[OpenID] Feedback requested: New OpenID RP login UX prototype

Andrew Arnott andrewarnott at gmail.com
Fri Nov 20 05:54:16 UTC 2009


Thanks, Shade.  I appreciate your thoughts, however I have some goals that
don't really lead to where you seem to be going with it.  Let me explain and
see if you agree...

The goal of this starter kit is to make it easy, and compelling, for web
sites to become OpenID RPs.  In addition, to make the login UI itself look
more uniform and predictable across RPs so users begin to expect "good" RP
behavior.  Therefore the starter kit takes the RP's needs into account at a
higher priority than promoting OpenID itself.  Sounds sort of like a
contradiction, but I'll clarify that.

One of the greatest risks a web site takes on by becoming an OpenID RP is
that their user base is dependent on OPs for their account access, and those
OPs may go down, either temporarily or permanently.  If an OP with a lot of
users (for that RP anyway) goes down, that's a very significant customer
service, and potentially legal and liability cost, to help customers recover
their accounts.  For this reason, only the very large OPs, that have a long
history and strong track record for profitability (lending to long-term
future) like Google and Yahoo will qualify for OP buttons so that the
majority of an RP's user-base is "safe".

So what role does the OpenID button play at all?  Well, the power user who
happens to know what OpenID is, may actually care enough to not want to use
the otherwise very convenient Google or Yahoo buttons.  And I definitely
want to cater to that.  Such a power user would also (*theoretically*!)
understand the implications of using an identifier that he/she may lose
control over in the future and make judgment calls based on that.  (also as
a mitigation, multiple identifiers can be bound to the same account).

So Shade, regarding your suggestions... An RP gains no profitability from
teaching users what OpenID is, nor from helping them choose an identifier
from an OP that the RP has less reason to believe will be around for a long
time.  Also, as you already brought up, encouraging a user to just type a
web site in, when most web sites aren't OPs (nor should they be), would
confuse and frustrate users when they don't work.

So I see the OpenID button as a backdoor for the guys in the crowd (like
me!) that would shout "hey, you say you take OpenID but all you take is
Google & Yahoo!" to keep them happy.  I summarize by saying that the Google
and Yahoo buttons sell the UX to the CEO, and the OpenID button sells the UX
to the web programmer.

Now, if given my reasoning/goals you still disagree, I'm happy to hear more
of your thoughts as you may change my mind. :)

Of course ultimately, this starter kit will ship with a "change anything you
want" license, so it's not like I have the all-powerful say of what these
RPs do.  If they want to enhance it to do more what you're describing,
they're certainly free to.  Although in the interest of a predictable UX for
the user, I hope we can come to a UX that is good enough for RPs to just
use.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Thu, Nov 19, 2009 at 9:00 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

>> If you could take a look at the site and help me figure out how to apply
>> your suggestions it would help me.
>>
>
> I like that the OpenID box autodiscovered Yahoo when I typed in "yahoo.com"
> there instead of clicking on the graphic. That box itself, though, could be
> a bit confusing - what is "OpenID", to the uninitiated? Perhaps have, in
> addition to that (recognizable) logo, another way of triggering the OpenID
> login field - an icon saying "Click here to type in the website yourself."
> or something like that. That can come later; the tricky part, how to prompt
> them for sites they enter passwords at (without completely replacing the
> current instructions), should come first.
>
> It would be nice to prompt users with "You enter a password ONLY at these
> websites:", but that's awkwardly phrased, and doesn't reliably convey the
> essential (proper) idea, anyway. Also, what if none of the sites (a user
> selects) are offering OpenID?
>
> Perhaps asking "Where have you entered your password before?", and placing
> that *below* the main (account) line, as if that's the feature description
> and the question provides directions on utilizing the feature? It lacks the
> security boost of associating "always enter your password at the appropriate
> site only" with OpenID, but seems understandable enough.
>
> Back to triggering the OpenID login field, then - I think most users grasp
> the click-to-activate (or click-to-select) concept today, so how about "Let
> me type it in myself" or "Let me type in the address"? (Are there any
> studies on how well users have absorbed terms like "URL"? I don't want to
> suggest using that, not knowing if it would be widely recognized.) The
> language aims to empower; "let me" suggests that the user can bypass a dumb
> machine's limits, "myself" that power is being given into their hands; but
> too many words extends the size of that button and complicates the sentence
> (it should be easy to read).
>
> Just semi-idle thoughts for now. Hope this helps you figure something out
> :)
>
> -Shade
>