OpenID Usability Non-solutions

At work we’re building our new centralized authentication solution. Allowing OpenID logins is not part of our first release, but it’ll follow at some point in the future, at least if Rob has any say in it. Even though I’ve had an OpenID identity for as long as anyone, use mine extensively and have even implemented my own provider, I’m not convinced it’s a good idea to only support OpenID logins.

The approach taken by Magnolia (who only support OpenID logins these days) and IDSelector (which is supposed to make OpenID usable) is to allow users to log in with any of their existing accounts that offer OpenID (Yahoo, Livejournal, AOL, etc). The thinking behind this is that users don’t have to remember a new username and password this way. This thinking is backwards. Users already remember their usernames and passwords. Web browsers remember passwords, and people use consistent usernames and password patterns across sites. Both software and humans have adapted to this problem. People haven’t adapted to remembering which account they used to sign into a site.

If I sign up for Magnolia using one of the accounts I have (of the 7 external account types they offer, I have 5), what happens in 2 weeks when my cookie expires and I need to log in again? Even though I might use the same password across all of those accounts, there isn’t an easy way for me to remember which account I chose to use to log in. Fundamentally, this approach to OpenID doesn’t give users fewer things to remember, but more.

I think a better approach is for sites to allow either local logins or OpenID identities. When offering OpenID logins, it’s important that sites help educate users about the value of OpenID rather than hiding it.

3 replies on “OpenID Usability Non-solutions”

  1. Ian,

    Great point about people already being conditioned to remember usernames/passwords. Remembering which account you used is a new paradigm which people aren’t used to. If they forget which account they logged in with, what is the recourse? Logging in with OpenID, however, is essentially the same as just remembering the “username” portion of the username/password combo.

    The idea with IDSelector is to help the user log in *and* educate them about OpenID. For example, if a user selects Livejournal from the IDSelector box, while they type their LJ username into the box the widget fills in their full OpenID URL into the OpenID input field. Other implementations, like Magnolia, ask for the LJ username and then generate the OpenID URL for them behind the scenes.

    This little bit of education is important, so that when the user visits another OpenID enabled site, or when that cookie expires, they have a better chance of remembering their OpenID and logging in successfully.

  2. I had a reply crafted similar to Brian’s and then the WordPress OpenID plugin ate it… I love the bleeding edge.

    The basic point was that the proliferation of OpenID providers has made getting into the technology more confusing and ideally you would use the same account each time using tools like the ID Selector or Emailtoid to make it so you just have to remember a username or email address that is easy to remember.

    Also that sites like Ma.gnolia accept only externally verified identities because that frees them up from creating a way to manage accounts, to focus on making an awesome social bookmarking site. With OpenID you can have your data secured with a provider whose sole focus is securing your data online.

  3. @Brian, I’m not sure that many users will notice that URL being constructed and remember what it was. I think it’s worth trying things like this and seeing what kinds of education measures work. Does Janrain have any stats on its success?

    @Kevin, I understand the appeal of avoiding account management overhead when developing a web site, but I don’t think current OpenID solutions solve this problem. If we start to see widespread adoption I’m worried we’ll see “forgot OpenID” forms pop up where “forgot password” forms used to live. Also, your OpenID provider doesn’t secure your data, they secure your identity. Your data is still stored all over the web.
