibility, unless there’s something I’m missing.

  4. February 27, 2007 at 5:14 pm


    again, you’re talking about trust which is not something that OpenID currently attempts to address. But it does provide the foundation for trust and reputation, namely establishing a unique persistent identifier for an individual. If someone spends a lot of time in community A and has established themselves as being trustworthy and possibly authoritative on a particular topic, it would be nice for that reputation to have validity within another community. Communities could share these lists of trusted users so that as people move around, their reputation is known and moves with them. Communities could choose which others they trust to assert reputation… for example, Hotmail may assert all the good rep they want for a user, but that doesn’t necessarily mean I choose to allow it to have any validity in my community. Much more about this can be found by googling for openid whitelist. Of course this is all theoretical at the moment, but the foundation is being laid for this to be a reality.

  5. Raghu
    February 27, 2007 at 5:50 pm


    I like what you guys are doing with SmugMug but you should get your facts straight.

    Shutterfly does not demand an email address (Kodak and Snapfish do) to be able to see your friends’ photos, when you get an invite. My wife has accounts in all 3 and keeps raving about Shutterfly, their photo books and their user friendly site because of that.

  6. February 27, 2007 at 6:00 pm


    That’s fantastic news. I’ve been doing this for 5 years, and for most of that time, Shutterfly has required email addresses.

    But I don’t do a lot of competitive research, so I’ve clearly fallen behind. We just checked and you’re right – the email-address-required-to-view option seems to be gone.

    Kudos to Shutterfly!

  7. Brent Matzelle
    March 5, 2007 at 3:32 pm

    > Honestly, I had no idea it wouldn’t be obvious how great this is.

    Thanks for that additional explanation.

    I believe that the virtues of OpenID were obvious to you because SmugMug is a community site and community-based sites seemingly have the most to gain from OpenID. Keep in mind that most developers, myself included, don’t build community/web 2.0 sites and thus might be a bit slower on the uptake.

  8. October 12, 2007 at 8:07 am

    I am very pleased that SmugMug has become an OpenID provider. There is one feature that seems to be lacking at the moment (though it may just be that I don’t understand something).

    I would like to do OpenID delegation so that I can configure my personal homepage (http://scphillips.com) to be used as my login identifier. By inserting two lines of code into my homepage I should be able to delegate my authentication to any OpenID provider of my choice, e.g.:

    This doesn’t work for me. I am able to login to LiveJournal using scphillips.smugmug.com as my identifier, but using scphillips.com gives me the error “bogus:delegation:”.

    Any ideas?


  9. October 12, 2007 at 11:06 am

    Yeah, it’s on my TODO list. The main reason it hasn’t been done is that you’re the first one to ask for it. 🙂

  10. January 21, 2008 at 1:51 am

    Hi Don

    I’m not sure where to put this comment; I guess it could be considered a bug, but I’m not sure on which end the problem is occurring.

    I’m setting up a site to accept OpenID logins, but I can’t log in with thunderrabbit.smugmug.com.

    The reply I get from smugmug is an object:

    Auth_OpenID_FailureResponse Object
    [status] => failure
    [endpoint] =>
    [identity_url] =>
    [message] => Bad signature
    [contact] =>
    [reference] =>

    I can log in to said site with openIDs served by myopenid and livejournal, but not smugmug.

    This is *not* mission critical on my end, and certainly not yours. But if you get some time, email me back and we can maybe figure something out.

    – Rob
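
An added example, not part of the comment above and not the code of SmugMug or of the consumer library: the general check behind a "Bad signature" result in OpenID 1.1, where the consumer rebuilds the key-value token from the fields listed in `openid.signed` and compares an HMAC-SHA1 over it with `openid.sig`. The key, handle and URLs are constructed placeholders, and the `required` field policy is an assumption of this sketch; it does not diagnose the report above.

```python
import base64
import hashlib
import hmac


def kv_token(params, signed):
    """Build the OpenID 1.1 key-value string for the fields named in openid.signed."""
    lines = []
    for field in signed.split(","):
        value = params["openid." + field]  # KeyError if a signed field is absent
        lines.append(field + ":" + value + "\n")
    return "".join(lines).encode("utf-8")


def sign(params, mac_key):
    """base64(HMAC-SHA1(mac_key, token)) over the listed fields, in listed order."""
    token = kv_token(params, params["openid.signed"])
    return base64.b64encode(hmac.new(mac_key, token, hashlib.sha1).digest()).decode()


def verify(params, mac_key, required=("identity", "return_to")):
    """Consumer-side check of an id_res response against the association secret."""
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in required):
        return False  # an unsigned identity could be altered without detection
    try:
        expected = sign(params, mac_key)
    except KeyError:
        return False  # a field listed as signed is missing from the response
    # Constant-time comparison of the two base64 strings
    return hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode())


# Constructed sample response: key, handle and URLs are placeholders.
MAC_KEY = b"constructed-20-byte-key"[:20]
RESPONSE = {
    "openid.mode": "id_res",
    "openid.identity": "https://user.provider.example/",
    "openid.return_to": "https://consumer.example/finish",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "mode,identity,return_to",
}
RESPONSE["openid.sig"] = sign(RESPONSE, MAC_KEY)
```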
