<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Shade,<div><br></div><div>You bring up an important topic, and one that is very difficult to address.</div>
<div><br></div><div>First, I think that the mental model of "identity" in the general populace does not well match the model that many of us share, and user education [alone] is always a nearly-impossible approach to changing behavior.</div>
<div><br></div><div>Second, the behavior that you've described is a hard one to combat for many reasons. For one, as you said, people have been "trained" to cough up their password whenever someone asks so that they can move on. My intuition tells me that the password prompt is the new clickwrap screen and people just plow right through it without even thinking about who's asking for the password. Of course this explains why phishing is so successful.</div>
<div><br></div><div>Thus, given this, I think there needs to be a somewhat different model advanced, where an individual closely associates some aspect of their profile (be it profile data, friends, photos, etc.) with a given identity or identity provider.<br>
<br></div><div>I wrote more about this on my blog:</div><div><br></div><div><a href="http://factoryjoe.com/blog/2009/11/27/designing-for-the-gut/" target="_blank" style="color: rgb(7, 77, 143); ">http://factoryjoe.com/blog/2009/11/27/designing-for-the-gut/</a></div>
<div><br></div><div>In sum, don't try to develop a solution that is rational per se — or front-loads the sign-in task — but instead one that aligns with one's "gut" feeling about where they are or what they're trying to do.</div>
<div><br></div><div>If you rephrased your proposal to be more like "perhaps we could help people understand that they store their 'identity stuff' somewhere other than the website they're currently on and need to go get it", maybe then you'd have a closer framing to how regular folks think about this kind of stuff.</div>
<div><br></div><div>In other words, no one thinks about "identity" explicitly — I imagine they have a near-approximation of who they "are being" in that moment, and then act accordingly, just as you use a pseudonym on this list but probably your real name when you interact with, say, your family. You know not to sign your posts with anything but Shade, and to send emails from a specific email account. You do this all implicitly; instinctually. You don't need to think about it.</div>
<div><br></div><div>In a similar way, we need to design solutions that map to people's mental models of themselves as actors in the world doing things... and then go from there.</div><div><br></div><div>Chris</div><div>
<br></div></span><br><div class="gmail_quote">On Sat, Nov 28, 2009 at 10:05 AM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Thinking on the past discussions about countering users' training to enter their passwords at a prompt, I wonder if they can instead be trained to enter their actual password when at the main site, and 'identity' (or 'openid', or any number of accepted synonyms) when elsewhere, thus providing a solution to two problems:<br>
<br>
1) Counter-training users instead of un-training them (the latter weakens their habits at the main site).<br>
2) How to indicate that they want to log in with an OpenID (external) Identity rather than log in as a normal user for the RP/site in question.<br>
<br>
-Shade<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net">http://openid.net</a><br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>