<div dir="ltr">Shade, I don't think it would be so bad if users got stuck midway at the point of "SSO is done by big-name sites". Think about it. We nerds like our control and thorough understanding and flexibility behind OpenID. My mom couldn't care less. She just wants to log in. If the Internet can eventually train the average user to click "Log in with your Yahoo! ID" and type in a credential to just one (or a small handful of large OPs) and not ever share that credential with third parties, we've done a great service. The average user has nothing to gain (and a whole lot to lose!) by discovering and choosing a small OP site. <br>
<br>The majority of users (>90%) on the Internet <i>should</i> pick very large, reputable OPs like Yahoo! to host their identity because they won't know the security risks inherent with picking smaller ones. Yes, I think that every RP should offer the ability to log in with any OpenID the visitor cares to use. But the few big names ought to be one-click easy to log in with.<br>
<br><b>To take OpenID to the general public, we need one-click login with at most 3 options for login buttons, like what the "Log In With Your Yahoo! ID" offers. <br><br></b>The IDSelector is a poor user experience in my opinion. It screws up input focus, it shows itself when the user is not expecting it, it blocks everything behind it lower in the form making it difficult and frustrating for an ordinary user to fill out the rest of the form below the box, etc. etc. And as this usability study showed, and my own tests, it's not simple enough. The only thing simple enough for getting the general public to make the necessary transition from "give my password to anyone that <i>says</i> they need it" to "hoard it like your wallet" while we retrain them is a single button. <br>
<br>Yes it's great that OpenID decentralizes the OP, but the <i>average user doesn't care</i>. The average user just wants to log in. And since the average user very often already has a Yahoo account (or Google, or Live ID, etc.), the easiest and most likely way to get everyone using OpenID is to (in my opinion) stick a "Log in with your Yahoo! ID" button on every RP page, and a very small, out of the way, OpenID text box where people can type in their own special OpenID if it is something less common. We nerds will be able to find that out of the way box, but the Yahoo button must be the most prominent. <br>
<br>The IDSelector offers some 15 OPs. Most users have no idea what to do with so many choices! (because they see them as opaque choices that they have no bearing to choose from). Let's get everyone using OpenID without even realizing it. And at the same time (somehow) train them to hoard their password. Once we have that done (5+ years), we can start introducing to users the idea that "hey, by the way, if you want you can actually choose another provider to host your identity." And most of them won't care, because it won't matter -- as long as their first choice was a secure one. <br>
<br>Bear in mind, I'm partly using Yahoo as an example here. I think <a href="http://myopenid.com">myopenid.com</a> might be a fine choice as well, except most people haven't heard of it, so Yahoo would do better with recognition to people.<br>
<br><div class="gmail_quote">On Fri, Oct 10, 2008 at 1:08 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Martin - those are excellent points about using a few big providers<br>
to shift users' awareness a bit at a time. I'm worried about what<br>
happens when we get midway, though - will users continue to<br>
transition the rest of the way, or get stuck at the point of "SSO is<br>
done by big-name sites."?<br>
<div class="Ih2E3d"><br>
>I agree that at this point users shouldn't be seeing the name "OpenID"<br>
>as the primary brand for logging in.<br>
<br>
</div>Interesting thought, there - should OpenID be the underlying<br>
technology, and respective implementations the actual brand names? I<br>
think it's important for big providers to have high visibility of the<br>
OpenID technology, so users aren't misled into thinking that the<br>
underlying technology is created/owned by those big sites - if they<br>
were to then see the same service offered at many smaller sites,<br>
OpenID could be seen as "something made by large companies that was<br>
later opened to smaller sites" instead of what we can *now* clearly<br>
see as an open technology that is available to ANY site.<br>
<br>
Something like the proudly displayed Verisign logo, where sites show<br>
off that their security is confirmed by a highly reputable name - if<br>
the big sites could showcase OpenID in that same way, that would be<br>
really neat :)<br>
<br>
-Shade<br>
<div><div></div><div class="Wj3C7c">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>