[OpenID] New OpenID Customer Research Activity - Google research on federated login
Allen Tom
atom at yahoo-inc.com
Wed Sep 24 03:53:58 UTC 2008

Eric - thanks for publishing the results of the Google OpenID usability
study. I believe that the biggest obstacle preventing OpenID from being
widely adopted is the usability issues which can be painfully
experienced by anyone trying to use OpenID for the first time, and which
are nicely documented in your usability study.

I'm reluctant to endorse an approach which assumes that the user's
OpenID Provider is also their email provider, and I'd prefer to find a
solution that does not relegate email-less OPs to be second-class
providers. The proposed solution also makes the email address the
de facto universal identifier, rather than the OpenID URL, making the
OpenID protocol just a browser-based email verification system.

This approach prevents the possibility of issuing RP-specific disposable
email addresses to help prevent spam, and also makes it problematic for
the hybrid OpenID+OAuth protocol, as an OP/SP could only provide
services for users who use the OP/SP's email.

George Fletcher wrote:
> I do have a security concern with this approach in that most likely the
> AOL user will enter their AOL password because of the past experience.
>

I also believe that presenting a username/password combo is a bad idea,
from a security perspective. Based on our own usability studies, Yahoo
users will type in their YahooID/Password.

That being said, most newer websites allow users to sign in using their
email address, and will reset the user's password via email. As Simon
Willison mentions in his OpenID talks, allowing OpenID for login is
equivalent to allowing a password to be reset via email, just with a
much better user experience.

Allen