Prompted by posts by Randy Reddig and Tony Stubblebine and a conversation with Elliott Kember, I wanted to address, yet again, the big fat stinking elephant in the room: OpenID usability and the paradox of choice.
Elliott proposed a pretty clear picture of what he thinks OpenID should look like on StackOverflow, given the relative value of each provider to him:
Compare that to how it actually looks today:
I’m with him. I get it.
We’re at this crossroads where it really doesn’t matter which OpenID provider you use — because while it might save you the hassle of creating yet another password — there’s little else that you can do with an OpenID beyond that.
And, if you’ve already got more than one OpenID, not much exists to help you decide which OpenID provider you should use (many people tell me: “I hate OpenID! I’ve got like 15 OpenIDs and I never know which one to use!”).
So on the one hand, we’ve done a poor job of building out the value of using an OpenID, and on the other, have failed to explain what it means to have an OpenID (or several) or how to go about deciding which one to use and why (hat tip to OpenID Explained for taking a crack at it).
Meanwhile, there’s a tension between the convenience of having one reusable and durable identity against the desire to express many aspects of one’s identity with many separate IDs, resulting in complex user interfaces.
Fortunately, OpenID as a technology can serve both needs, but communicating and demonstrating that effectively has remained a challenge.
Putting OpenID in context
For my part, I’ve used the metaphor of credit cards to try to explain OpenID:
- Online identity is moving from its “cash and check” era to the era of “credit cards”.
Before the advent of charge cards, payment systems were decentralized — inefficient, cumbersome, and prone to fraud. There were a number of different, non-interoperable payment mechanisms that took 30+ years to get straightened out. Indeed, the credit card system that we take for granted today (so much so that airlines have moved to relying on them as the sole form of in-flight payment) only came about in the late 90s, a good 70 years after Western Union began issuing the first credit cards.
Imagine OpenID taking 70 years to get mass adoption!!
Taking this metaphor at face value, it’s clear that we’re in the neonatal stages of the build-out of the OpenID network and still have much work ahead of us. Fortunately, adoption cycles have also accelerated — I don’t have the actual numbers off-hand, but I can tell you that it took longer than four years to get the first 500 million credit card users!
- As with credit cards, you can have as many OpenIDs as you like for different purposes. I presume that common divisions will fall along work, personal, and affinity lines:
…and of course there are cases I’ve not even considered yet
- To close out this metaphor, picking an identity provider should be like picking a bank or credit card provider: as a fourth-party service provider that advocates for your interest, since you’re their customer! Today, to Elliott’s point, there are not many obvious differences between providers; over time, I expect this to change and for this relationship to become core to one’s experience on (and enjoyment of) the web.
Instead of agreeing to terms of service that disclaim all responsibility to you, the customer, I hope that competition in the identity space will lead providers to actually take responsibility for their services — charging good money for doing so. If your account gets hacked — no problem! — your identity provider can put back the pieces and make things right again! You could even take out online identity insurance in case your identity is ever stolen — so you can always get back to your life and recover your data without the hassle and interruption when it happens today.
Which credit card company would you give your business to? The one that automatically credits back false charges on your account and investigates them or the one that harasses you when you travel and presumes the worst of you? I know which one I’d pick — and I’d apply the same decision heuristics to whoever provides my online identity.
The OpenID “NASCAR”
Apart from confusion over having multiple OpenIDs, the user interface that has resulted from having many top-tier providers in the space also causes confusion.
Elliott’s criticism of the StackOverflow OpenID interface is really aimed at the noise of the brand logos displayed as buttons — intended to help people sign in using an account they already have. This kind of interface is what Daniel Burka refers to as the “OpenID NASCAR” because all the logos look like a NASCAR racecar covered with brand stickers, all jockeying for your attention.
He’s got a point. Since he’s logging in with his Google account, he really only wants a Google button:
For all he cares, it could look like this:
…and the result would be the same thing.
Indeed, it is this kind of lack of choice that makes Facebook Connect so seductively compelling.
And dangerous.
It’s a frigging button. You can’t mistake it. If you argued that reducing choice increases the likelihood that the user will “get it right” and be able to sign in to your site, you’d be correct.
But, that kind of restriction of freedom of choice impairs healthy competition in the marketplace. And lack of competition is, generally, bad for the health of an ecosystem, and ultimately bad for the consumer.
