Saturday, January 19, 2008

Looking at the evidence...

... it seems that we still have a ways to go when it comes to user education, user-centric identity and IdP discovery. I applaud Yahoo! and Blogger for supporting OpenID by being OpenID Providers. That is a huge step forward. However, it's interesting to note how these main stream relying party (RP) sites are implementing the user experience.

From the OpenID listserv it appears that Yahoo! would prefer RPs to put a Yahoo! logo on their site that is clickable to enable Yahoo! users (and others) to login to that site (using the "directed identity" flow).

Also, looking at the Blogger implementation of accepting OpenIDs they list 4 main OpenID providers (I'm guessing Yahoo! will be added to the list) and then a button for "Any OpenID".

Maybe lesser known, but (an AOL property) which accepts OpenIDs uses the OpenID protocol to authenticate AOL/AIM users but presents the UI as "Sign in using my AOL Screen Name".

What I find fascinating about this trend is that it bypasses one of the benefits of an OpenID (built in IdP discovery). Basically, these main stream RP sites are using the "User picks their IdP" solution for determining where to send the user rather than having the user type in their IdP (,, etc) or full OpenID URL. At the moment, this scales OK as there aren't that many mainstream providers, but either user education needs to get better so this mechanism isn't needed, or we need a different technical solution.

2 comments: said...

Seems to me that only the Yahoo UI actually bypasses the arbitrary IDP benefit. The others provide it for those users who know about OpenID (a minority today) but don't get in the way of people who only know they have an account somewhere.

The direct route is not necessarily the fastest.

George Fletcher said...

Agreed. Even Yahoo's best practices will likely not preclude the free form entry of an OpenID.

As you said "people who only know they have an account somewhere". I think this is the larger "demographic" (right now) and user experience needs to address their needs (which these examples do).

It just interesting that by using this sort of a user experience, OpenID is removed from the experience and is just a protocol for transferring the authentication "assertion". Something that could easily be done with other standard protocols.