[OpenID] New OpenID Customer Research Activity - Google research on federated login

George Fletcher gffletch at aol.com
Tue Sep 23 15:02:59 UTC 2008


Some thoughts after reading through the summary 
(http://sites.google.com/site/oauthgoog/UXFedLogin) page...
> Fortunately, even though they are confused, nearly all users did enter 
> their E-mail address and clicked the login button.  As long as they do 
> that, it does not matter whether they chose Yes or No in the UI, nor 
> does it matter whether they typed a password.  Buy.com just needs to 
> know that their domain is aol.com, and can then redirect them to AOL 
> to verify their identity.
I do have a security concern with this approach in that most likely the 
AOL user will enter their AOL password because of the past experience. 
This causes a security leak for the user even if buy.com is not just 
throwing away the value.

Would it not be possible to use AJAX to check the user's entered email 
address against the buy.com database to see if they've registered and 
if so, hide all the options and just show the user the login button? Or 
maybe replace the "Help me login" and "I have a password" options with 
text that says, "you are already a member of buy.com via your AOL 
identity. All you have to do is click the login button?"  I suppose that 
might scare some users because they would think their account doesn't 
have any password at all.

Great research. It really helps to identify the problematic cases and 
where we need to focus UI efforts.

Thanks,
George


Eric Sachs wrote:
> Last week the OpenID Foundation held the first meeting of their 
> Content Provider Advisory Committee to gather feedback on how to 
> evolve the best practices for using OpenID so that it might be used by 
> websites in a larger number of market segments. The meeting included 
> representatives from many mainstream content websites including The 
> New York Times, BBC, AARP, Time Inc., and NPR.  I attended from 
> Google, and thought the team who pulled together the meeting did a 
> great job arranging it.
>
> Google has been researching federated login techniques, and at the 
> meeting we showed how a traditional login box might evolve (see below) 
> to a new style of login box that better supports federated login.
>
> <http://sites.google.com/site/oauthgoog/UXFedLogin>
>
> We also shared a summary 
> <http://sites.google.com/site/oauthgoog/UXFedLogin> of our usability 
> research that explains how this helps a website add support for 
> federated login for some users without hurting usability for the rest 
> of the website's user base.  This research is not yet finalized, and 
> we are still working with a bunch of companies to gather more feedback 
> to tune this research.  If you have any feedback, feel free to get in 
> touch with me.  However, more generally we hope people will continue to 
> contribute to the user experience discussions that are happening 
> regarding many different use cases for OpenID, and not just the one 
> covered in this research document.
>
> p.s. For Google's original blog post on this research, please refer 
> to http://google-code-updates.blogspot.com/2008/09/usability-research-on-federated-login.html
>
> Eric Sachs
> Product Manager, Google Security
>
>   
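
The AJAX check George proposes, sketched as an added example that is not part of the original thread or of any site's code: the form asks whether the typed address is already linked to an identity provider and, if so, hides the password field and drops whatever was typed into it before a request is built. The names `lookupLoginMethod` and `planLogin`, the response shape, and the sample accounts are assumptions made for illustration.

```javascript
// Constructed sample records standing in for the site's account store.
const SAMPLE_ACCOUNTS = new Map([
  ["alice@aol.com", { federated: true, idp: "aol.com" }],
  ["bob@example.org", { federated: false }],
]);

// Hypothetical server-side handler behind the AJAX lookup.
// Unknown addresses and password accounts get the same answer, so the
// endpoint only distinguishes accounts already linked to an identity provider.
function lookupLoginMethod(email, accounts = SAMPLE_ACCOUNTS) {
  const normalized = String(email).trim().toLowerCase();
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(normalized)) {
    return { method: "invalid" };
  }
  const account = accounts.get(normalized);
  if (account && account.federated) {
    return { method: "federated", idp: account.idp, email: normalized };
  }
  return { method: "password", email: normalized };
}

// Hypothetical client-side step: decide what the form shows and what it sends.
// For a federated account the typed password is dropped before any request
// is built, so it never leaves the browser.
function planLogin(form, lookup = lookupLoginMethod) {
  const result = lookup(form.email);
  if (result.method === "invalid") {
    return { action: "error", showPassword: true, body: null };
  }
  if (result.method === "federated") {
    return {
      action: "redirect",
      idp: result.idp,
      showPassword: false,
      message: "You are already a member via your " + result.idp +
        " identity. All you have to do is click the login button.",
      body: { email: result.email }, // no password field at all
    };
  }
  return {
    action: "post",
    showPassword: true,
    body: { email: result.email, password: form.password || "" },
  };
}
```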