The harmony in the Yin & Yang of Simplicity and Choice
Ignoring your actual preference for Coke, if this were the universal experience for buying soda, one might argue that simplicity and fewer choices are better:
But having choice is a better overall condition. Even when a popular brand is made more prominent, having alternatives means at least maintaining the illusion of control over one’s destiny:
(Original photo by Bryan Costin shared under the Creative Commons license.)
So the question is, how can we simplify OpenID so that anyone can use it without reducing freedom of choice? Well, what if the backend technology was fundamentally interoperable, but every site simply supported a button, like this:
…and upon clicking it, a new window would pop open and you’d be presented with a box, in which you could type just about anything: an email address, a URL, the name of a social network, your phone number… heck, you could even type your name (and if you were signed into a site like Facebook that leaks basic aspects of your identity), you could select yourself from a list of names and photos and then proceed through the typical OpenID flow to prove that you are who you are, completing the sign in process.
One problem that I’ve observed with OpenID input boxes, to date, is that they look far too similar to another solitary but familiar input box. Namely — the Google search box! …where anything goes:
Given the training that people have learned from using Google, we must balance the need for simplicity with the ability to make an informed personal choice about which identity to present to a site. Needs which are, in many respects, at odds. Yet, the future of OpenID depends on us unraveling these issues and developing suitable interfaces that are streamlined and straight-forward that also enhance individual freedom.
With the recently approved User Interface Working Group, headed up by Allen Tom from Yahoo!, and with the involvement of folks from Facebook and other organizations, I’m optimistic that we will make considerable progress this year.
And that ultimately, no, OpenID need not be hard. Making it so just won’t happen overnight.
Factory Joe 
This is just a simple observation but why would the “Log in with OpenID” (image) above promote any provider. I mean take your comment form, for example, it simply shows OpenID Enabled (with logo) next to Website with a slide down explanation. I personally think showing this next to a Login label would suffice and invoke more interest. I find it easier to insert a simple url than having to jump through login systems to leave a friggin comment.
I love the idea behind OpenID. I hate the implementation — HTTP URLs are completely wrong for this puprpose.
But the main problem with OpenID accessibility-wise is the potential for phishing. It trains people to entenr their, say, Google login credentials in a dangerous context. It will not happen all the time, but people will get used to being asked to authenticate to their OpenID provider from random websites. Most people aren’t able to grok the URL bar.
I hate to say this… but if I can choose between clicking on an openID button or a facebook connect button I’ll use facebook. It’s a one click wonder. When openID can sort that it might get some where. The whole ethos is too principled and mot pragmatic. All any one wants is something that works and is damn easy… like facebook connect. Open ID is becoming irrelevant imo – I’m not hating on you guys. This is a wake up call. If it’s so important then make it easy peasy to use.
Still do not understand the stubborn use of geek only language for the concept at hand. “Sign In”, “Sign on”, “Log on”, “Log In”, “Access”, etc. do not register with non-geeks. Those are all UNIX administrator terms.
If all the identity providers would use the same big button that says *ENTER*, then prompt for whatever, it would help.
@Cesar: someday, perhaps. But most people today don’t know (and don’t care) what OpenID is, let alone whether they have one. People respond to brands — so if they can say “Oh! Yahoo! I have one of those!” the chance that they’ll be able to sign in goes up.
@NM: I don’t buy the phishing argument. People are being trained to enter their credentials into any website, whether in a redirect or not. With OpenID, if you’re savvy, you can can increase the security of your accounts as you want; traditional username/passwords don’t allow me to set my own security preferences — and if I cycle between, say two or three passwords, it only takes one site leaking my password to hose me. I much prefer using fewer passwords in fewer places.
As for OpenID as URLs — this was my point at the end of my post — as well as why I’ve pushed for email-style identifiers.
@DC: …which is the whole point of my post! First, not everyone has a Facebook; second, even those who do may not want to use just one account everywhere, in which you may actually be losing customers!
@Todd: I hear you, but “Enter” betrays what’s actually happening, which is substantiating identity — who you are (or claim to be). It’s more than entry, since you want entry to YOUR stuff, not everyone’s. I think “Connect” is gaining because it’s like opening a pipe to your data — creating a connection (as you do with friends). I actually like the term, but it’s not accurate for what OpenID actually does, today.
I get your point Chris, really I do. You want choice – I want easy peasy 😀 One point though you mention there ““Enter” betrays what’s actually happening, which is substantiating identity”. 99% don’t care what is happening. They just want to enter. Look at Lifestreaming or APML. No one could be bothered to set it up for themselves. Yet facebook does exactly that at the click of an enter button. Same with driving a car, opening a refrigerator, turning on a tap – I just want to get from A to B, I just want a cold beer, I just want to wash my hands.
