[OpenID] Combining Google & Yahoo user experience research
Martin Atkins
mart at degeneration.co.uk
Wed Oct 22 23:00:57 UTC 2008
Chris Messina wrote:
>
> I'm against the notion of verifying email addresses with OpenID.
>
> I think email addresses used as identifiers are at best hints that
> resolve to a typical http/https URL.
>
> Setting the expectation that OpenID can be used to verify a specific
> email address seems fraught with disaster, since I would think that the
> expectation of a "verified email address" would be that the owner of
> such an address would be able to receive emails with it. Email in OpenID
> should be primarily for hinting at where a user's OP lives on the web;
> if it happens that the email identifier provided results in a matching
> returned email address (via SREG, AX or PoCo), you can consider it
> coincidence.
>
> I'm a proponent of emails-as-identifiers insomuch as it means that
> OpenID will be significantly more palatable for users who are accustomed
> to identifying themselves to sites as an email address. Expanding the
> scope to email verification seems bound to failure in the wild.
>
It seems to me that a big thing that came out of this UX research is
that registration with OpenID has too many steps. Being able to remove
one of the most annoying steps -- having to jump off on a tangent and go
check my email before I can continue -- would, in my opinion, be a big win.
I think it's important to also consider that most legitimate users have
no reason to lie about their email address, and "illegitimate users"
(spammers, presumably) already manage to circumvent the traditional
verification flow just fine.
The current sign-up flow with OpenID is:
* Put in your OpenID identifier
* Do whatever you need to do in your OP's UI
* Enter an email address if your OP didn't provide one via SREG.
* Go check your email and click the silly link.
It would be wonderful if we could reduce that to:
* Put in your email address.
* Do whatever you need to do in your OP's UI
For the overly-paranoid RP, there's the option of whitelisting certain
providers that give good answers and subjecting everyone else to the
traditional email verification flow. I wouldn't like that much for my
own purposes (I have my own vanity domain), but it'd solve the problem
for most people using personal email addresses.
As long as the verification process is under the control of the same
entity that controls the MX record for the domain, I really don't see
the problem here.
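The allowlist idea in the message above, as an added example that is not part of the original post or of any OpenID library: a relying-party policy that accepts an email address asserted by the OP (via SREG/AX) without sending a confirmation link only when the OP is on the RP's allowlist and that OP operates every MX host for the address's domain, falling back to the traditional confirmation flow otherwise. The provider allowlist, the MX table (a stand-in for a DNS lookup so the example runs offline) and all function names are constructed assumptions.

```python
"""Relying-party policy for trusting an OP-asserted email address.

Added example, not code from the OpenID list thread or from any OpenID
library. The OP allowlist, the fake MX table and every identifier here
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist: OP endpoint hostname -> mail exchanger hostnames
# the RP believes that provider operates (the "providers that give good
# answers" from the message). Illustrative .test names only.
TRUSTED_PROVIDERS: Dict[str, List[str]] = {
    "op.example-google.test": ["mx1.example-google.test", "mx2.example-google.test"],
    "op.example-yahoo.test": ["mx.example-yahoo.test"],
}

# Constructed stand-in for DNS MX answers (trailing dots and mixed case
# mimic what a real resolver returns).
FAKE_MX: Dict[str, List[str]] = {
    "example-google-mail.test": ["mx1.example-google.test.", "MX2.example-google.test."],
    "example-yahoo-mail.test": ["mx.example-yahoo.test."],
    "vanity.test": ["mail.vanity.test."],  # self-hosted domain, like a vanity domain
}


def lookup_mx(domain: str) -> List[str]:
    """Offline replacement for an MX query; a real RP would use DNS here."""
    return FAKE_MX.get(domain.lower(), [])


@dataclass(frozen=True)
class Decision:
    trusted: bool   # True: accept the address as verified; False: send the link
    reason: str


def _split_email(addr: str) -> Optional[Tuple[str, str]]:
    """Return (local, domain) for a plain local@domain address, else None."""
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain or "." not in domain:
        return None
    return local, domain.lower()


def decide_email_trust(op_endpoint: str, asserted_email: str,
                       mx_lookup: Callable[[str], List[str]] = lookup_mx) -> Decision:
    """Decide whether the RP may skip the confirmation mail for this address."""
    parsed = _split_email(asserted_email)
    if parsed is None:
        return Decision(False, "malformed address; reject")
    _, mail_domain = parsed

    # Only an https endpoint identifies the OP reliably enough to consult
    # the allowlist (policy choice of this example).
    url = urlparse(op_endpoint)
    if url.scheme != "https" or not url.hostname:
        return Decision(False, "OP endpoint not https; confirmation mail required")
    provider_mx = TRUSTED_PROVIDERS.get(url.hostname.lower())
    if provider_mx is None:
        return Decision(False, "OP not on allowlist; confirmation mail required")

    # The OP must control delivery for the whole domain: every MX host
    # has to be one the provider operates, not just one of them.
    mx_hosts = {h.lower().rstrip(".") for h in mx_lookup(mail_domain)}
    if not mx_hosts:
        return Decision(False, "no MX for domain; confirmation mail required")
    if not mx_hosts.issubset({h.lower() for h in provider_mx}):
        return Decision(False, "domain's mail is not delivered to this OP; confirmation mail required")
    return Decision(True, "OP controls delivery for this domain; accept without confirmation")


if __name__ == "__main__":
    for op, email in [
        ("https://op.example-google.test/openid", "alice@example-google-mail.test"),
        ("https://op.example-google.test/openid", "bob@vanity.test"),
        ("https://op.unknown.test/openid", "alice@example-google-mail.test"),
    ]:
        d = decide_email_trust(op, email)
        print(f"{op} asserts {email}: trusted={d.trusted} ({d.reason})")
```

The subset check is deliberate: if any MX host for the domain is run by someone other than the allowlisted OP, mail for that domain can be delivered where the OP has no control, so the OP's assertion says nothing about who receives the mail, and the RP should still send the link.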