According to adrianh in his comment to an answer:
Every single time I have /tested/ openid with "normal" users as opposed to technical folk it's caused more problems than it's solved. Every. Single. Time. Has anybody's experiences been different?
What makes it so difficult to use? How could those issues be solved?
Answer
Why is it wrong?
OpenID has several drawbacks:
You're actually going to a totally different website in order to register or authenticate. This is not how things ordinarily work. For years, registration and authentication for a website were done on the same website: the user was moved to a different website either because he wanted to, or because he was redirected to an advertisement.
Switching to a place completely unrelated to the original website in order to register or authenticate creates frustration. The same frustration exists when you're redirected to a different place when paying online. The difference is that frustration during payment is balanced by the technical choices (asking for credit card numbers on a website requires lots of security measures which are expensive and beyond many programmers), as well as, sometimes, users' trust (I don't give my credit card number to a website I found two hours ago; it's different for PayPal or Google Checkout). The same balance doesn't exist for OpenID.
Count the number of clicks you need to authenticate or register with OpenID (if you don't have OpenID in the first place). It's high. Compare it to simple authentication:
- Click on an element on the page you are on to open the authentication panel.
- Enter your credentials.
- Submit. Congratulations. You're done.
or the simple registration:
- Click on an element on the page you are on to open the authentication panel.
- Click on the registration link.
- Enter your credentials.
- Submit. Congratulations. You're done. Unless you must confirm your e-mail address first, in which case it sucks.
The same issue exists for example for Gravatar, and was mentioned in one of the recent SE podcasts.
Several OpenID providers require a choice. Making a choice is scary. Example: Stack Exchange gives basically four providers: Stack Exchange itself, Google, Facebook and Yahoo!. This creates several questions for a user who doesn't have a clue:
- If I pick Google, will SE know my Google password? I don't want that.
- Let's imagine I don't have an account on Yahoo!. Can I still use Yahoo! to authenticate?
- Let's say I have a Facebook account, but it's a bit personal and highly lolcatz'y. Would it affect my rank on Stack Exchange? Would other users see that I'm related to the Facebook account?
When registering an OpenID account on a website, OpenID providers scare users. They often say that the target website will obtain access to personal information, etc. If you read carefully, you understand that there is nothing dangerous. If you don't read, you imagine that the website will be able to access your GMail account, know the names of your kids, etc.
When an application (i.e. something which works outside a browser) requires switching to a browser to authenticate (for example on mobile devices), it creates one of the poorest user experiences I've seen. I don't think there is an easy way to solve this issue, and consider the issue outside the scope of the question.
Here's an imaginary situation where a non-technical person discovers OpenID with the help of a person who knows how to use it:
— Ok, let's register on Stack Exchange. Fine, there is a "Sign up" link. I'm clicking on it. Wait... what are those four logos? Why isn't Stack Exchange the only one? I'm registering on Stack Exchange, right? So why is it asking about Google, Facebook, etc.?
— In fact, the other three logos enable you to avoid creating different credentials for SE. You can simply use for example your Google account.
— Different credentials? I don't understand. I use the same ones on every website.
— This is not very secure. You're expected to use different passwords on every site.
— But you're suggesting that I use Google to register on SE. Doesn't it mean that the same password will be reused?
— No. In fact, only Google will ask you for a password. SE won't have any record about your password and let Google do all the work.
— I get it. Let's click on Google. Ok, it asks to provide my credentials. Here they are. "...stackexchange.com would like to: View your email address [Cancel] [Accept]". Hm. Ok. Let's say it can, while I don't actually understand the point.
In short, OpenID:
- Makes simple things difficult, requiring additional clicks,
- Creates unneeded confusion, requiring additional choices,
- Switches the user to another website, visually different, while the user expects to remain on the same website.
How can we make it right?
Don't force me into a choice.
There should be one provider by default. An option should be available to let the user pick a different provider.
Don't switch websites visually.
Nobody among non-technical people looks at the URI. Switching to a different SLD technically doesn't do any harm. But the visual aspect should remain the same. This can be done by making the visual aspect (and partially the content itself) customizable, but it may create security risks.
Require as few clicks as possible.
Registration through a BetterID should be as fast as an ordinary registration. You click on a "Sign up" link which switches you directly to the BetterID provider website (with an option, there, to move to a different provider), you enter your existing credentials, you submit them, and voilà, it's done: you're back on the original website, and you're considered registered.
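The round trip the answer describes (one click to the provider, credentials entered there, a consent prompt for the email address, then back to the original site already registered), as an added in-process simulation. This is not code from the original post or from any real OpenID provider: the HMAC-signed assertion, the `state` parameter, the host names, the user store and the scope string are assumptions made for the demonstration and are not the OpenID wire format. What it shows is the point made in the dialogue above: the relying party ends up with a provider-scoped identifier and the email claim the user consented to, and there is no code path by which it ever sees the user's password.

```python
"""Simulated OpenID-style sign-up: a relying party (RP, the site you register
on) and an identity provider (IdP) in one process, no network.  Constructed
for illustration; the message format is an assumption, not real OpenID."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a key shared out of band, standing in for the association /
# signing key a real provider would use to sign its assertions.
SHARED_SECRET = b"rp-idp-association-key-for-demo"

# Constructed sample user; the password hash lives only inside the IdP.
IDP_USERS = {
    "alice": {"password_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "email": "alice@example.com"},
}

def _query(url):
    """Flatten a URL's query string into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class RelyingParty:
    """The website being registered on.  Note: no password handling at all."""
    def __init__(self, return_to="https://rp.example/auth/return"):
        self.return_to = return_to
        self.pending = {}    # state -> True while a round trip is in flight
        self.accounts = {}   # local accounts keyed by the provider's subject id

    def start_signup(self, idp_endpoint):
        """Step 1: the single "Sign up" click redirects straight to the provider."""
        state = secrets.token_urlsafe(16)   # binds the reply to this browser
        self.pending[state] = True
        return idp_endpoint + "?" + urlencode(
            {"return_to": self.return_to, "state": state, "scope": "email"})

    def finish_signup(self, redirect_url):
        """Step 3: check the signed assertion, create the account, done."""
        p = _query(redirect_url)
        if not self.pending.pop(p.get("state", ""), False):
            raise ValueError("unknown or replayed state")
        if "error" in p:
            raise ValueError("user declined at the provider: " + p["error"])
        payload = p["assertion"].encode()
        sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, p.get("sig", "")):
            raise ValueError("bad signature on assertion")
        claims = json.loads(payload)
        if claims["audience"] != self.return_to:
            raise ValueError("assertion was issued for a different site")
        self.accounts[claims["sub"]] = {"email": claims.get("email")}
        return claims["sub"]

class IdentityProvider:
    """The provider the user already has an account with (Google, etc.)."""
    endpoint = "https://idp.example/auth"

    def handle(self, request_url, username, password, accept_consent):
        """Step 2: authenticate, ask consent for the requested scope, redirect back."""
        p = _query(request_url)
        user = IDP_USERS.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["password_hash"], given):
            raise PermissionError("wrong credentials")
        back = {"state": p["state"]}
        # The prompt the dialogue quotes: "... would like to: View your email address".
        if not accept_consent:
            back["error"] = "denied"
            return p["return_to"] + "?" + urlencode(back)
        claims = {"sub": f"{self.endpoint}/id/{username}", "audience": p["return_to"]}
        if "email" in p.get("scope", "").split():
            claims["email"] = user["email"]      # only what the user accepted
        payload = json.dumps(claims, sort_keys=True)
        back["assertion"] = payload
        back["sig"] = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return p["return_to"] + "?" + urlencode(back)

def run_signup(username="alice", password="correct horse", accept=True):
    """Whole round trip; returns (rp, subject, redirect_back_url)."""
    rp, idp = RelyingParty(), IdentityProvider()
    back = idp.handle(rp.start_signup(idp.endpoint), username, password, accept)
    return rp, rp.finish_signup(back), back

def failure_modes():
    """Which of the expected rejections actually fire (all should be True)."""
    rp, _, back = run_signup()
    try:
        rp.finish_signup(back); replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        run_signup(password="wrong"); bad_pw_rejected = False
    except PermissionError:
        bad_pw_rejected = True
    try:
        run_signup(accept=False); denial_rejected = False
    except ValueError:
        denial_rejected = True
    return replay_rejected, bad_pw_rejected, denial_rejected

if __name__ == "__main__":
    rp, sub, _ = run_signup()
    print("registered", sub, "as", rp.accounts[sub])
```

The `state` value and the `audience` check are what keep the visual-sameness idea from the answer from turning into an easy trick: the relying party only accepts a reply it started itself, and only one addressed to its own return URL, so a signed assertion copied from another site's flow is rejected even though the user never looked at the address bar.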