The Single button sign in is possible with the existing infrastructure. I what to bounce it off you sometime. I enjoyed the post.
All OpenID Providers that support the soon-to-be-finalized Popup Mode will have an OpenID sign in UX identical to Facebook Connect.
Unfortunately, we still have not found the best Call To Action for Relying Parties to display on their login screen. The NASCAR buttons still seem to be the best practice. I think there’s a lot of potential with displaying a freeform text box, and encouraging the user to enter their @gmail/yahoo/hotmail/myspace [or other OpenID enabled] email address.
The problem with the NASCAR buttons, as Brian Ellin pointed out, is that once you stick an OP button on your site, you can never get rid of it, unless you’re willing to lose the users who sign in using the button.
Good article, Chris, but your soda-machine idea is back-to-front.
I want one button for every outcome. That means one button for Fanta, one button for Coke, and one button for 7UP. That’s how a soda machine works. If it only serves Coke, it has to only have one choice button – Coke. Otherwise, each button should serve a different purpose. I know what I want from the machine, so I know what to choose.
You’ve given me 5 different buttons for Coke. That’s 5 different buttons for the same outcome, and that’s confusing. Which do I choose? That’s what the problem is here – OpenID includes loads of different buttons which have the same outcome: signing in.
I definitely think entering a URL is confusing to non-techies… something /like/ an email address would be more appropriate. However, the last a lot of people want to do is continue to leak their email address everywhere. It’s just asking for spam. Maybe a centralized solution like username@openidprovider would be better suited?
Great to see you driving the dialog Chris.
Enabling the user to not have to type something in will give OpenID much more appeal to the user.
An active client can deal with the usability and security issues. Not saying we require an active client, so still want someone to be able to use OpenID on a machine with no client — but that could be the exception instead of the rule.
I consider myself fairly internet savvy, especially compared to the general population. I thought I understood the idea behind OpenID when I registered, but for some reason it has never been simple for me to use. EVER. I am sure I could figure out its intended use if I gave it ten minutes of trying to understand, but I think it should be easy enough to just use without researching further. It’s not. At least it hasn’t been for me. I think it’s dumb. Sorry, just my opinion.
I agree that the purpose of OpenIDs is not explained thoroughly enough.
I was reading some of your past works and thought to myself, if Web 2.0 is about openness, why are so many social websites closed environments?
You have inadvertently just answered a question I just tweeted on twitter here; I was asking if it’s normal or acceptable to make an account to broadcast tweets (and reply to them) and a listening account to follow the feeds that tweet news way too often, and I think the answer is yes.
Agreed with Dick that smart clients can really make the discovery of your OpenID Provider quite a bit easier! Wrote about this a few months ago (http://radar.oreilly.com/2008/12/getting-openid-into-the-browse.html) using some of the same metaphors as applications like 1Password on the desktop.
We’re basically asking for a world where once you click that universal sign in button it figures out the right brands to show you depending on who you are and what you’re trying to do. For me that’s OpenID, for my Mom that’s Google and for my Uncle that’s Microsoft.
I find that Facebook is becoming the most pervasive of the sign-in options I see. Most likely this is due to the ease of use. Click the button, login to facebook, and .. boom I’m in. That being said, facebook is the least useful one for me. When I comment on a blog that requires registration I want to link back to my blog, not to my facebook profile. Some sites don’t allow the use of OpenID, they only use Facebook for Google connections. Sometimes I just move along because I can’t be “who” I want to be.
I am working on a site at the moment that attempts to solve this exact problem. My solution has a number of parts:
* Find out whether the user has been to various sites such as GMail, Facebook, Yahoo, Flickr etc. using the Javascript “visited” CSS pseudoclass hack.
* Only display the providers the user is most likely to have been to. i.e. don’t show AOL if the user hasn’t visited AOL (avoid the Nascar effect wherever possible).
* Each provider link should just be a button. A text box should appear prompting for the users’ username only if the OpenID URL for that provider requires it (sites like Yahoo and Google don’t require the username in the OpenID URL, but sites like AOL/Wordpress/LiveJournal do).
* If the user clicks the plain-old OpenID provider button, give them a URL since they clearly know what they’re doing.
The aim is to assist the user who thinks “oh yeah, I have a Gmail account I could use”, but doesn’t need or want to know about the OpenID URL scheme for it…even if it’s auto-filled for them.
