OpenID study at Google

Google and Yahoo have both posted usability studies on federated and OpenID logins. Both of them recommend keeping things simple and as easy as possible for the user. Google has a quite nice suggestion for the UI, but stops short of going all the way.

We’ve done a lot of thinking on this topic for the demo and YouTube movie I linked last week. We have a similar problem: our users have to log in somehow, and then log in again for OAuth-style authentication with e.g. Facebook for extra features.

I really like Google’s UI, but would like to suggest a few simplifications:

Basically the site should ask:

With what OpenID identity, email address or username do you wish to log in? (Excuse the ASCII art.)

-------------------------------- ------
| http://www.jillesvangurp.com | | OK |
-------------------------------- ------

The user enters whatever seems right, and the server makes a best effort to authenticate with whatever the user provides. The server then checks the following rules (using AJAX, of course) against the address/username:

  • address/username known, not an IDP -> ask for the password
  • address/username known & an IDP -> redirect to the IDP. Optionally let the user choose a username when returning to the site, so they can log in with either the short login name or the IDP identifier.
  • not known & an IDP -> redirect to the IDP; on return, create an account on the fly with the info the IDP provides
  • not known, not an IDP -> show the create-account form, and let the user pick a username if an email address was entered. Optionally, point out how to sign up with an OpenID provider, and of course allow login with a different ID.

This is as simple as it gets. Basically, the only remaining problem is a user entering a username that is already in use by somebody else: a password field will show and the login will fail.

The failure should look like this:
Login failed because the user and password are incorrect. You can either:

  • try another password
  • try another OpenID URL, email address or username
  • sign up with us or one of these identity providers: XXX, YYY, ZZZ

This is as simple as it gets and it still supports a wide variety of login mechanisms.
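To make the four routing rules and the failure message above concrete, here is an added example (my own code, not the post’s or Google’s) that models the server side of that single-field login. The user table, the mapping from email domains to identity providers, and the provider names XXX/YYY/ZZZ are constructed sample data; a real site would look users up in its database and run OpenID discovery on the identifier instead of consulting the in-memory table.

```python
"""Server-side routing for the single-field login described in the post.

Added example, not the post's own code. It applies the four rules
(known/not known x IDP/not IDP) to whatever the user typed and returns
the next step the login page should take.
"""
import re
from urllib.parse import urlparse

# Constructed sample accounts (not from the post). A record is found by
# username, e-mail address or normalized OpenID identifier.
USERS = [
    {"username": "jilles", "email": "jilles@example.org",
     "openid": "http://www.jillesvangurp.com/"},
    {"username": "alice", "email": "alice@example.net", "openid": None},
]

# Constructed assumption: e-mail domains whose provider also acts as an IDP.
# This stands in for the discovery step a real deployment would run.
IDP_EMAIL_DOMAINS = {"example.org": "https://idp.example.org/openid"}

# Constructed assumption: the providers offered in the failure message.
SUGGESTED_PROVIDERS = ["XXX", "YYY", "ZZZ"]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def normalize_openid(identifier):
    """OpenID-style normalization: add a scheme if missing, lower-case the
    host and make an empty path '/'. Returns None if no usable host results."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlparse(s)
    if not parts.netloc or parts.scheme not in ("http", "https"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"


def classify(identifier):
    """Decide which of the three input kinds the user typed."""
    s = identifier.strip()
    if EMAIL_RE.match(s):
        return "email"
    if "://" in s or "." in s.split("/")[0]:
        return "openid"
    return "username"


def find_user(identifier, kind, users=USERS):
    """Look the typed identifier up under the field that matches its kind."""
    key = normalize_openid(identifier) if kind == "openid" else identifier.strip().lower()
    for u in users:
        if kind == "username" and u["username"].lower() == key:
            return u
        if kind == "email" and u["email"].lower() == key:
            return u
        if kind == "openid" and u["openid"] == key:
            return u
    return None


def idp_endpoint(identifier, kind):
    """Return the IDP to redirect to, or None if the input is not an IDP.
    A well-formed URL is treated as a claim an IDP can verify (real code
    would run OpenID discovery here); an e-mail is checked against the
    domain table; a bare username never names an IDP."""
    if kind == "openid":
        return normalize_openid(identifier)
    if kind == "email":
        domain = EMAIL_RE.match(identifier.strip()).group(1).lower()
        return IDP_EMAIL_DOMAINS.get(domain)
    return None


def route_login(identifier, users=USERS):
    """Apply the post's four rules and say what the login page does next."""
    kind = classify(identifier)
    user = find_user(identifier, kind, users)
    idp = idp_endpoint(identifier, kind)
    if user and not idp:                      # rule 1: known, not an IDP
        return {"action": "ask_password", "username": user["username"]}
    if user and idp:                          # rule 2: known & an IDP
        return {"action": "redirect_idp", "idp": idp,
                "on_return": "offer_username_choice"}
    if idp:                                   # rule 3: not known & an IDP
        return {"action": "redirect_idp", "idp": idp,
                "on_return": "create_account_from_idp"}
    return {"action": "create_account_form",  # rule 4: not known, not an IDP
            "pick_username": kind == "email",
            "providers": SUGGESTED_PROVIDERS}


def failure_message(providers=SUGGESTED_PROVIDERS):
    """The failure text from the post, with the provider list filled in."""
    return ("Login failed because the user and password are incorrect. You can either:\n"
            "  - try another password\n"
            "  - try another OpenID URL, email address or username\n"
            f"  - sign up with us or one of these identity providers: {', '.join(providers)}")
```

Because the known/not-known decision is returned to the browser before any password is entered, the server decides how much the AJAX response reveals about existing accounts; the failure text keeps the post’s wording, which deliberately does not say whether the username or the password was the wrong half.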

Advantages:

  • Only one question that the user should always be able to answer: who am I?
  • Using OpenID is rewarded with an easier login.
  • Worst case, the user still has to provide a password.
  • Can support any kind of authentication, including non-password-based ones.

2 Replies to “OpenID study at Google”

  1. Having been the victim of a malicious destruction of a massive amount of data on a site I was using, I don’t trust passwords or other on-line ID systems which can be defeated by today’s very smart hacker programs. Instead I think that the user should be identified on the system he is using by some internal method which cannot be mimicked by a hacker using a different system. This removes the possibility of a user getting to a place using different systems but providing the same password, which is a small price to pay to defeat hackers out to destroy other people’s data.

  2. Sorry to hear, but what you suggest will likely never happen. The problem is that most users are too stupid to know the distinction. In any case, any improvement over the current situation is progress.
