[OpenID] New OpenID Customer Research Activity - Google research on federated login

Dick Hardt dick.hardt at gmail.com
Thu Sep 25 16:35:19 UTC 2008


On 25-Sep-08, at 9:20 AM, Scott Kveton wrote:

>> Decoupling email from OpenID identity is desirable from a privacy point of
>> view in addition to being significantly more flexible.
>
> From a technical perspective, absolutely.  However, in practice, users
> are still using their email address as an identifier and as much as we
> might not like it, that's what's happening.

Let's be clear, sites are asking for the user's email address --
users in general are not typing in an email address to be their username.

The advantage to a site of an email address is it is guaranteed to be  
globally unique (user does not have to keep trying different usernames  
to find one that is available). It also doubles as a mechanism for the  
user to reset their password. Another big advantage is that it is much
less likely the user will forget their email address over a username
specific to the site.

>
>
>> At Sxip we built a prototype for creating a SAML assertion of a verified
>> email address. We used AX to store and request the verified email, and
>> demoed this at an IIW over a year ago.
>
> Based on the feedback from the Content Provider meeting in NYC, it was
> clear that people are looking for solutions and not a bunch of
> technology for what the market and usability studies are showing to be
> edge cases.

I think you are stating the obvious here.

> Sign the user in quickly, provide basic profile information to the
> site and don't confuse the user.  If you have to explain privacy,
> OpenID, URLs, implications on global warming, etc., then we've failed.

Sxipper does this. Site does not even need to do anything. Works with  
existing password and profile forms. Click of a button and the user is  
logged in!

If this is all that OpenID is going to solve, then it is overkill.

-- Dick


