[OpenID] Combining Google & Yahoo user experience research

Dick Hardt dick.hardt at gmail.com
Fri Oct 17 18:31:17 UTC 2008


On 14-Oct-08, at 11:48 AM, Allen Tom wrote:

> John Panzer wrote:
>>
>>
>> I can also think of #4:  I have existing legacy systems that are  
>> based on having the verified email address (especially as a foreign  
>> key), and want to migrate incrementally, if at all.
>
> Bingo!
>
> Sites need to have a realistic migration path to OpenID. Many sites  
> have registration systems keyed off of the user's verified email  
> address, and they'd probably want to minimize the changes in their  
> backend systems to support OpenID.
>
> I do think that URL based identifiers are ideal, however it seems  
> that RPs may want an even lighter weight way to start using OpenID,  
> so defining a use case for Email Verification could be a way to  
> transition RPs to OpenID.

The UX flows I have seen ask the user to merge an existing account by  
logging in with their existing username/password.

The UX of getting a verified email and then auto binding an existing  
account is cleaner. It does mean that if I can prove I have your email  
address, that I can take over your account. Seems to broaden the  
attack surface rather than narrow it.

-- Dick
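
The two merge flows compared in this message, as an added example that is not part of the original thread or any participant's code. The store layout, function names and sample values are hypothetical and constructed for illustration; the email passed in is assumed to be whatever address the OpenID provider asserted as verified.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    # Password hashing for the constructed legacy store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Hypothetical legacy account store keyed by verified email address."""

    def __init__(self):
        self.by_email = {}  # email -> {"salt", "pw", "openids"}

    def register(self, email, password):
        salt = os.urandom(16)
        self.by_email[email.lower()] = {
            "salt": salt, "pw": _hash(password, salt), "openids": set()}

    def check_password(self, email, password):
        acct = self.by_email.get(email.lower())
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw"], _hash(password, acct["salt"]))


def bind_auto(store, claimed_id, asserted_email):
    """Auto-bind: the asserted email alone authorises the merge, so whoever
    can get that address asserted gains the existing account."""
    acct = store.by_email.get(asserted_email.lower())
    if acct is None:
        return False
    acct["openids"].add(claimed_id)
    return True


def bind_with_login(store, claimed_id, asserted_email, password):
    """Merge by login: the email only locates the account; the existing
    credential is what authorises attaching the new identifier."""
    if not store.check_password(asserted_email, password):
        return False
    store.by_email[asserted_email.lower()]["openids"].add(claimed_id)
    return True
```

With `bind_auto`, the account's security reduces to that of the email assertion; with `bind_with_login`, an identifier is attached only when the caller also holds the existing credential.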



