[OpenID] Yahoo OpenID UX Study
Andrew Arnott
andrewarnott at gmail.com
Fri Oct 10 21:12:44 UTC 2008
Shade, I don't think it would be so bad if users got stuck midway at the
point of "SSO is done by big-name sites". Think about it. We nerds like
our control and thorough understanding and flexibility behind OpenID. My
mom couldn't care less. She just wants to log in. If the Internet can
eventually train the average user to click "Log in with your Yahoo! ID" and
type in a credential to just one (or a small handful of large OPs) and not
ever share that credential with third parties, we've done a great service.
The average user has nothing to gain (and a whole lot to lose!) by
discovering and choosing a small OP site.
The majority of users (>90%) on the Internet *should* pick very large,
reputable OPs like Yahoo! to host their identity because they won't know the
security risks inherent with picking smaller ones. Yes, I think that every
RP should offer the ability to log in with any OpenID the visitor cares to
use. But the few big names ought to be one-click easy to log in with.
*To take OpenID to the general public, we need one-click login with at most
3 options for login buttons, like what the "Log In With Your Yahoo! ID"
offers.*
The IDSelector is a poor user experience in my opinion. It screws up input
focus, it shows itself when the user is not expecting it, it blocks
everything behind it lower in the form making it difficult and frustrating
for an ordinary user to fill out the rest of the form below the box, etc.
etc. And as this usability study showed, and my own tests, it's not simple
enough. The only thing simple enough for getting the general public to make
the necessary transition from "give my password to anyone that *says* they
need it" to "hoard it like your wallet" while we retrain them is a single
button.
Yes it's great that OpenID decentralizes the OP, but the *average user
doesn't care*. The average user just wants to log in. And since the
average user very often already has a Yahoo account (or Google, or Live ID,
etc.), the easiest and most likely way to get everyone using OpenID is to
(in my opinion) stick a "Log in with your Yahoo! ID" button on every RP
page, and a very small, out of the way, OpenID text box where people can
type in their own special OpenID if it is something less common. We nerds
will be able to find that out of the way box, but the Yahoo button must be
the most prominent.
The IDSelector offers some 15 OPs. Most users have no idea what to do with
so many choices! (because they see them as opaque choices that they have no
bearing to choose from). Let's get everyone using OpenID without even
realizing it. And at the same time (somehow) train them to hoard their
password. Once we have that done (5+ years), we can start introducing to
users the idea that "hey, by the way, if you want you can actually choose
another provider to host your identity." And most of them won't care,
because it won't matter -- as long as their first choice was a secure one.
Bear in mind, I'm partly using Yahoo as an example here. I think
myopenid.com might be a fine choice as well, except most people haven't
heard of it, so Yahoo would do better with recognition to people.
On Fri, Oct 10, 2008 at 1:08 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> Martin - those are excellent points about using a few big providers
> to shift users' awareness a bit at a time. I'm worried about what
> happens when we get midway, though - will users continue to
> transition the rest of the way, or get stuck at the point of "SSO is
> done by big-name sites."?
>
> >I agree that at this point users shouldn't be seeing the name "OpenID"
> >as the primary brand for logging in.
>
> Interesting thought, there - should OpenID be the underlying
> technology, and respective implementations the actual brand names? I
> think it's important for big providers to have high visibility of the
> OpenID technology, so users aren't misled into thinking that the
> underlying technology is created/owned by those big sites - if they
> were to then see the same service offered at many smaller sites,
> OpenID could be seen as "something made by large companies that was
> later opened to smaller sites" instead of what we can *now* clearly
> see as an open technology that is available to ANY site.
>
> Something like the proudly displayed Verisign logo, where sites show
> off that their security is confirmed by a highly reputable name - if
> the big sites could showcase OpenID in that same way, that would be
> really neat :)
>
> -Shade