Sun 18 Nov 2007
OpenID Doesn't "Just Work" Yet
Posted at 19:40 +1100
When Simon Willison started to do a lot of publicity work for OpenID last year, I figured it was probably the right time to at least learn as much about it as possible and start trying things out. Just over a year later and, whilst as a technical specification and a service it shows a lot of promise, as something for users, it doesn't seem to be there quite yet.
Lately I've been looking a lot at the user experience. Whenever possible, I've been using OpenID logins on sites that allow it for comments. I've also been noticing sites that aren't OpenID-enabled when they really should be. My feelings have been mostly ones of disappointment. The user experience doesn't end up being very inviting as a rule and I'm gradually arriving at the point where I'm nervous about using OpenID because it's misused so often. Time to draw a few conclusions.
Case Studies
Firstly, a note on my particular setup. I have a couple of OpenID accounts, but I primarily use this blog's URL as my OpenID URL and the service is delegated to ClaimID. So not one of the original OpenID providers, but still an early adopter.
Livejournal
I am not a livejournal member. However, you can leave comments there by identifying yourself using OpenID. Kind of. Certainly I can enter my URL and the delegation bit works. Livejournal then chooses to display my URL as my name in the comment! What the @$%!? I realise that I've just used that URL as my identity under a very loose set of constraints, but it's not my name and I choose not to use it as such. I already have a name.
Much more importantly, other people know me by my actual name (the one that's spelt M-a-l-c-o-l-m); they shouldn't have to track down who I am via the URL I entered. So people using non-Livejournal OpenID providers are second class citizens here. It makes me look bad as a commenter and discourages me from wanting to leave comments on friends' Livejournal blogs ever again.
Wordpress plugin(?)
I'm a little unclear on all the pieces involved here, hence the question mark in the title, but, again, I'm experiencing this as a user, putting my tech/debugger persona aside for a while. I left a comment today on Jeff Waugh's blog. Jeff uses Wordpress. I don't know how much control he has over his comments box here (I suspect more than he's used, but this isn't a "beat Jeff" exercise, since his isn't an atypical case). The comment form said my name and email address were required, but it also indicated OpenID would be used on the website link. As an experiment, I left off the two initial required fields and only entered my OpenID URL.
Things mostly worked... delegation to claimID, enter username and password, repeat because I screwed up the password. Now it wanted "handle", "full name" and "email address". Hmm... two problems here. Firstly, claimID already has the latter two pieces of information. Why do I have to fill them in? Secondly, the "handle" field (it may have been called "nickname", I can't remember) isn't even used in the display on Jeff's website.
No indications when I was filling in this information as to how it was going to be used on the target site. I guessed that the "handle" would be the display name used on the comment. Nope (it wasn't used at all). My full name was used. This might (in other circumstances) influence what I entered in those fields. This might sound in conflict with my complaint that the information wasn't automatically extracted from my account at claimID, but it's also an expectation issue. Based on my Livejournal and other experiences, it seems the auxiliary data is used in very inconsistent ways (or not at all). Until the user has a reasonable expectation of what will happen next, they have reason to be nervous. It's also just bad UI: I'm being asked to supply some information with no more information than "the requesting site needs it".
Blogger (Google)
A lot of blogs I read are hosted on Google's Blogger (no link for them, since there doesn't seem to be any page that doesn't try to log you in or use up resources needlessly in Firefox). Leaving comments on Blogger is a distressing experience for so many reasons (tiny pop-up windows??!). Their OpenID support is very uniform across all providers: nobody gets anything. They simply don't support it. Whoops. Since Blogger's default behaviour is to notice I'm already logged into Google for actual useful reasons and use that, which gives a URL linking to a page saying I don't have a profile (well, duh .. I don't use Blogger), the whole experience is very time consuming when I want to comment.
simonwillison.net
I'll use Simon's blog as an example of a very nice user experience. Logged in once many moons ago and decided to trust his site. Comments are displayed with my full name and OpenID authentication icon is in full view. No complaints here. However, the experience is very atypical (but not unique, thankfully).
Drawing Conclusions
At this moment, I haven't dived into working out whether my unpleasant experiences (and I haven't listed all my good or bad OpenID cases above, just a few of the typical ones) are a result of the consumer's site being poorly integrated or something my provider is doing a bit differently, or not as well as they could. I haven't taken the time to try out the whole thing again using my openid.net account, for example. What I have learnt is that I'm going to have to do this before I can feel comfortable about what the expectations are for an average user. There's too much variation and poor support for the single account I've tried so far.
Looking at OpenID from a consumer's or provider's perspective doesn't worry me. I understand the spec (I've read it a few times, plus the proposed extensions), but I'm not happy that the user's experience has been exposed well so far. Note that when I say consumer here, I mean a website that accepts OpenID logins. The provider is the site managing the OpenID identities — providing the authentication — and the user is the person using their OpenID URL to log into a consumer's site.
When this blog eventually grows the ability to support comments, I'll be wanting to support OpenID. Without sucking. It's not a trivial thing. A few things that I need to work out (and all consumers of OpenID identities need to concern themselves with):
- A common conscientious user question has to be: "why do I need to keep entering my name?" If other information is needed (and exactly why do you need my email address, Wordpress, if I'm establishing my identity via OpenID?), what's it going to be used for?
- The URL I use to establish my identity is not necessarily the URL to display as the link for my name. In my case it works, but if, for some reason, I can't use OpenID delegation and have to directly link to claimd.net, say, or if I have a livejournal OpenID URL but it's not my primary blog, then it's probably nice if we can differentiate between "preferred website" and "URL the user has identified with". If those two are different, you don't want to say the user has identified with the former site, but you don't want to hijack their preferred link, necessarily. Not sure what the solution is here.
- The OpenID URL is how the user identified themselves to the consumer's website. However it is absolutely not how the user identifies themselves to other people (are you listening, Livejournal?). Don't confuse the human readable presentation with the computer readable identity.
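One way a consumer could keep the three concerns in the list above apart, as an added Python example that is not code from this blog or from any OpenID library: the account is keyed on the claimed identifier only, the display name comes from what the user typed or from the self-asserted Simple Registration fields, and the preferred website is stored separately. The `Commenter` type and every function name are hypothetical, the sample values in the usage are constructed, and the OpenID response is assumed to have been verified already.

```python
from dataclasses import dataclass
from html import escape
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Commenter:
    claimed_id: str          # machine-readable identity: the only account key
    display_name: str        # human-readable name shown to other people
    website: Optional[str]   # preferred link; may differ from claimed_id

def sreg_request(policy_url):
    """Ask only for fields the comment display uses, as optional, and link
    to a policy page that says what they are used for."""
    return {"openid.sreg.optional": "fullname,nickname",
            "openid.sreg.policy_url": policy_url}

def safe_http_url(url):
    """Accept only absolute http(s) links for the commenter's name link."""
    url = (url or "").strip()
    parts = urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None

def commenter_from_assertion(claimed_id, sreg, form_name=None, form_website=None):
    """claimed_id and sreg come from an ALREADY VERIFIED OpenID response.
    sreg values are self-asserted: use them for display, never as identity."""
    candidates = (form_name, sreg.get("openid.sreg.fullname"),
                  sreg.get("openid.sreg.nickname"))
    name = next((c.strip() for c in candidates if c and c.strip()), None)
    if name is None:
        # Last resort only: show the host, not the whole URL, as the name.
        name = urlsplit(claimed_id).netloc
    return Commenter(claimed_id, name, safe_http_url(form_website))

def render_byline(c):
    """The name links to the preferred site; the identity URL appears only
    on the OpenID badge, so the two are never presented as the same thing."""
    name = escape(c.display_name)
    badge = f'<span class="openid" title="{escape(c.claimed_id)}">OpenID</span>'
    if c.website:
        return f'<a href="{escape(c.website)}" rel="nofollow">{name}</a> {badge}'
    return f"{name} {badge}"

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    sample = commenter_from_assertion(
        "http://example.org/blog/",
        {"openid.sreg.fullname": "Sample Commenter"},
        form_website="https://example.net/")
    print(render_byline(sample))
```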
Over time, I'm sure OpenID will improve. However, I suspect it's a bit too early for everybody to be announcing how easy it is to use and how so many million people have OpenIDs. It's just too poorly supported to be useful.
Topics: technology/openid, thinking