[OpenID] Yahoo OpenID UX Study

George Fletcher gffletch at aol.com
Fri Oct 10 22:02:43 UTC 2008


+1 for getting support in browsers

I have no problem with the "OP Login button" approach, but even that 
(once we get more than three that want to be on the RP) will get 
cumbersome and I worry that users will be looking all over the site for 
"the login link/form". They might pass right over the "Login with your 
Yahoo! ID" button.

It probably will take minimal spec work to close the necessary gaps, but 
I agree it's not "an amazingly difficult problem technically". Is there 
a reason to wait on this effort? I can envision a very simple 
"config/settings" panel that asks the user for their email address (with 
an advanced button for people who know what they are doing) and uses 
EAUT to determine the user's OpenID. Minimal text could tell the user 
that they can increase their security and convenience by setting this up.

The browser could even detect that a site supports OpenID and walk the 
user through configuring the browser to help them log in. Once done for 
one site, the browser could proactively inform the user of new sites the 
user can log in to based on the configured identity.

This doesn't seem hard and will make the user experience much better. 
And it will improve security by interacting with the OP directly instead 
of via redirect in the current model.

Thanks,
George

Martin Atkins wrote:
> SitG Admin wrote:
>   
>> Martin - those are excellent points about using a few big providers to 
>> shift users' awareness a bit at a time. I'm worried about what happens 
>> when we get midway, though - will users continue to transition the 
>> rest of the way, or get stuck at the point of "SSO is done by big-name 
>> sites."?
>>
>>     
>>> I agree that at this point users shouldn't be seeing the name "OpenID"
>>> as the primary brand for logging in.
>>>       
>> Interesting thought, there - should OpenID be the underlying 
>> technology, and respective implementations the actual brand names? I 
>> think it's important for big providers to have high visibility of the 
>> OpenID technology, so users aren't misled into thinking that the 
>> underlying technology is created/owned by those big sites - if they 
>> were to then see the same service offered at many smaller sites, 
>> OpenID could be seen as "something made by large companies that was 
>> later opened to smaller sites" instead of what we can *now* clearly 
>> see as an open technology that is available to ANY site.
>>
>> Something like the proudly displayed Verisign logo, where sites show 
>> off that their security is confirmed by a highly reputable name - if 
>> the big sites could showcase OpenID in that same way, that would be 
>> really neat :)
>>
>>     
> I should probably have completed that thought.
>
> I was referring to the "login page" (or equivalent) specifically. What I 
> meant was that RPs should be providing big, prominent buttons to log in 
> with big providers and then put the generic OpenID login box somewhere a 
> little more obscure so that those who know to look for it can find it, 
> but normal users aren't confused by it. A button that says "Log in with 
> OpenID!" alongside the "Log in with Yahoo!" and other buttons could do 
> the trick; presumably then users will just dismiss it as a brand they 
> don't recognise and move on.
>
> Once they've got past this initial hurdle, it might be useful to 
> introduce them briefly to OpenID during the login transaction, though 
> not to the point where it gets in the way of doing whatever the user was 
> trying to get done. If we can just get the mental model of users to 
> switch away from sharing usernames/passwords I think that'd be a great 
> thing; they might start to recognise the OpenID brand along the way -- 
> even if they don't know exactly what it is --  but I don't think we 
> really want it up in the user's face at this point. OpenID is a bit of 
> technology, and isn't really that interesting to end-users in and of itself.
>
> My hope is that moving forward we'll get OpenID support into browsers 
> and users can find out about it by that route. Once browsers can help 
> users to log in rather than relying on complicated per-site UI it'll 
> open up the possibility of getting rid of these provider-specific login 
> buttons on sites. That's probably going to require some more spec work 
> so that users can get things configured easily, without faffing about 
> entering OpenID identifiers, but I don't think it's an amazingly 
> difficult problem technically.