The irony of this for me is striking, as Google Friend Connect, which lets you make any website accept OpenID in minutes, has a UX that solves that problem.
What it does is check if you are already logged in via Google, and if so it doesn’t show the ‘pick an OpenID provider’ dialog, but assumes you want to use Google.
The irony is that because so may of you are Google users, you didn’t notice it was using OpenID.
Obviously it would be good if this could be extended to know what other sites you already have logins with.
As for ‘little else that you can do with an OpenID beyond that’, the real value comes when you can couple an OpenID to a PortableContacts endpoint via OAuth, so logging in can bring your profile and friends too, and in future add an Activity Streams endpoint too, so that your activities can flow back to your preferred aggregator.
Friend Connect does this now by connecting disparate services that provide subsets of these features, but as more sites adopt the open standards they will be supported too.
I might be a little off subject. But here’s an Idea – why couldn’t OpenID’s be a pull vice push method. If OpenID could gather up my Other so called “Identities” (maybe through OAuth) from Google, Yahoo!, Facebook, Myspace etc.. and convey it somehow, maybe the OpenID logo surrounded by the providers with little arrows pointing in. That way it wouldn’t matter how you logged into any OpenID enabled site. If its through an email address or URL, OpenID would only ask that you verify yourself.
You could then also have some sort of browser add-on/extension that would automagically log you into any OpenID enabled website without having to manually enter creditials repeatedly.
I have to wonder why blogger often asks me for my login/password with browser password fill-in disabled. That’s just begging for phishers to ‘sploit it, just register wwwblogger.com or somesuch, copy a few files, and you’ve got yourself a brand new^Wused Google account.
If every RP knew my preferred OP, the problem would be effectively solved. Facebook Connect solves this by simplifying the set of OPs to one – Facebook. OpenID can go a couple of routes, either push this down into the browser, or set up a centralized preferences store that tracks one’s OP preference and provides a level of indirection for RPs. Google Friend Connect approximates the kind of experience you’d have with the latter.
I’m starting to think that we need to choose our poison: Centralized component or browser extension?
I wrote another one of those javascript openid selectors that uses jQuery so its tiny and flexible http://jvance.com/pages/JQueryOpenIDPlugin.xhtml
Since jumping on the OpenId bandwagon, I have only had the luxury to use it on stackoverflow and 39signals.
The idea behind it is very sound. Recently I have been really annoyed in having to sign up/register on sites to even leave comments. This is just painful, considering that 1 month later I will forget the username/password.
While using openId, the stackoverflow model works wonderfully. Why will I want a popup when I could do it directly on the page I am at. The less I have to do, the better. After all, who doesn’t have a google/yahoo/msn login already??
I hate OpenID for a couple of reasons. I am a software engineer, and even after reading a bunch of stuff about OpenID and getting how it works in principle, all the UIs I am presented with to actually use it are so confusing that I wonder how to use it. And when I actually go to the trouble of trying to use it, it generally does not work. stackoverflow.com is the only website for which it works for me consistently. All others, like blogger.com, typically fail at some point during the authentication. I also don’t want to be logged in to any service for long due to the increased security risks it causes.
I love the Facebook login, especially on sites like StackOverflow or Kotaku or any of those, I mean it is a social site where I can read comments or leave comments, why do I need all these choices. 75 Mil people are on FB, why not give me FB on every social site everywhere, must quicker and hell it is not like it is a financial site.
When it comes to Amazon then I agree no FB button, to easy to get my financial details then.
Hi there,
good discussion 🙂
Some bigger-picture comments at http://blogs.msdn.com/vbertocci/archive/2009/04/08/one-does-not-simply-walk-into-mordor-or-home-realm-discovery-for-the-internet.aspx
You fucked up OpenID when you welcomed Yahoo and Google in with open arms with their bastardized OID implementation. Many of us said it was going to fuck it up but you were so desperate for support that just went along and pretended nothing was wrong.
Now OpenID has to become something else if it’s to survive. Something that’s not longer decentralized. We have to rely on 3-4 major providers so we don’t have 50000 freaking icons at the login prompt.
– You do want the decentralized model where anyone can become an OP.
– The RPs don’t have to add a new button for every new OP that comes on board.
– The users shouldn’t have to type in URL.
– Users should be able to dictate their preference (either at RP via cookie or via a browser extension) and then don’t see the Nascar page again.
