[OpenID] Combining Google & Yahoo user experience research
Dick Hardt
dick.hardt at gmail.com
Fri Oct 17 18:31:17 UTC 2008

On 14-Oct-08, at 11:48 AM, Allen Tom wrote:
> John Panzer wrote:
>>
>>
>> I can also think of #4: I have existing legacy systems that are
>> based on having the verified email address (especially as a foreign
>> key), and want to migrate incrementally, if at all.
>
> Bingo!
>
> Sites need to have a realistic migration path to OpenID. Many sites
> have registration systems keyed off of the user's verified email
> address, and they'd probably want to minimize the changes in their
> backend systems to support OpenID.
>
> I do think that URL based identifiers are ideal, however it seems
> that RPs may want an even lighter weight way to start using OpenID,
> so defining a use case for Email Verification could be a way to
> transition RPs to OpenID.

The UX flows I have seen ask the user to merge an existing account by
logging in with their existing username/password.

The UX of getting a verified email and then auto binding an existing
account is cleaner. It does mean that if I can prove I have your email
address, that I can take over your account. Seems to broaden the
attack surface rather than narrow it.

-- Dick
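
The two binding flows compared in the message above, as an added example that is not part of the original message or of any OpenID library. The `RelyingParty` class, its method names, and the sample addresses and identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    openids: set = field(default_factory=set)


class RelyingParty:
    """Constructed RP whose legacy accounts are keyed on the email address."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, password):
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, hash_pw(password, salt))

    def owner_of(self, claimed_id):
        # Which legacy account, if any, this OpenID identifier now logs in to.
        return next((a.email for a in self.accounts.values()
                     if claimed_id in a.openids), None)

    def bind_auto(self, claimed_id, asserted_email):
        # Auto binding: the provider-asserted email alone selects the account,
        # so the account is only as strong as that email assertion.
        acct = self.accounts.get(asserted_email)
        if acct is None:
            return False
        acct.openids.add(claimed_id)
        return True

    def bind_with_login(self, claimed_id, asserted_email, password):
        # Merge by login: the existing password is also required before the
        # identifier is attached to the legacy account.
        acct = self.accounts.get(asserted_email)
        if acct is None or not hmac.compare_digest(
                acct.pw_hash, hash_pw(password, acct.salt)):
            return False
        acct.openids.add(claimed_id)
        return True
```

With `bind_auto`, any identifier presented alongside an accepted email assertion becomes a login for the existing account; `bind_with_login` leaves the account unchanged unless the existing credential is also supplied.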