[OpenID] Combining Google & Yahoo user experience research

Kick Willemse K.Willemse at diginotar.nl
Tue Oct 14 11:03:45 UTC 2008


Great initiative to share the usability research.  I fully disagree with the "fact of life" statement. (For the short term your suggestion is the "best of bad")



For the long term:



Did we see it as a fact of life to have all logos of telco providers on the RP's website when introducing a "call now" button?

Do we present all bank logos on the RP's website when we introduced a "Pay now" button?

Do we put all Internet Provider logos on the RP's website if there is a "download now" button?



Looking at the above and parallels with other industries, I still think we miss a role within our OpenID model.



Current situation for OpenID: one-to-one relationship between RPs and IDPs

Preferred situation in a Network Type Model: RPs have a relation with acquirers, acquirers have a relation with IDPs



Just like banks, energy, ISPs, telcos, etc.



Please bring the important role of the acquirer within OpenID discussions and work on a cooperative scheme for:



Business/governance

- Rules & regulations

- Business model

- Brand & licensing

- Specification & certification



Application

- Functionality

- Semantics

- Message standards



Infrastructure

- Protocols

- Connectivity

- Security

- ...



Kick



-------------------------------------------------------------------------------------

Kick Willemse

Product Manager

e-mail: k.willemse at diginotar.nl

weblog: http://www.papierloos.nl/



DigiNotar B.V.

Vondellaan 8

1942LJ Beverwijk

telephone: 0251-268888





From: general-bounces at openid.net [mailto:general-bounces at openid.net] On behalf of Eric Sachs
Sent: Monday 13 October 2008 20:46
To: OpenID List
Subject: [OpenID] Combining Google & Yahoo user experience research



In September/October both Google and Yahoo posted some Usability Research on Federated Login:

Google Presentation <http://sites.google.com/site/oauthgoog/UXFedLogin> at OpenID Foundation on September 18, 2008

Yahoo UX Research <http://developer.yahoo.com/openid/bestpractices.html> on their IDP endpoint


Both companies have been asked for suggestions on how to merge the feedback from these two sets of research.  Allen Tom & I have been exchanging mail about how to do that, and here is one way to merge the set of conclusions:

1. Based on the test Yahoo & Gmail have done earlier in the year, we already both believe that any "login" buttons have to include the brand of the IDP and must be right next to the login box.  While that might not scale nor promote the OpenID technology brand, that is just the fact of life.

2. For RPs who currently use E-mail based logins, they can maximize adoption by using either the Google or Yahoo UX suggestions along with education/re-education screens.  However this requires that the IDP also verifies the user's email.

3. The Google UX option will enable RPs to trust the most IDPs, but the Yahoo UX suggestion will make the process the simplest for users of the few IDPs that are listed below the login box.  So the best solution may be for RPs to combine our two UX suggestions by using the Google UX for the login box, but still include buttons for a very small number of IDPs under the login box.

4. From the data we have gathered, buttons work best if they are (1) just below the login box (either the password or sign-in button), (2) contain the full name of the E-mail provider (not just logo), and (3) the set of buttons is no wider than the login box.  That generally means a max of 2 buttons for a regular username/password login box, and a max of 3 buttons for the buy.com style login box Google suggests.

5. An RP can use one-off protocols for a few big IDPs (like @hotmail.com), but OpenID is a good fit for RPs that want to support a large number of IDPs.

This suggested combination was based off the two publicized research reports, along with one other old study Google had done.  In that study I took Netflix's login page and added a Gmail & Yahoo signin button below it.  For that study, I used a modified Yahoo BBAuth confirmation page that indicated the user's E-mail would also be shared.  As you would expect based on Yahoo's research, none of them clicked the Gmail or Yahoo buttons.  However, what I did was create a fake "upgrade to federated login" prompt that they were shown after signing in.  Four of the six testers chose to go through the wizard, and the other two said they might skip it if they were trying to do something quick, but they would want to come back later and do it.  The "upgrade wizard" took them through the flow of federated login.  Once users were sent back to Netflix, I then showed an "education" screen where I told users that in the future they should click the yahoo or gmail buttons below the login box.  I then distracted them for a while pretending I was done with the test, and then said "oh, I forgot to test one more thing, can you just sign in again one more time?"  Of the 6 users, 4 typed their Gmail/Yahoo E-mail and password into the Netflix login boxes (just like in Yahoo's UX research), and only 2 remembered the "education" screen they had just seen a few minutes ago.  For the 4 who forgot, I then reshowed them a modified version of the education screen that asked them to please use this method in the future, with a button to go to Yahoo/Gmail to finish their current login attempt.  Those 4 were all slightly embarrassed, but all said the re-education screen was good, and that they liked the fact that once they got trained, they would no longer see it.
One thing I had planned to test was to ask people to sign up for Netflix instead of sign-in, and then on the signup screen once they typed a Yahoo or Gmail address, I would use JavaScript to suggest that they "upgrade" to federated login instead of creating yet another password.  I never did that in this scenario, but we did something very similar in the Google research we publicized.



After reading the details of Yahoo's research, I realized that this old study was half-way between the suggested UX of Google and Yahoo's published reports.  The only difference between this old study and Google's suggested UI is that we changed the login box to the new style described in our research.  However that technique still uses an education/re-education screen, and it had the same % of users who forgot the education the first time.  That technique also uses the idea of prompting existing yahoo/gmail users to "upgrade" to federated login, as well as looking for new accounts that users try to create for yahoo/gmail addresses, and redirect them to the federated login flow.  So the list of conclusions above suggests how these different user studies could be merged.



p.s. This summary is also posted to http://sites.google.com/site/oauthgoog/UXFedLogin/CombineGoogYahoo



Eric Sachs
Product Manager, Google Security
