[OpenID] Combining Google & Yahoo user experience research

Nate Klingenstein ndk at internet2.edu
Mon Oct 13 20:05:00 PDT 2008


Eric & Allen,

I really appreciate the work you have done to assess usability of  
federated identity within your environments.  The data are very  
interesting, and in some ways augment our own experiences.  However,  
the suggested approaches that you describe aren't sufficient to meet  
key discovery needs in most academic communities.  These are four  
primary reasons why:

1)  Our federations are highly multilateral, with hundreds of  
universities and corporations acting as SP's and IdP's.  While not  
all applications serve all IdP's, some serve a lot of 'em.  Close  
association between the discovery mechanism and the application can  
often narrow down the set of choices the user encounters, and more  
heavily weight certain options.
2)  The user's IdP is not necessarily associated with their email  
provider.  Specifically, some new students don't care to use a  
university-issued email account, while many services most interested  
in federated identity need authoritative data from the university,  
e.g. studenthood.  We've worked hard to allow for the distinction  
between email and identity, and we'd like to preserve it, because it  
gives our users personal choice while we still manage key education- 
oriented information.
3)  We're required legally and ethically, particularly in the EU, to  
protect the user's identity whenever possible.  Asking the user to  
enter a primary identifier like email address for discovery makes  
protection of privacy impossible in some ways.
4)  The phishing exposure you mentioned is not a trivial problem or  
cost for us, as identity proofing takes some significant effort even  
at our relatively low level of assurance.

The discovery problem is still the most difficult in federated  
identity.  We've tried buttons, drag-downs, text boxes, cookies, plug- 
ins, duct tape, and telepathy.  Each has pros and cons, we've got a  
lot of scars, and selection of one of them is an art rather than a  
science at this point.  There's plenty of room for improvement in the  
situation and commonality, especially if we consider all use cases  
out there.

Thanks again for all the ideas & testing,
Nate.

