[OpenID] OpenID Uri versus Email addresses

Peter Williams pwilliams at rapattoni.com
Wed Aug 6 18:34:58 UTC 2008


I have 100,000 users applying websso, regularly. True, it's the idp-initiated variety for the most part. No users are specially trained, and most discovered personal computing and the internet in the last 15 years. Many are highly technology phobic, and not given to suffer any change to ui or functions that is not clearly beneficial. (Tolerance for technical language is also close to zero.)

We have not seen the particular failure modes described (and we would know about it quickly, given our community's low tolerances for ui-induced error): inappropriate release of password (or use of email address as id). This may be due to not making heavy use of sp-initiated websso flows (like openid auth protocol uses).

-----Original Message-----
From: Scott Kveton <scott at kveton.com>
Sent: Wednesday, August 06, 2008 10:26 AM
To: OpenID List <general at openid.net>
Subject: Re: [OpenID] OpenID Uri versus Email addresses


> I assume you usually present to middle-aged business people, like most of us
> do. Do you think this would also be true for teenagers whose on-line life is
> MySpace?
>
> I postulate -- although I have no data to back it up -- that in that
> demographic, everybody knows what their MySpace page is (i.e. a URL) and
> they consider e-mail to be something for quaint old farts only (like
> middle-aged business people) and irrelevant to them.

I would postulate that the MySpace example is an exception, not the
rule.  Also, MySpace users also use emails quite a bit in the site as
well (for example, to sign-in).  Facebook is also email based.

Having seen the summary of a recent usability study around SSO
(unfortunately, the company can't yet make the study public) when
asked to sign in on a page, users immediately enter their email
address *and* password.  That's scary to me and really highlights both
the usability problems we're seeing as well as the security dilemmas
it creates.

I don't think there is a silver bullet here.  We can head in that
direction but in the meantime, I think we're going to need a bunch of
different ways of doing the same thing that solve these problems.

- Scott

> This is an important discussion, but let's make sure that we don't make
> generalizations that might not be true.
>
> If anybody actually had some hard data, that'd be great, otherwise we are
> arguing everybody's guesses and are none the wiser.
>
> Johannes Ernst
> NetMesh Inc.
> http://netmesh.info/jernst
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general