– The unified button should have a link to bring up the Nascar page if the user decides to choose his preferred OP.
http://itickr.com/?p=119
– Ashish
I love the discussion happening here!
What is the interface inside the popup?
One concern I have with the “Universal OpenID Sign In Button” that you propose here is that is just moves the existing interfaces we’ve seen into a popup. It does have the benefit of adding a universal call to action, but I believe we’ll see the same Nascar style patterns repeated inside the popup window.
I agree with Dick and David that we need to work towards building smart clients and browsers that are aware of OP preference.
Two thoughts:
1. Bookmarklet + standardized identification of OpenID form.
Add your OpenID providers bookmarklet to your browser – click on it when you are about to log in to an OpenID enabled site and it finds the form through some microformat-like classes and auto-fills in your URL and submits the form.
2. OpenID deed
The Creative Commons has done a very good job of describing very complex like licenses in a very easy to understand way. Maybe the OpenID Foundation should do the same thing for OpenID and provide a very short and easy description of what OpenID is.
Also providing a more or less standardized button that can be linked to it, like Creative Commons does, so that web site creators doesn’t have to describe OpenID themselves.
I really don’t get the problem here.
Why does everyone try to support 500,000 OID providers? There’s no point. Pick 2 or 3 for your site, and implement them.
HTTP is a protocol that lets me view web pages, but do I try to include *every* web page on one of my sites? no. OID is a protocol that let’s me verify user identities. There’s no benefit of trying to include *every* openID provider to the point of being confusing.
Yahoo doesn’t give you anything valuable as a consumer, so don’t even use it. What’s the point? Oh no, some yahoo users don’t use comments…. Maybe you’d make up for it by getting more comments from google users.
I’m building some OID plugins for my sites right now, but I actually don’t see a benefit to supporting Yahoo. I get nothing but a huge complicated string to identify the person. Wow, thanks. I almost want your users if it’s going to be that much work on my end. So, goodbye yahoo. Eventually, crappy OID providers will die off because no sites support them (unless all sites support them because geeks like to solve pointless challenges of supporting lame OPs)
Vote with your wallet – or website – don’t support every OID provider. Pick the ones that help you as a consumer.
The reason people use FBConnect is because you can get their first and last names, picture URL, maybe some names of friends, some interests, etc etc. With google federated login, it took a little research just to get what language the user speaks.
FB’s limited choice has helped, but if they treated their ID consumers like google or yahoo, it wouldn’t have the popularity it has today.
Sites that want to use Simple Registration or Attribute Exchange with the Yahoo OpenID provider should send a message to openid-feedback [at] yahoo-inc dot com to enable it.
In contrast to Facebook Connect, both Yahoo and Google will share the user’s email address, allowing the relying party to directly contact the user.
I have 3 open ids & trust I still am not able to figure how properly to use it. There is not one site that tells how to use them for somebody like who is not a comp-techie :((
I think a big problem that the general public has with current implementations is the name used on links and buttons. “Use OpenID”; “Log in with OpenID”; “Sign in with OpenID” all have a tendency to confuse people because they contain “OpenID” and people have no idea what that means. Yes, I know it’s the name of the thing but imagine me asking you to “use Refeget!” Would you have any idea what I’m referring to? (It’s a made up word that means nothing).
“Conncect with Facebook” works primarily because Facebook is so popular but it’s also successful because people get it. I think microformats detection plug-ins suffer from the same problem. Most of them detect “hCards” instead of “Contacts” or “hCalendards” instead of “Events”.
Designers fight trench battles to persuade hospitals to use nomenclatures such as “Ear/Nose/Throat” rather than “Otolaryngology” when doing wayfinding systems and I bet more people would know what “Otolaryngology” means compared to “OpenID”.
I don’t really have a solution, but there must be a way to separate the name of the technology from the language used in the interface to guide actions. Something along the lines of “Conncect with existing account” maybe? If I can use an account I already have, great. If not, guide a sign-up workflow for a preferred openID provider.
The OpenID I use most often is an i-name (“=chris.hills” or “xri://=chris.hills”) since it is short and sweet, and has proper service discovery through xrds.
http://dev.inames.net/wiki/XRI_and_OpenID
I like Emir’s point about the name OpenId and the possibility that people who don’t live and work around the internet might not understand the name and what it entails.
I’m assuming they tested that name?
– Would be nice if the open-id-provider selection could be left to the browser!
– Also since it is so easy to set up an open-id provider, I think a website admin should care which providers are used.
Stephan