Quora and a bad user experience

I compulsively sign up for all sorts of stuff I don’t really need. Call it professional curiosity. Yesterday I was talking with a friend and he mentioned quora, a popular Q&A site that I have never really bothered with. So, on a whim I did my thing and signed up. This blog post is about the bad stuff that happened after that. In short the experience was appalling and mildly offensive and illustrative of how some companies just don’t get it.

So, here’s what happened.

I went to their home page. Basically there’s nothing there except a login box and a message stating “Quora connects you to everything you want to know about.”. I thought I had Google for that. Whatever. Despite this shocking lack of information and spectacularly bad marketing, I went ahead and attempted to sign in using the Facebook button. So, I clicked that and did the oauth exchange with Facebook. So far so good. Many sites offer this style of signups with Google, Facebook, Twitter, and other sites and it is sort of convenient.

After that it showed me a page to create a password. Eh… didn’t I just sign in?! Surely the intent of that was avoiding this. Annoyed, I just went ahead anyway and typed one of my passwords that I reserve for sites I absolutely don’t care about one bit.

Then I was presented with a page that required me to select five topics out of some huge list. That just sucks. I’m a new user. Don’t force me to make choices like that right away. Since I wasn’t particularly interested in following anything at this point, I just clicked next and got another page with yet more crap to choose from. It just kept insisting I had to follow topics in order to use the site. I declined and closed the tab, which is sort of my way of saying fuck you very much and have a nice life. Basically, I had lost all interest in quora at this point. Bad UX and I’m not really convinced I need it to begin with.

It could be I’m missing out on something really great. Whatever. Bad UX causes you to lose users like that. I wasted five minutes of my time and Quora never even got around to explaining what they do. Shit happens.

Then I started getting emails like X is now following you on Quora. Apparently, quora just went ahead and spammed my Facebook friends on my behalf. That’s a definite red flag in my book. There is no way in hell I would give permission to any company to do that.

I just deactivated my account to prevent more damage and because frankly I felt offended. If you got spammed, sorry.

There are a couple of patterns here that I observed with other sites:

  • Signup is needlessly complex. Every extra mouse click loses you customers. Every usability expert knows this. Don’t do this. At this point even having an email signup + password is fairly pointless for most users. Make it optional, if you bother implementing this at all (why would you?).
  • The site is useless without signup. So how am I to decide I want to sign up at all? Give me samples or partial access.
  • The site assumes you want to receive loads of email notifications. Off is a good default for any such notifications except the truly urgent ones. If I didn’t turn shit like this off, my inbox would have hundreds of new messages every morning from all sorts of sites I really don’t care about. Sorry, you are not the most important thing in my life.
  • The site hijacks your Facebook feed to promote itself. No I don’t endorse your shitty site and I certainly don’t want you anywhere near my friends until I’ve had a chance to evaluate what you are about. I clicked the sign in button to sign in, not to give you permission to abuse privileges you sneaked in with that request. If you are going to post to my Facebook feed, make sure I know it is going to happen and have an opportunity to prevent it.

Quora failed on all four points and displayed a level of arrogance and aggressiveness, intended or not, that caused me to de-activate my account right away.

OpenID study at Google

Google and Yahoo have each posted a usability study on federated and OpenID logins. Both of them point in the same direction: keep things simple and as easy as possible for the user. Google has a quite nice suggestion for the UI, but stops short of going all the way.

We’ve done a lot of thinking on this topic regarding the demo and youtube movie I linked last week. We have a similar problem: our users have to log in somehow, and then log in again for OAuth-style authentication with e.g. Facebook for extra features.

I really like Google’s UI but would like to suggest a few simplifications:

Basically the site should ask:

With what OpenID identity, email address or username do you wish to log in (excuse the ascii art)?

-------------------------------- ------
| http://www.jillesvangurp.com | | OK |
-------------------------------- ------

The user will enter whatever seems right and the server will make a best effort to authenticate with whatever the user provides. The server then checks the following rules (using AJAX, of course) against the address or username:

  • address/username known, not an IDP -> ask for the password
  • address/username known & an IDP -> redirect to the IDP. Optionally let the user choose a username when returning to the site, so the user can log in with either the short login name or the IDP identifier.
  • not known & an IDP -> redirect to the IDP; on return, create an account on the fly with the info the IDP provides
  • not known, not an IDP -> show the create account form, and let the user pick a username if an email address was entered. Optionally, point out how to sign up with an OpenID provider, and of course allow login with a different ID.

This is as simple as it gets. Basically, the only problem is the user entering a username that is in use by somebody else. A password field will show and login will fail.

The failure should look like this.
Login failed because the user and password are incorrect. You can either:

  • try another password
  • try another openidurl, email address or username
  • sign up with us or one of these Identity providers: XXX, YYY, ZZZ

This is as simple as it gets and it still supports a wide variety of login mechanisms.
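As an added example (not code from the original post), here is the routing logic of the four rules above in Python, together with the failure message. Everything in it is an assumption for illustration: the user store is a constructed dict, OpenID discovery is replaced by a stand-in that treats the identifier URL's host as the provider, and the relying party whitelists the providers it trusts, as suggested later on this page for sites where accepting any provider would be a bad idea.

```python
import re
from urllib.parse import urlparse

# Constructed user store (assumption: a real site keeps this in a database).
# An account with "idp" set authenticates at that OpenID provider; an account
# with "idp" None has a local password (the hash itself is omitted here).
USERS = {
    "alice": {"idp": None},
    "bob@example.org": {"idp": None},
    "http://carol.example.net/": {"idp": "example.net"},
}

# Assumption: the relying party only accepts a whitelist of OpenID providers.
TRUSTED_IDPS = {"example.net", "idp.example.com"}

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify(identifier: str) -> str:
    """Guess what the user typed: an OpenID URL, an email address or a username."""
    ident = identifier.strip()
    if ident.startswith(("http://", "https://")):
        return "openid"
    if _EMAIL.match(ident):
        return "email"
    return "username"


def normalize(identifier: str) -> str:
    """Canonical form used as the lookup key: lower-cased host/email, trailing slash on URLs."""
    ident = identifier.strip()
    kind = classify(ident)
    if kind == "openid":
        parsed = urlparse(ident)
        return f"{parsed.scheme}://{parsed.netloc.lower()}{parsed.path or '/'}"
    if kind == "email":
        return ident.lower()
    return ident


def idp_for(openid_url: str) -> str:
    """Stand-in for OpenID discovery (assumption): the provider is the identifier's host."""
    return urlparse(openid_url).netloc.lower()


def route(identifier: str) -> dict:
    """Decide what the login page shows next, following the four rules in the post."""
    ident = normalize(identifier)
    kind = classify(ident)
    record = USERS.get(ident)
    idp = idp_for(ident) if kind == "openid" else None

    if record is not None and record["idp"] is None:
        # known, not an IDP -> ask for the password
        return {"action": "ask_password", "identifier": ident}
    if record is not None:
        # known & an IDP -> redirect; the user may pick a short username on return
        return {"action": "redirect_idp", "idp": record["idp"], "create_account": False}
    if idp is not None:
        if idp not in TRUSTED_IDPS:
            # whitelist check: unknown providers are not redirected to at all
            return {"action": "reject", "reason": f"provider {idp} is not trusted"}
        # not known & an IDP -> redirect, create the account when the user comes back
        return {"action": "redirect_idp", "idp": idp, "create_account": True}
    # not known, not an IDP -> signup form; suggest a username from an email address
    suggested = ident.split("@", 1)[0] if kind == "email" else ident
    return {
        "action": "create_account",
        "suggested_username": suggested,
        "offer_idps": sorted(TRUSTED_IDPS),
    }


def failure_message(trusted_idps=TRUSTED_IDPS) -> str:
    """The failure text proposed in the post, with the trusted providers filled in."""
    options = [
        "try another password",
        "try another OpenID URL, email address or username",
        "sign up with us or one of these identity providers: "
        + ", ".join(sorted(trusted_idps)),
    ]
    return (
        "Login failed because the user and password are incorrect. You can either:\n"
        + "\n".join("  - " + option for option in options)
    )


if __name__ == "__main__":
    for entered in ["alice", "Bob@Example.org", "http://carol.example.net",
                    "https://idp.example.com/dave", "http://evil.example/", "eve@example.org"]:
        print(entered, "->", route(entered))
    print(failure_message())
```

One caveat the post does not mention: because an unknown identifier gets the signup form while a known one gets the password box, the page confirms which usernames and email addresses have accounts. The failure message above at least does not say which of the two was wrong; a site that cares about enumeration should also rate-limit the lookup, or show the password box for unknown identifiers too and only branch after the attempt.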

Advantages:

  • Only one question that the user should be able to answer: who am I?
  • Using OpenID is rewarded by easy login
  • Worst case, user still has to provide a password.
  • Can support any kind of authentication, including non password based ones.

OoO 3.0 Beta & cross references

It still looks butt ugly but at least this bug was partially addressed in the latest beta release of Open Office. The date this one was opened: “Dec 19 19:13:00 +0000 2001”. That’s more than seven years ago! This show stopper has prevented me from writing my thesis, any scientific articles, or in fact anything serious in open office, since writing such things requires proper cross reference functionality. But finally, they implemented the simple feature of actually being able to refer to the paragraph number of something elsewhere in the document using an actual cross reference. This is useful for referring to numbered references, figures, tables, formulas, theorems, sections, etc.

The process for this bug went something like this: “you don’t need cross references” (imagine a Star Wars type gesture here). Really, for a bunch of people implementing a word processor, the mere length of the period they maintained this point of view was shocking, and to me has always been a strong indication that they might not be that well suited for the job of creating an actual word processor. Then they went on to an infinite loop of “hmm maybe we can hack something for open office 1.1 2.0 2.1 2.2 2.3 2.4 3.0” and “we need to fix this because imported word documents are breaking over this” (never mind that real authors might need this for perfectly valid reasons). This went on for a very very long time, and frankly I have long since stopped considering open office as a serious alternative for doing my word processing.

I just tried it in 3.0 beta and it actually works now, sort of. Testing new OoO releases for this has become somewhat of a ritual for me. For years, the first thing I did after downloading OoO was try to insert a few cross references before shaking my head and closing the window. The UI is still horribly unusable but at least the feature is there now if you know where to look for it.

Six years ago Framemaker was the only alternative that met my technical requirements of being an actual word processor with a UI and features that support the authoring process (unlike latex, which is a compiler), the ability to use cross references, and flexible but very strictly applied formatting. Theoretically word can do all of this as well but I don’t recommend it for reasons of bugginess and the surprising ease with which you can lose hours of work due to word automatically rearranging & moving things for you when you e.g. insert a picture, paste a table, etc (and yes I’ve seen documents corrupt themselves just by doing these things).

The last few years, I’ve used open office only to be able to open the odd word/powerpoint file that drops into my inbox at home. I basically have close to no office application needs here at home. For my writing needs at work, I usually adapt to what my coauthors use (i.e. word and sometimes latex). Framemaker has basically been dying since Adobe bought it. The last version I used was 6.0 and the last occasion I used it was when writing my phd thesis.

OpenID 2.0 and concerns about it

It seems JanRain is finally readying the final version of OpenID 2.0. There’s a great overview of some concerns that I mostly share on readwriteweb.com. Together with another recent standard (OAuth), OpenID 2.0 could be a huge step forward for web security and privacy.

Let’s start with what OpenID is about and why, generally, it is a good idea. The situation right now on the web is that:

  • Pretty much every web site has its own identity solution. This means that users have to keep track of dozens of accounts. Generally users have only one or two email addresses, so in practice most of these accounts are actually tied to one email account. Imagine someone steals your gmail password and starts scanning your mail for all those nice account activation mails you’ve been getting for years. Hint: “mail me my password”, “reset my password”. In short, the current situation has a lot of security risks. It’s basically all the downsides of a centralized identity solution without any of the advantages. There are many valid concerns about using OpenID related to e.g. phishing. However, what most people overlook is that the current situation is much worse, and also that many OpenID providers actually address these concerns by implementing various technical solutions and security practices. For example, myopenid.com and Verisign employ very sophisticated technologies that you won’t find on many websites where you would happily provide your credit card number. There is no technical reason whatsoever why OpenID providers can’t use the same or better authentication mechanisms than the ones you probably use with your bank already.
  • While technically some websites could work together on identity, very few do, and the ones that do tend to have very strong business ties (e.g. banks, local governments, etc.). This means that in most cases, reusable identity is only usable on a handful of partner sites. Google, Microsoft, and Yahoo are great examples. They each have partner programs that allow external parties to authenticate people with them. Only problem: almost nobody seems to do that. So, reality check: OpenID is the only widespread single sign on solution on the web. There is nothing else. All the other stuff is hopelessly locked into commercial verticals. Microsoft has been trying for years to get their password solution to do what OpenID is doing today. They have failed miserably so far.
  • Web sites are increasingly dependent on each other. Mashups started as an informal thing where site A used an API from site B and did something nice with it. Now these interactions are getting much more complex. The number of sites involved in typical mashups is increasing, and the amount of privacy sensitive data flying around in these mashups is increasing as well. A very negative pattern that I’ve seen on several sites is the “please provide your gmail/hotmail/yahoo user password and we’ll import your friends” type feature. Do you really want to share your years of private email conversations with a startup run in a garage in California? Of course not! This is not a solution but a cheap hack. The reality is that something like OpenID + OAuth is really needed, because right now many users are putting themselves in danger by happily handing over their username and password.
  • Social networks like Facebook authenticate people for the many little apps that plug into them. So far Facebook is the most successful here. Facebook provides a nice glimpse of what OpenID makes possible on a much larger scale, but it is still a centralized vertical. I am on Facebook and generally like what I see there, but I’m not really comfortable with the notion that they are the web from now on (which seems to be implied in their centralized business model). Recent scares with their overly aggressive advertisement schemes show that they can’t really be trusted.

OpenID is not a complete solution for the above problems, and it is important to realize that this is by design: it tries to solve only one problem and tries to solve it well. But generally it is a vast improvement over what is used today. Additionally, it can be complemented with protocols like OAuth, which are about delegating permissions from one site to another on your behalf. OpenID and OAuth are very well integrated with the web architecture in the sense that they are not monolithic identity solutions but modular solutions designed to be combined with other modular solutions. This modular nature is essential because it allows for very diverse combinations of technology. This in turn allows different sites to implement the security they need, but in a compatible way. For example, for some sites allowing any OpenID provider would be a bad idea. So, implement whitelisting and work with a set of OpenID providers you trust (e.g. Verisign).

OpenID and OAuth provide a very decent base level of protection that is not available from any other widely used technology currently. The closest thing to it is the Liberty Alliance/SAML/Microsoft family of identity products. These are designed for and applied almost exclusively in enterprise security products. You find them in banks and financial institutions, travel agencies, etc. They are also used on the web, but invariably only to build verticals. Both Google and Microsoft use technologies like this to power their identity solutions. In fact, many OpenID identity providers also use these technologies. For example, Microsoft is rumoured to be OpenID-enabling their solution, and several members of the Liberty Alliance (e.g. Sun) have been experimenting with OpenID as well. They are not mutually exclusive technologies.

It gets better though. Many OpenID providers are employing really advanced anti-phishing technologies. Currently you and your cryptographically weak password are just sitting ducks for Russian/Nigerian/Whatever scammers. Even if you think your password is good, it probably isn’t. OpenID doesn’t specify how to authenticate. Consequently, OpenID providers are competing on usability and anti-phishing features. For example, Verisign and myopenid.com employ techniques that make them vastly more secure than most websites out there, including some where you make financial transactions. There has been a lot of criticism of OpenID, and this has been picked up by those that implement it.

So now on to OpenID 2.0. This version is quite important because it is the result of many companies discussing, for a very long time, what should be in there. In some respects there are a few regrettable compromises, and maybe not all of the spec is that good of an idea (e.g. .name support). But generally it is a vast improvement over OpenID 1.1, which is what is in use currently and which is technically flawed in several ways that 2.0 fixes. The reason 2.0 is important is that many companies have been holding off on OpenID support until it was ready.

The hope/expectation is that those companies will start enabling OpenID logins for their sites over the next few months. The concern expressed here is that this may not actually happen and that in fact OpenID hype seems past its glory already. Looking at how few sites I can actually sign into with my OpenID today, I’d have to agree. As of yet, no major website has adopted OpenID. Sure there are plenty of identity providers that support OpenID but very few relying parties that accept identities from those providers. Most of the OpenID sites out there are simple blogs, startups web 2.0 type stuff, etc. The problem seems to be that everybody is waiting for everybody else and also that everybody is afraid of giving up control over their little clusters of users.

So ironically, even though there are many millions of OpenIDs out there, most of their owners don’t use them (or are even aware of having one). Pretty soon OpenID will be the authentication system with the most users on this planet (if not already) and people don’t even know about it. Even the largest web sites have no more than something like a hundred million users (which is a lot). Several of those sites are already OpenID identity providers (e.g. AOL).

The reason I hope OpenID does get some adoption is that if it doesn’t, it will take a very long time for something similar to emerge. This means that the current very undesirable situation is prolonged for a very long time. In my view a vast improvement is needed over the current situation, and besides OpenID there seems to be very little in terms of solutions that can realistically be used today.

The reason I am posting this is because over the past few months me and my colleagues have been struggling with how to do security in decentralized smart spaces. If you check my publications web site, you will see several recent workshop papers that provide a high level overview of what we are building. Most of these papers are pretty quiet on security so far even though obviously security and privacy is a huge concern in a world where user devices use each others services and mash them up with commercial services in both the local network and internet. Well, the solution we are applying in our research platform is a mix of OpenID, OAuth and some rather cool add-ons that we have invented to those. Unfortunately I can’t detail too much about our solutions yet except that I am very excited about them. Over the next year, we should be able to push out more information into the public.

semantic vs Semantic

Interesting post on how microformats relate to the Semantic web as envisioned by the w3c.

The capital S is semantically relevant since it distinguishes it from the lower case semantic web that microformats are all about. The difference is that the Semantic web requires technology that has been defined by the w3c but is not currently available in any mainstream products, such as for example the web browsers that people use to browse the current web. These technologies include RDF, the OWL ontology language, XHTML 1.x and 2.x and a few other rather obscure “standards” that you won’t find on a typical end user PC or web server. I use quotes around the word standard here because I don’t believe the W3C to be very effective in transferring its recommended standards over to industry in a proper way.