Yahoo! Releases OpenID Research
None of the users had heard of OpenID before, and none of them even noticed the OpenID sign-in box displayed below the traditional email/password login form on the site. In many cases, the test subjects entered their Yahoo email address and Yahoo password to try to log in. We had told the test subjects that they could sign into the site using their Yahoo! account without having to register…Certainly there is a lot of work to be done on the OpenID UX (user experience) front.
TR1
on 14 Oct 08
I find this very believable. OpenID is a great idea that needs to be explained better.
Snowflake Seven
on 14 Oct 08
Unfortunately this solution slaps a brand name on what is meant to be an independent system. The OpenID community has proposed login fields that highlight a broad variety of providers by name (like YahooID) but I have not seen anyone say this approach has had a significantly better effect.
What is worse in my mind is that, as a user, once you get it, once you understand the benefit of OpenID and are keeping an eye out for it, too few sites offer it for it to become central to the surfing experience.
OpenID is an excellent concept. And it is the best approach to single sign-on we have seen yet. But just like syndication (RSS, Atom) it may take quite a while before enough users get it, demand it and enough sites deploy it. And even with the killer app of feeds—podcasts—adoption and user understanding is slow growing.
wuputah
on 14 Oct 08
Direct link to the PDF: openid-research-jul08.pdf
While many of the points are universally valid in explaining how to present OpenID to users, most of the study is about the nature of using Yahoo!’s OpenID system for the first time, which only affects people using Yahoo! for their OpenID.
Brad Flora
on 15 Oct 08
We already have single sign-on. It’s called “use the same username and password everywhere”.
I avoid sites that require/use OpenID. I understand what it’s trying to do and I get confused every time:
“If I’m trying to log into site X why am I being sent over to Yahoo?”
I wish Twitterfeed would go away from it. Then I’d be Open ID-free.
Andy
on 15 Oct 08
“If I’m trying to login to site X why am I being sent over to Yahoo?”
If I’m trying to buy beer, why do I have to go to the DMV to get a state issued ID?
OpenID needs to be explained in terms that are already familiar. We already do, as part of our daily lives, everything that is conceptually behind OpenID. When you buy beer, your ID (which you’ve already gone through the trouble of going to the DMV previously) says that the state vouches for your age. The seller trusts the state more than they trust whoever you are to claim information about yourself. The state is a third-party verifier. The state also doesn’t want minors to have easy access to alcohol.
Site X doesn’t necessarily trust the anonymous user who is at their login box to claim who they say they are, but they will verify your identity with a password you provide or let you defer that to Yahoo (or some other OpenID provider). You assert who you are to Yahoo (in this example), and Yahoo vouches for you. You, and your OpenID provider, have a vested interest in avoiding people doing things as you. The system is in some ways more trustworthy than the state issued ID because with OpenID being federated you can shop around for identity providers based on their security; the security of identity based on the state issued ID is only as good as the public’s inability to forge identity documents.
OpenID is like a state issued ID that you control the expiration of. You assert to the site “You don’t know who I am, but OpenID Provider Y does, go ask them”. Provider Y then verifies you are who you say you are (maybe this is via a long lived cookie, or with a username and password, or some other form of authentication), and then vouches for you to site X.
The real difference here is who maintains control. The state controls alcohol and taxes through the use of laws requiring it vouch for your identity (and thus your age) when you buy alcohol. You maintain control over your identity on these sites by using a third-party OpenID provider (or running your own OpenID provider) and you can limit what these sites.
In either case, the responsibility for your identity is put in the hands of the party most able to control it given the circumstances and who has the greatest amount of trust between all the parties.
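The "Provider Y vouches for you to site X" step from the comment above, sketched as an added example that is not part of the original comment or of any provider's code. It is modelled on the signed positive assertion of OpenID 2.0 (key-value form, HMAC under a shared association secret); the secret, URLs and function names are constructed for illustration.

```python
import base64, hashlib, hmac

# Constructed sample values: the shared association secret and all URLs are made up.
ASSOC_SECRET = b"constructed-association-secret"
RETURN_TO = "https://site-x.example/openid/return"
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
          "response_nonce", "assoc_handle"]

def sign(fields, secret):
    """HMAC-SHA256 over the key-value form ("key:value\\n") of the signed fields."""
    keys = fields.get("openid.signed", "").split(",")
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in keys)
    mac = hmac.new(secret, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def provider_assert(claimed_id, nonce):
    """Provider Y's side: vouch for a user it has already authenticated itself."""
    fields = {
        "openid.op_endpoint": "https://provider-y.example/op",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "handle-1",
        "openid.signed": ",".join(SIGNED),
    }
    fields["openid.sig"] = sign(fields, ASSOC_SECRET)
    return fields

def site_x_verify(fields, seen_nonces):
    """Site X's side: trust the claimed identity only if every check passes."""
    if not set(SIGNED) <= set(fields.get("openid.signed", "").split(",")):
        return "reject: required field not covered by signature"
    expected = sign(fields, ASSOC_SECRET).encode()
    if not hmac.compare_digest(expected, fields.get("openid.sig", "").encode()):
        return "reject: bad signature"
    if fields["openid.return_to"] != RETURN_TO:
        return "reject: assertion issued for another site"
    if fields["openid.response_nonce"] in seen_nonces:
        return "reject: replayed assertion"
    seen_nonces.add(fields["openid.response_nonce"])
    return "accept: " + fields["openid.claimed_id"]
```

Site X never sees the user's password; it only checks that the assertion was signed by the provider, was issued for Site X itself, and has not been used before.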
Jake A. Smith
on 15 Oct 08
Andy, that is the best explanation I’ve ever seen written out. Kudos for that.
Andy
on 15 Oct 08
Glad it helped. Too bad my typing and sentence structure went a little wonky near the end though. I’m usually more articulate.
Tom
on 15 Oct 08
The subject of “Should we use Open ID for our new site” came up in a meeting the other week, my response was that only web geeks really understand and are using Open ID. This Yahoo! research just backs up my assumption, yes it’s a fantastic idea but there are some serious usability issues that still need to be solved.
Anonymous Coward
on 15 Oct 08
@Andy: The thought of the internet being turned into a state-regulated bureaucracy just sent shivers down my spine.
Nick
on 15 Oct 08
The problem is awareness, not usability. Anyone who has ever used email understands the concept of OpenID. If I want you to email me, I give you MY EMAIL ADDRESS. In the same way, if I want to log into your site, I should be able to give you MY USERNAME AND PASSWORD.
The concept is simple and easy. People just don’t know it exists.
Jason Garber
on 15 Oct 08
We (Mixx) recently took on the “bring OpenID to the masses” challenge and came up with what we believe is a good blend of presentation and user education. You can see the results at http://www.mixx.com/register.
Our approach was that the user doesn’t care what OpenID is or how to use it—we take care of constructing OpenID URLs under the covers. We’re also using other third-party authentication (in the case of Facebook), but for the OpenID providers, we’ve made the experience as simple as possible.
I wrote a longer piece on our developer blog which can be found here outlining our support for OpenID and our goals with the redesign.
In the two weeks since we made the change, we’ve noticed an uptick in the number of OpenID (and third-party) registrations on the site. We’re also in contact with the folks at JanRain about ways to continue to improve the OpenID user experience.
OpenID is hard—it’s a developer’s solution to a layman’s problem. The devil is in the details and it’s up to us to build an experience that is attractive and easy to use for everyone.
Jason Garber
on 15 Oct 08
@Andy Excellent example of a real-world situation that is analogous to OpenID. We were kicking around a similar metaphor based around passports and the implied trust between countries as people travel from nation to nation. Spot on.
Topper Bowers
on 15 Oct 08
@Jason – your registration page is exactly what I’ve been trying to communicate. The problem with OpenID is that nobody cares. We geeks think that the tech is awesome, but a real user just wants to know they can use a u/p that they already know.
I just put up a blog post about it: http://blog.toppingdesign.com/2008/10/15/letting-users-know-about-openid/
Daniel Gibbons
on 15 Oct 08
About 18 months ago I was on the phone with a very prominent tech. blogger (I mean, really, one of the most prominent). We had set up an OpenID for him so that he could try logging in to our app using it, but he simply couldn’t understand the concept.
All he could do was click on the OpenID URL (in this case a MyOpenID URL) and ask if we had built the MyOpenID site. The idea of entering a URL to log in was just beyond him.
Since then I’ve seen him write about the benefits of OpenID, but I’m virtually certain he has never used it and still doesn’t understand how it actually works.
Andy
on 15 Oct 08
@Anon “The thought of the internet being turned into a state-regulated bureaucracy just sent shivers down my spine.”
I guess you’re welcome to think that, but nothing in my description ever said or even implied that the internet should, or even could be, turned into a state-regulated bureaucracy for identity purposes. As I said, since the concept of OpenID is federated, proper OpenID consumers should be able to accept ANY OpenID provider (because you, as the user, maintain control over who it is that asserts your identity). Vs the buying beer scenario where it is illegal for a business to accept anything other than a state issued ID (which is assumed to be reasonably unforgeable) because the state is enforcing this.
OpenID consumers who only acknowledge certain providers arbitrarily actually end up being part of the problem, and encourage SSO setup tantamount to Microsoft Passport.
I say “arbitrarily” there because OpenID consumers should be able to prefer certain providers based on criteria such as security. A bank could, for example, require that an OpenID provider verify identity via methods “stronger” than just username and password, like using two-factor authentication or a SecurID token (How it is verified they actually verify the way they say they do is beyond the scope of OpenID, however. That being said, the distributed nature of OpenID means that market forces can work to deal with that).
sarath
on 20 Oct 08
Open ID is a good idea but what matters to me is security. However if it advertises then, it can become popular as even small and different topic sites like for example http://www.hindlist.com which is a free classified website is becoming popular. What matters is advertising the product in a right way for the people to understand. Personally I like the Open ID system.
This discussion is closed.