OpenID: fail.

July 16, 2008

[ Do you know what - I'm a bit nervous about this blog post. The reason I'm nervous is that I'm writing about something I really don't understand too well. I've tried - I really, really have - I've watched videos and slideshows, looked at diagrams, read explanations. But I still don't really understand how OpenID works. And for a long while that put me off writing this. I know that OpenID has a lot of people gunning for it. And I know that support is gaining, at least in numbers of service providers. But in the end, it comes down - as always - to the user - and the experience I have had has been as that user. And I simply can't, won't - and don't use OpenID. Because it's rotten, and broken, and failing. So I went ahead and wrote this anyway. I'm sure you'll let me know what you think ;-) ]

The geek world has been getting excited for a fair while about OpenID. You’re probably all familiar with it and I’ll leave it to Wikipedia to describe the service in detail, but in short the notion is that managing multiple identities online is increasingly problematic, and that some way of managing these identities in one trusted, decentralised place is what is needed to make life better.

OpenID is based around the use of a URI as the unique identifier for an individual, not an email address, as is so common today with most sites.

All well and good, you’d have thought. The only thing is there’s an enormous, hulking great elephant in the room: OpenID doesn’t work.

I should clarify. In a technical sense, OpenID works. But from a usability perspective, it’s absolutely horrible.

Let’s examine the user flow for someone signing up to a.n.other site using the “traditional” method: they arrive, they click “register”. They put in their details, including email address. They go to their email account and click on the “validate” link. Done. The purists all shift uncomfortably in their seats – the user’s identity has been propagated to yet another site (eek, duplication) and there is also a reliance on the email provider (eek, single point of failure / “evil” company fear, etc).

Now let’s have a look with OpenID. And let’s consider it in the best possible case scenario – the user has not only already created an OpenID but knows the address AND is signed in (i.e. has a currently active session/cookie) to that provider’s service.

So: the user arrives at the site and is asked for their OpenID. They put in the address and push go. The site then redirects them to their OpenID provider. The user clicks to allow access to their data, and selects a persona. The provider site then redirects back to the original site. The original site then (inevitably, in my experience) asks the user to fill in additional “persona” data for its service on top of what they already entered. The user enters the site.

That’s at least a couple more steps, and remember that’s if they’re signed in or even have an OpenID account. If they’re not signed in (but have an account) then they still have to sign in on the OpenID provider’s site. Using a username and password. If they don’t have an OpenID, just add at least 3 more steps. If they forget their OpenID then the process to get it back has to be done on the provider site and not on the site they’re wanting to access.
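What that redirect dance actually carries on the wire, as an added example (not code from the original post): a toy Python relying party and provider doing the OpenID 2.0 checkid_setup / id_res exchange behind the steps described above, including the checks the site the user comes back to must make before it believes the identifier in the URL (return_to, op_endpoint, the signed-field list, nonce replay, and the HMAC signature over the association key). It also shows the directed-identity variant raised in the comments, where the user only names the provider and the provider fills in the identifier. The endpoints, identifiers, association handle and MAC key are assumptions, and a single trusted provider stands in for the discovery step a real relying party would run.

```python
# Added example, not code from the original post: a toy OpenID 2.0 redirect
# exchange between a Relying Party (RP, the site being signed in to) and an
# OpenID Provider (OP). Endpoints, identifiers and the shared association
# MAC key are made up, and one trusted OP stands in for real discovery.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = NS + "/identifier_select"
OP_ENDPOINT = "https://op.example.net/server"          # assumed OP endpoint
RP_RETURN_TO = "https://rp.example.org/openid/return"  # assumed RP return URL
RP_REALM = "https://rp.example.org/"
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]

def sign(mac_key, fields, names):
    # Spec signature: base64(HMAC-SHA256 over the Key-Value Form Encoding of
    # the signed fields, i.e. "name:value\n" for each listed name, in order).
    kv = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in names)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def query_fields(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class RelyingParty:
    def __init__(self, mac_key, assoc_handle):
        self.mac_key, self.assoc_handle = mac_key, assoc_handle
        self.seen_nonces = set()  # replay protection for id_res assertions

    def build_redirect(self, claimed_id=IDENTIFIER_SELECT):
        # "Puts in the address and pushes go": send the browser to the OP. With directed
        # identity the RP sends identifier_select and the OP names whoever is logged in.
        params = {"openid.ns": NS, "openid.mode": "checkid_setup",
                  "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                  "openid.assoc_handle": self.assoc_handle,
                  "openid.return_to": RP_RETURN_TO, "openid.realm": RP_REALM}
        return OP_ENDPOINT + "?" + urlencode(params)

    def verify_return(self, return_url):
        # "Provider redirects back": trust nothing in the query string until every
        # check passes. Returns the verified claimed_id, or None on rejection.
        q = query_fields(return_url)
        if q.get("openid.ns") != NS or q.get("openid.mode") != "id_res":
            return None  # cancel, error or unrelated message
        if q.get("openid.return_to") != RP_RETURN_TO or q.get("openid.op_endpoint") != OP_ENDPOINT:
            return None  # not issued for this RP, or not from the OP we trust
        if q.get("openid.assoc_handle") != self.assoc_handle:
            return None  # unknown handle; a real RP would fall back to check_authentication
        signed = q.get("openid.signed", "").split(",")
        if any(n not in signed or "openid." + n not in q for n in SIGNED_FIELDS):
            return None  # an unsigned field could be swapped in transit
        if q["openid.response_nonce"] in self.seen_nonces:
            return None  # replayed assertion
        if not hmac.compare_digest(sign(self.mac_key, q, signed).encode(),
                                   q.get("openid.sig", "").encode()):
            return None  # forged or tampered assertion
        self.seen_nonces.add(q["openid.response_nonce"])
        # A real RP must also run discovery on claimed_id to confirm op_endpoint serves it.
        return q["openid.claimed_id"]

class Provider:
    def __init__(self, mac_key, assoc_handle, logged_in_user):
        self.mac_key, self.assoc_handle = mac_key, assoc_handle
        self.logged_in_user = logged_in_user  # user with a live session at the OP

    def handle_checkid(self, redirect_url, user_allows=True):
        # "User clicks to allow": answer checkid_setup with a signed id_res
        # assertion (or a cancel) delivered as a redirect back to return_to.
        req = query_fields(redirect_url)
        if (req.get("openid.mode") != "checkid_setup" or req.get("openid.assoc_handle") != self.assoc_handle
                or not req.get("openid.return_to", "").startswith(req.get("openid.realm", "-"))):
            raise ValueError("bad request")  # the OP must not bounce the user outside the realm
        if not user_allows:
            return req["openid.return_to"] + "?" + urlencode({"openid.ns": NS, "openid.mode": "cancel"})
        claimed = req["openid.claimed_id"]
        if claimed == IDENTIFIER_SELECT:  # directed identity: the OP picks the identifier
            claimed = self.logged_in_user
        elif claimed != self.logged_in_user:
            raise ValueError("session user does not own the requested identifier")
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
        fields = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
                  "openid.claimed_id": claimed, "openid.identity": claimed,
                  "openid.return_to": req["openid.return_to"], "openid.response_nonce": nonce,
                  "openid.assoc_handle": self.assoc_handle, "openid.signed": ",".join(SIGNED_FIELDS)}
        fields["openid.sig"] = sign(self.mac_key, fields, SIGNED_FIELDS)
        return fields["openid.return_to"] + "?" + urlencode(fields)

def demo():
    # The best-case flow from the post, then the failure modes an RP must reject.
    mac_key, handle = secrets.token_bytes(32), "assoc-" + secrets.token_hex(4)
    rp = RelyingParty(mac_key, handle)
    op = Provider(mac_key, handle, "https://alice.example.com/")
    back = op.handle_checkid(rp.build_redirect())
    results = {"happy": rp.verify_return(back),
               "replay": rp.verify_return(back),
               "tampered": rp.verify_return(back.replace("alice", "mallory")),
               "cancel": rp.verify_return(op.handle_checkid(rp.build_redirect(), user_allows=False))}
    rogue = Provider(secrets.token_bytes(32), handle, "https://alice.example.com/")
    results["rogue_op"] = rp.verify_return(rogue.handle_checkid(rp.build_redirect()))
    return results
```

`demo()` accepts the first assertion and rejects the same assertion replayed, a copy with the identifier rewritten, a cancel, and an assertion from a provider that does not hold the association key. Note what these checks do not cover: the relying party chooses where the browser is redirected, so a malicious site can send the user to a look-alike provider login page instead of the real one, which is the phishing concern raised in the comments below; no signature verification on the way back helps with that.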

There are several things that are really badly wrong with the OpenID / user landscape. Here’s how I see them:

1. Users don’t understand the use of a URI as identifier
This is about education, but it’s an important point. People see URIs as “web addresses”, not as personal identifiers. They don’t get it, and aren’t being encouraged to get it, either.

2. Users don’t like redirects
Actually, users don’t care about redirects – what they do care about is maintenance of trust and brand. A user mid-basket on Amazon is not going to be happy about a jump away to another site unless they’re very clear that there is brand association between the sites.

3. Users won’t remember OpenIDs
Not only are OpenIDs longer and more complex, they’re also a dog to get back once forgotten. With email/pwd, you just click the “forgotten pwd” link. Email, click, done. With OpenID you have to go back to your provider site and do it from there, not on the site you’re trying to access.

4. There is no paradigm
Apart from password remembering within the browser, there isn’t a “central persona management” paradigm. This doesn’t mean there shouldn’t be one, but it makes the job of invisible tech that much harder.

I’ve left what I see as the single biggest issue until last:

5. There isn’t a problem that needs solving
As I’ve indicated before, we (tech savvy geek types) are not the normality. I may have a sign-up obsession and belong to hundreds of sites, but normal people just don’t. By some gentle “finger in the air” reckoning, I’d suggest that most people have – what – ten sites they sign in to? That’s hardly shouting out for a distributed, decentralised, persona-based solution, is it? What’s actually wrong with a “remind me of my password” link, anyway? And using email as identity is secure enough for pretty much any application. We geeks are making assumptions based on our experiences of the web. It’s us, not Joe Normal, who have 400 passwords in our heads, surely?

So on the one hand we’ve got an elegant, beautiful, technically “good” solution that is almost completely unusable. On the other is something ugly and flawed – but something that works well for most people: something that isn’t actually broken, and – frankly – doesn’t need fixing.

OpenID feels like it could and should be better, but the current scenario whereby hundreds and thousands of sites are becoming providers (AOL, Orange, Yahoo!, etc) and very little effort is being put into fixing the flawed user flow – or user education for that matter – is just a road to nowhere. Some sites (LiquidID, ClickPass, Vidoop as examples) are just starting in the usability direction, but it’s nowhere near enough. And right now, I – like most people I know – am just fine sticking with the original email/pwd alternative.

34 comments
bob

I disagree with the point that multiple creds is a pain point for even nongeeks. If they didn't have to expose their personal information over and over I think surfing the web would be a lot more enjoyable. Also, you may think guessing from your fav passwords and user names is "OK", but remember that you are not alone, everyone does that. When lots of people duplicate this info across sites it's a serious security risk.

bob

This comment form sucks for asking me for my email. But seriously, I have been ignoring OpenID ever since I heard about it. Then I went to implement another website and I wanted it to be registration free. I have no interest in storing personal information in my database or writing the mind numbing waste of time registration pages. I decided to only accept OpenID. And I have no registration page. There is not a single piece of personal information in my site's database and I'm pretty darn excited about that. Seems like the way it should be. Maybe it will evolve into something different, but for now ME LIKEY!

Nick Burne

Hey Mike, Long time no speak. Just implementing a site with OpenID and going through the user journey was a bit of a nightmare - so very useful matey! I've always wondered why we don't just solve all these login usability issues using browsers - thought Google Chrome was going to come up with something, but alas just another IE. Google Clone!

Mike

Hi Byron - thanks for your comment, and sorry it's taken me so long to reply. I've been kinda busy (see http://electronicmuseum.org.uk/2008/09/11/its-bathcamp-weekend/)... You raise some very good points, and certainly there are some ways around the usability issues. I feel these should now become the focus of OID now: less about the technology, more about the user. If we can do this, we stand half a chance that it'll work for "most" users. If we don't, it'll continue to fail. Mike

Byron

Howdy, I've recently been looking into OpenID 2.0. I think these particular issues are mostly perceived rather than real. Which does not necessarily mean OpenID is problem free, but... Regarding issues 1&3: There is no need for users to see or even know their OpenID 2.0 URI. You know, even with traditional authentication, it's common for back end systems to know users by a number or string that makes for a good database key, rather than by their username or email address. With 2.0, an OpenID can be thought of as the same sort of thing: an ID that backend systems use, and about which users do not need to concern themselves. On each web site where a user signs up for an account, they will pick a conventional username that is specific to that site, same as ever. Not only that, but with OpenID 2, there should be far *less* need for users to remember usernames than with traditional auth. For example if you signed up to foobar.example.com as "foouser22" and later you forgot that username, no problem. The web site will be able to remember your username once you've authenticated. The only piece of information you'll have to supply will be your identity provider (eg: "yahoo.com"). Regarding issue 2: Yeah, I can see the point, but there's a counterpoint too: using OpenID, a user can have one single sign-on screen rather than one per website. Currently, without federated IDs, every site manages its own unique sign-in function with its own unique look and feel, its own unique "forgot password" feature, its own rules for password complexity, etc. So I ask, from a lay-user standpoint, which scenario is truly the more confusing? Regarding issue 4: Centralized identity management is indeed a different problem. OpenID does not attempt to address it, but IMHO, that is as it should be. Identity Management is a whole big ball of wax unto itself. Regarding issue 5: I beg to differ with this assumption.
First off, there are a very large number of web users with a lot more than ten accounts. Whether it is "most" users, I cannot say (but suspect it is). But even if it is not "most", I'm sure we can stipulate that it's probably a very large number, which speaks to a serious need. Just about everywhere you go these days wants you to sign up for something -- even sites that offer free services. But even for just ten accounts, keeping track of and managing the usernames and passwords for all of them can be cumbersome. It's well known that most people end up re-using the same password on multiple sites, and that the practice of periodically changing passwords is largely neglected because of the amount of effort involved. The amount of work needed to responsibly change your passwords from time to time scales badly with traditional per-website passwords. Even ten websites can be a chore, and beyond that it gets truly painful. But with federated IDs, the amount of work needed is small and constant, regardless of the number of sites one uses. There are other real problems that OpenID also addresses. For example: with current non-federated password authentication systems, users are repeatedly entering passwords and sending them all over the place. That is a serious security risk, especially coupled with the tendencies of users to reuse and not change their passwords. OpenID addresses this by allowing users to authenticate just once, to a chosen and trusted provider; all other web sites then leverage that but get nothing that could expose the user's main authentication credentials.

Kevin Fox

We love the technology, though see OpenID moving into the background, kind of like pop3/smtp. My mom should just be able to login securely without having to know all the acronyms of the underlying technologies that make it possible. As far as phishing OpenID has far fewer vulnerabilities than the traditional login/password method. Also you get to pick who your provider is, so do your homework. Many OpenID providers (myVidoop, claimID, clickpass, Verisign) have taken extra steps to offer multi factor authentication to their members. This raises the bar for would be hackers who will have a better ROI from targeting less secure systems. Hope this helps... -Kevin

Mike

Thanks for commenting, Kevin... Interesting to have someone from Vidoop in on the loop. (hey, a rhyme..). Someone else made me aware of EAUT which looks like a sensible direction from the usability perspective. What's the Vidoop angle on OpenID? Mike

Kevin Fox

Nice post, I agree that the OpenID user experience leaves a lot to be desired. There is progress being made, sites like Clickpass and applications like OpenID browser plugins are doing a lot to improve usability. Also regarding URLs there is a new site and spec out that will let you use email addresses as an OpenID. More info on emailtoid and EAUT is here: http://blog.vidoop.com/archives/139 Cheers, Kevin

Mike

@Rob - I don't know, tbh.... Anyone else care to comment on OpenID and phishing risk? Mike

Rob

Is there a problem relating to phishing as well? For instance if the user is redirected to a fake login page. The username/password entered would then compromise the accounts the user has at all sites that he or she has tied to that OpenID.

Mike

@chris - cheers, good thoughts. The question you ask - can it get better or is it broken for good? - is the key one, I think... As to your last point - surely they just have a single u/p for all their sites..? :-)

chriskeene

Wish I had replied to this sooner! I agree with what you say. I used OpenID with http://identi.ca/. Whereas a normal user ID can be saved by your browser (and by the remember me option on the website), the OpenID version involves several clicks and slow page loads each time I enter the site. Then, when I wanted to use ping.fm (to send messages to identi.ca) I had to enter my credentials. Of course I couldn't use OpenID here. I had to use an identi.ca-based username/password, which I had never set up. So using OpenID had given me another downside. Thoughts:
- I can't remember my URI. (Interestingly the first site I used with it - can't remember what - did not require a URI, just for me to select my OpenID provider, and then redirected to them to enter my credentials. If I could just enter yahoo.com and then my username/password, that would be better than a URI.)
- Needs a 'remember me' option.
- I have just tried to log in to connotea.org and crowdvine.com using OpenID. Both are failing with unhelpful error messages. Is this a temporary problem? Am I doing something wrong? Should I be linking my OpenID to my user account first? Is there a fault with my OpenID provider? I don't know, but these problems and questions would not exist with traditional authentication.
- It does solve the issue of too many *different* usernames (lack of availability) and different passwords (different stupid rules), which can end up with unlimited different username/password combinations to try.
- Perhaps one area this is useful is discussion forums and commenting on media sites (BBC Have Your Say, The Sun etc), and blogging sites for commenting. I've signed up for loads of forums (phpBB etc) for one-off questions, probably never to use the forum again, i.e. when looking at purchasing something in particular (such as broadband). OpenID seems like a good solution to these forums which you want to use to get an answer to something but don't really want to go through a full signup process.
- I don't agree that non-geeks don't need this. Obviously everyone is different, but I know people who use YouTube, Flickr, perhaps del.icio.us, and a few other sites (see forums), and they must be getting sick of different usernames, different passwords (different password rules) etc.

tlacroix

Mike - We're on the same page, it sure could be more usable, and probably won't spread if it stays that way forever. But I'm almost sure that it won't evolve much on a usability standpoint before wider adoption. And maybe it won't even be OpenID because it will be found to be too restrictive for future needs, and that another project will spin off it. Who knows... To push speculation a notch further, browser integration could be an easy way to make it available to a large public and make it more usable at the same time. Out of the box Firefox & Safari support, and major brands like Yahoo & Google backing it in their various apps & services could be a success scenario. We'll see! :-)

Mike

Tommy - cheers, really good points. I agree it needs time to bed in - I guess I'm just concerned that no-one seems to have got any closer to it being usable in the comparatively long period that OpenID has been a runner. As I say above, I'm just wondering whether this is because it *can't* get any more usable, rather than there being lack of trying. In which case, for me it's a non-starter from a usability perspective.

tlacroix

Nice post, enjoyed reading, and I totally agree with your opinion about OpenID's usability. But I feel that it's 100% normal that we're at this stage of the adoption process. After all, 15 years ago most people didn't have or know their email address. Now most people have many. Though it might well stop there and never go further, like Gopher (there's a small community still using it, but my dad ain't part of it). There's a few big providers giving them along with their other services, such as AOL, Yahoo, and Flickr. Other big providers (Microsoft? MSN? Facebook? Apple?) might follow. There might be an OS integration at some point. More and more regular guys will have OpenIDs. So more and more sites and web apps might allow OpenID logins. And, hopefully, more and more people will use it, and it'll become "main stream". Or it'll fail along the way. But the thing is, the more regular guys that use it, the more non-tech exposure it gets, and the more user friendly it will become. Because tech savvy users are usually really bad at designing things for the regular guys. Just like email, which started with ugly complicated clients with tons of fields (my mom doesn't care about BCC or incoming mail headers) to end up with the easy to use Thunderbird. After all, isn't OpenID a huge revolution? It takes time to change people's habits.

Mike

Hey Chris - interesting perspective, and thanks for commenting. I'm with you on the different requirements posed by various sites (username must be X characters on one site, Y on another..etc) but I still find I manage to get away with maybe 5 different combinations of u/p ranging from strong to horribly weak (all depending on context). My browser does a fair bit of the work, and I always know I can fall back on the "forgotten password" link if I need it. I'm still not sure this is a widespread requirement though, even taking on board the fact that you're not a geek ;-) Good that you like AthensDA. My day job is with Eduserv...

ChrisR

I'm not a geek, I don't think, and I have not yet used OpenID, but I do use many dozens of different sites. It wouldn't bother me so much if they all used the email address approach to username. It wouldn't bother me so much if they all insisted on the same conventions for usernames. It wouldn't bother me so much if I cared about their security all at the same level. But the reality is that many sites make different demands on you WHEN YOU REGISTER, but give you no clue what those demands were when you are asked to sign in again. How many times have I struggled to remember, is this my work username? The short username from the past I use for insecure and rather public sites? A special one I had to invent for this site? Or an email address? And did the password have to have a number in it? Or a non-alpha? I've used re-directing sites, particularly AthensDA in the UK, and as far as I'm concerned it's great. I get a very clear context letting me know I'm at my home institution and about to login with the username and password I need for external service authentication. I give them, click, pause, I'm back where I was and in action. Soooo much easier for me... and for my external service provider, who doesn't have to manage my identity. So the implementation may be broke, but I think there IS a problem to solve!

LisaP

Great post. I support the ethos behind OpenID but agree that the user experience is far from perfect. In fact, although I like to consider myself a pretty technically aware non-technical person, I found the process pretty confusing and had several false starts. For the user it's a whole new language to learn, even with dummies' guides like http://openid.yahoo.com/

drewinthehead

@Mike - I do think it's true for Joe Normal. They're being bounced to somewhere they've selected and trust. Good ecommerce UX is about establishing and maintaining trust, and being bounce to *your own* provider of choice enhances that.

Mike

@AndyP - I think browser support might be key - stuff like Weave in FF3 seems promising - (ie. attention data // in the browser as well as in the cloud...) but I agree, it doesn't feel quite as satisfying as a "true" decentralised solution.

Mike

@drewinthehead - that's true (to us) - but do you think it's true for Joe Normal? I guess Facebook is a good example, but I'd be nervous if it happened mid-ecommerce transaction, for example?

drewinthehead

@Mike - yes, still a jump, but the important factor is that it's a jump back to the site that *you the user* have chosen as your provider. In a way it's sending you home, at the very least not somewhere strange and foreign to you. Consider if Facebook started acting as an OpenID provider (which would be easy for them to do). All those people who spend most of their work day on Facebook would be able to key in their Facebook OpenID into any number of sites, get bounced to an extremely familiar page (which they're already logged into), click Allow and they're through. To me that sounds like a fairly painless and simple process. The 'jump' is only a problem if you're jumped to somewhere unexpected.

Mike

@drewinthehead - still a jump across from the site in question to the provider site and back again? Or is there a better way of doing this? You're right about the "welcome back, mike123456abc" issue (my user name on YouTube is "nofekkinusernames" for that very reason...) ;-)

drewinthehead

I think your 'best case scenario' is a bit misleading. Real best case is that without even registering at all I log in with an OpenID, click 'allow' from my provider and I'm in to a brand new account on the site in question. As we as developers get more comfortable and experienced with the technology, I think that sort of user experience will be more commonplace. Just give it a little time to bed in. One real tangible "normal user" benefit that I don't believe you've mentioned is the fact that OpenID users don't need to go through the whole choose-an-available-username hoopla that is frequently the most time-consuming and frustrating part of signing up to a popular service. Early adopters often forget how miserable that experience is because they're signing up at a point where their first or second pick of username is still available. OpenID is a great solution for that.

Mike

Pete, cheers for commenting - pretty much how I feel too :-)

Pete Fairhurst

I agree; adding more links to an already-fragile and poorly-understood chain doesn't make it better for anyone. OpenID has serious usability issues and I also agree that solving these should be foremost, not least for the reasons you've outlined in your post and Tim mentions (about trying to explain the damnable thing) to an average user. I've been trying to use OpenID on a few supporting websites, even updating the domain records of my personal website to be coupled with my OpenID identity, and it's just an utter chore every time. OpenID isn’t a “smart” solution: it’s a flabby, inarticulate and trudging load of extra user baggage. No thanks.

Mike

@Tim - I'd love for it to be good (i.e. usable), and I hope it can be made that way. Certainly the wins that OpenID has made (the list of providers is pretty heavyweight, for example) indicates something, and you're right, OAuth is a considerable win. It's also early I guess for usability to be factored in - although I'd personally like this to be the *first* thing rather than the last...

Andy Powell

Sigh... You're right. I use my OpenID(s) on about 3 sites - I would use them on more, but very few of the real sites I use actually support it. I always end up confused (despite, or possibly because of, Sxipper's assistance). Something needs doing. Browser plugins might help - but I'm generally sceptical about such things because requiring a browser plugin for what is essentially 'core' Web functionality indicates a serious mis-match somewhere. I'm still hopeful that things will get better. In general, I tend to recommend Sxipper rather than OpenID for people who want help managing multiple usernames/passwords - but Sxipper is no way perfect either. I wouldn't recommend it to my mum for example. Information cards anyone - yes, I'm probably clutching at straws. If it helps (which it doesn't) the usability of the UK Access Management Federation is currently worse IMHO - see http://efoundations.typepad.com/efoundations/2008/07/catch-you-on-th.html. Andy.

Tim Beadle

I tried really hard to get all defensive and self-righteous about this (and I was, for a bit) but in the cold light of day, ultimately there is merit in what you say, Mike. There's not a chance I could reliably explain OpenID to my Dad, in-laws or even my fairly web-savvy wife. The "directed identity" stuff in OpenID 2.0 does sound more likely to wash with a non-geek audience, I agree. In OpenID's defence, though, without its creation (even for spurious "not actually solving a real problem" reasons), we probably wouldn't have OAuth, and that *is* useful to non-geeks and is being used as such.

Jenny Brown

"I may have a sign-up obsession and belong to hundreds of sites, but normal people just don't." Bang on, Mike. BUT I am all for a one log-in approach. I have bitter experience of trying to encourage people to adopt web tools only to find they have forgotten the username/password they assigned themselves and ask 'can you just email me instead?' thus defeating the object and missing out on the benefit of the tools. But you're right, trying to explain to people the concept of OpenID is not going to help in cases like this. I wonder if the proposed development of TLDs will help. Selling the concept of OpenID (unique URI instead of email) is the tricky thing but if we had URIs that didn't end .com (and then described them as 'identities' perhaps rather than URIs) that might be a step in the right direction.

Mike

@Allen - cheers for your comment. I haven't looked at the directed identity stuff before - will go check it out now. Certainly streamlining the experience feels like a crucial step. The bit that concerns me is that we're - what - 2/3 years into OpenID and I still haven't seen any solutions that seem to do this effectively. Early doors, I assumed this was because the focus was on adoption and not usability - now, I'm starting to wonder if it's something that simply can't be solved with OpenID as a solution...We'll see I guess :-)

Mike

Thanks Harry. And ta for alerting me to your blog - I'll check it out...

Allen Tom

Excellent post, there are plenty of usability issues with OpenID that still need to be resolved before OpenID can reach mainstream adoption. OpenID 2.0's new directed identity feature eliminates the need for users to know their OpenID URL; users only need to specify their identity provider. The identity provider returns the user's identifier in the authentication response. For instance, Yahoo users can initiate the sign in process by typing in "yahoo.com" or by clicking on a "Sign in with Yahoo" button. Simplifying the sign-on experience (redirects, multiple password prompts, confusing user experience) and streamlining the registration process are also crucial to encouraging adoption.

Trackbacks

  1. [...] of OpenID Thursday 17 Jul 2008 Mike Ellis posted an interesting article up about OpenID, which is quite critical of OpenID and although I do like OpenID, I agree with much [...]

  2. [...] Anyway… Now that I’ve actually tackled the problem at a slightly deeper level I’m feeling confident that over time we can not only iron out XCRI’s woes but also introduce OpenID across the JISC CETIS (and IEC) services in a reasonably robust way. The future looks rosy, the sky is blue, thunderclouds? What thunderclouds? [...]

  3. [...] : allows those leaving comments, and myself as blog author to sign in via OpenID. While it’s been noted that OpenID does have usability issues, it still seems like a good option to have. I’m [...]

  4. [...] Owen Stephens also commented on the post, linking to a post that pointed out that the OpenID “user experience” leaves much to be desired. [...]

  5. [...] with them as an OpenID but they don’t accept other OpenID providers. More importantly, people just don’t seem to get OpenID. It seems unnatural for some reason for a person’s identity marker to be a URL rather than a [...]

  6. [...] I have been very interested in OpenID for some time. I like the relatively agile way in which the standard has evolved. I like the fact that it has been responsive to the developer community. I agree with Andy Powell when he talks about the importance of the capacity for the delegation of the service providing your OpenID – I’ve maintained an OpenID for myself at http://paulwalk.net despite having changed the underlying OpenID identity provider service twice. However, I’ve become frustrated by the way in which OpenID has been deployed and couched almost entirely in terms of its potential to solve the often-exaggerated problem of users needing to maintain too many user accounts (although I confess that I have contributed to this). Personally I maintain a small handful of username/password combinations for accessing hundreds of web services – it’s a minor inconvenience. And as Mike Ellis pointed out in a great post, OpenID: fail: [...]
