
I won't implement OpenID for any site where I have a say. It needs to die so that something good can step into its place.

If you have a site that requires OpenID, I won't use it for the same reason I won't use your site that requires Facebook. If you're going to implement it, make sure you also implement a standard user/pass registration or you'll lose a lot of potential users (as in most of them).



Define "something good." You haven't given any reasons on why it sucks.


Something that lets me use my email address as my ID.

I can remember my email address. I can't even remember which openID provider I used to sign up for StackOverflow, let alone how they expect me to form the URL that I use for my login.

So once a month, when my cookie expires, I get to perform a forgot-password-like action, where I dig through my email to find my username, then try several combinations of it and claimid.net (or was it .org) until it lets me in. But I'm not in. I still have to type in my username and password and click OK, then click OK on a second screen.

That's on the order of 10 more steps than it takes me to type in my email address and password. I remember my email. And I can type it in 400 milliseconds.

The thing that replaces OpenID needs to understand that.


Just put a delegate on a web page URL you'll remember. Like on your personal website.

I use my own page and use the OpenId delegate meta-tag to point to the domain that I also don't remember: http://openid.net/specs/openid-authentication-1_1.html#deleg...

This way you only have to remember your own URL like: http://openid.mydomain.com and the password that you've chosen.


Is that actually a serious suggestion? Is that what you'd tell your non-technical users when they asked you what an openid was?

Sentences that start with the word "just" should describe something easy to do. Like, you know, using your existing email address as your unique ID.


That's not the suggestion I give to non-technical users; that's the suggestion I give to you, who took the time to learn what OpenId is but complains about it.

What I tell website developers is to add a login with Google, Yahoo, ... + OpenId (Google and Yahoo are openId providers) and each will redirect users to the correct OpenId endpoint (the one from yahoo, the one from google or your own).

And I don't say anything to non-technical users. They will see a "login with Yahoo" or "login with Facebook" or "login with Gmail" and they won't even ask me questions about OpenID. The ones that know what OpenId is and have their own custom URL will use it. Others will use the endpoints provided by Yahoo or Google and won't know what OpenID is and they don't need to.


Have you done any testing to see how many users you lose by doing this? There is, after all, a percentage of your users who will see your "login with Yahoo" message and not understand what you mean, then leave when they can't find a way to register.

You seem to think that number would be low. Experience with users & registration leads me to believe that it will be quite high. I personally don't plan to implement openID, so I can't do any testing. I'd be curious to see what your numbers say.


Something that doesn't require you to be a techie to understand. OpenID is a bit advanced for many users.

FB Connect actually does a pretty good job at being "easy to use". Just log into your FB account and you are set. I know it's not fair, but most people haven't posted anything to that openid website.

Google or Yahoo logins would work, since there's a recognizable brand name and there's a good chance that the user has an account on those sites.


>FB Connect actually does a pretty good job at being "easy to use". Just log into your FB account and you are set.

The only time I used OpenID, it was for StackOverflow. The workflow was exactly as you describe for Facebook Connect, except substituting Gmail for Facebook. I really don't see where there's room to be tripped up, unless you can't handle the idea that you can log in using accounts from multiple places.


Because normal users' innate pathological copy-reading avoidance makes the login page (http://skitch.com/dasil003/d2ac8/change-openid-stack-overflo...) a usability clusterfuck.


That's not an issue with OpenID. That's an issue with the decision to not use OpenID exclusively and applies to every authentication service on the list in that screenshot, by virtue of that list being a list.


Btw, if you login on another site using Google or Yahoo, you are using OpenID.


What problem do you have with OpenIDv2a + OAuth?


So I start a SaaS business and put "Please login with your OpenIDv2a+OAuth compatible login below." prominently on my front page.

And then I have no users because nobody knows what that means.


You should probably put "Please login with your Facebook or Gmail account below" on your front page instead.

Modify the services named based on expected clients. Choose one or more from the following: AOL, BBC, Facebook, Google, IBM, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!. *

On the sign-up page, put in smaller text "You can sign up/log in with any compatible OpenID service" for the technically savvy users, if you expect any at all.

Don't straw man.

* list copied from Wikipedia.


A problem with asking someone for their gmail password to sign into malwarenet.org is that it seems very suspicious. Why does malwarenet.org want my password? I bet I can guess - they want to steal my email, find my bank account numbers and identity fraud me. Oh, it doesn't work that way, right right, but how can any one without exceptional technical skills know that for sure? Lots of site spoofing out there.

Hell, OpenDNS is giving me a spoofed IP address for Google right now. What is that about? I thought they were secure. What else on my DNS service has been hacked? Bank sites? Probably.


1) Unless I am misunderstanding the standard, malwarenet.org never asks for your OpenID password -- your OpenID provider does.

2) Why does malwarenet.org want your Facebook password / to connect with your Facebook account?
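The two points above (a delegate page on your own domain, and the relying party never seeing your provider password) can be made concrete with a little code. This is an added example, not code from the thread or from any OpenID library: it parses the `openid.server` / `openid.delegate` link tags an OpenID 1.1 relying party looks for, then builds the `checkid_setup` redirect that sends the browser to the provider. The page HTML, the provider and the relying-party URLs are all constructed for the example; the parameter and rel names are the ones in the OpenID 1.1 spec. The trust-root check is a simplified one (no wildcard hosts).

```python
"""Added example: OpenID 1.1 relying-party side of a delegated login.

The relying party (RP) fetches the user's claimed URL, reads two <link>
tags, and redirects the browser to the provider. The password prompt
happens at the provider, which is why the RP never needs to ask for it.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Constructed sample of a user's own homepage that delegates to a provider.
SAMPLE_DELEGATE_PAGE = """
<html><head>
  <title>My homepage</title>
  <link rel="openid.server" href="https://provider.example.net/openid/server">
  <link rel="openid.delegate" href="https://provider.example.net/users/alice">
</head><body>hello</body></html>
"""


class _LinkTagParser(HTMLParser):
    """Collects href values of <link> tags, keyed by their rel attribute."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # first occurrence wins; later duplicates are ignored
            self.links.setdefault(rel.lower(), href)


def discover(html):
    """Return (server_endpoint, delegate_identity) from an OpenID 1.1 page.

    Raises ValueError when the page carries no openid.server link.
    """
    p = _LinkTagParser()
    p.feed(html)
    server = p.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link on page")
    return server, p.links.get("openid.delegate")


def build_checkid_setup_url(server, identity, return_to, trust_root):
    """Build the redirect that sends the browser to the provider's login page.

    Parameter names are the OpenID 1.1 checkid_setup ones. return_to must lie
    under trust_root (simplified check, no wildcard hosts), otherwise a
    misconfigured RP would have assertions delivered to some other host.
    """
    rt, tr = urlparse(return_to), urlparse(trust_root)
    if (rt.scheme, rt.netloc) != (tr.scheme, tr.netloc) or not rt.path.startswith(tr.path):
        raise ValueError("return_to is not within trust_root")
    if urlparse(server).scheme != "https":
        # the user will type a password at this URL, so insist on TLS
        raise ValueError("refusing to redirect to a non-HTTPS provider endpoint")
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)


def start_login(user_page_html, claimed_url, rp_return_to, rp_trust_root):
    """RP step one: discovery, then the redirect URL to send the browser to."""
    server, delegate = discover(user_page_html)
    # With delegation, the identity sent to the provider is the delegate URL,
    # not the memorable homepage URL the user typed into the RP's login box.
    identity = delegate or claimed_url
    return build_checkid_setup_url(server, identity, rp_return_to, rp_trust_root)


if __name__ == "__main__":
    print(start_login(SAMPLE_DELEGATE_PAGE, "http://openid.example.com/",
                      "https://rp.example.org/openid/return",
                      "https://rp.example.org/"))
```

The redirect carries no credentials at all; what comes back to `openid.return_to` is a signed assertion that the RP still has to verify with the provider (the `check_authentication` step, not shown here) before trusting it.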


"Modify the services named based on expected clients. Choose one or more from the following: AOL, BBC, Facebook, Google, IBM, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream and Yahoo!. "

That's the problem! Most people will look at this and not know what to do. People hate choice; you generally have to lead them. On the other hand, that you even have to provide such a big list is a flaw in the OpenID spec in my opinion.

Obviously doesn't apply to everyone, but most of the time they don't want to think, they want to use the app.


Perhaps I didn't phrase my comment clearly? I meant that the website creator can pick one or two of the above to feature on the sign-up page. Examples: Aiming at techy 20-somethings? Google's your bet. Professionals? Advertise Linkedin. Users from Russia? Yandex and Livejournal.

Advertise one or two of the most likely sign-in credentials (so people who hate choice have it easy), and then put a small note that others are accepted too (so people who know what's going on aren't locked out).


OpenID is a delegated identity service. It's like a credit card, drivers license or social security card. And on that front everyone knows how to use one. It's been companies like Facebook, Microsoft that have been fucking this up and trying to own it, and to create some bullshit "one web identity" service.

I have been trying to seek out jobs to improve the UX of OpenID, and at MySpace I did the 1st popup login flow.

After MySpace imploded, I even tried for a short time to start an identity company called redrover, but then I had an offer to build an identity service for unity (which was never internally supported).

I am very passionate about making web identity work, and allowing people to have multiple web persona.

I have more ideas but I don't have a platform to innovate on.

Maybe now that I am working part time at UCSF on 'Profiles' with Harvard I have a shot again to fix OpenID, OpenSocial, and OAuth.

Here is some work that Aza did to improve social bookmarking: http://www.azarask.in/blog/post/socialhistoryjs/

If you think about it a bit, you could use CSS inflection to determine or refine a list of potential OpenIDs that the user might use to log in.

Maybe we finally make browsers smarter, or even better yet, maybe with any login form on a web page:

    <form type="login"
          openidprovider="http://myspace.com/{userid}"
          action="https://login.myspace.com/login">
      <!-- or something that supports webfinger -->
      <input name="username">
      <input name="password" type="password">
      <input name="openid" type="url">
    </form>

then supporting sites could... tell the browser to cache those openid urls like you do for username/password pairs.

It also might be possible to link your openid to a user profile in a browser, so that when you see the openid login form the browser can know what your profile is and delegate that identity transaction for you, like it handles cookies.



