Federated Identity (and why OpenID sucks)
The idea of federated identity management on the WWW has been around in various forms for years, but has only gained real traction in the past year or so.
For websites, the idea is simple – instead of each site that requires user authentication asking for registration and capturing and storing all that information themselves, sites may allow external services to authenticate users for them.
This is great for users, because they don’t have to remember lots of passwords and maintain identity on various sites, and it’s great for websites too, because they don’t have to force all users through convoluted sign-up process nor do they have to secure usernames and passwords for every user that interacts with the site. The authenticating service only vouches for ‘who’ the user says they are, the authorization, or ‘what’ they may do once authenticated is still managed by the websites themselves.
It’s taken a little while for website owners to get their heads around the idea that they don’t have to authenticate users themselves, but it’s starting to happen all over now.
A great analogy for this new way of thinking is paying for a meal at a restaurant with a credit card – the restaurant probably doesn’t care whether it’s Visa or Mastercard doing the authentication, they just want to know that a trusted authority confirms that the user is probably who they say they are and have funds available.
It’s taken a long time to get to where we are… Microsoft launched their Passport ‘Single Sign On’ (SSO) service in 1999, promising a single login that could be used at multiple websites, all managed by Microsoft.
Major Microsoft properties such as the MSN Network used it, and other high profile sites like eBay adopted it over the following couple of years.
In South Africa, MWEB launched a similar service called ‘Sign Me In’, sometime around 2001 if my memory serves me.
Sign Me In, or SMI was a Single Sign On service modeled on MS Passport, and rolled out to all MIH and Naspers group sites at the time like SuperSport, the M&G, and News24.
It was also used to lock down all local news and content sites published by Media24 and MWEB to South African users. International users had to pay a subscription to access the content.
Predictably, there was some resistance to SMI amongst partner sites, and it faced a similar battle to gain widespread adoption to that faced by Passport.
Website owners didn’t want to entrust their user database and authentication services to another party. They got the sense that the authenticating services wanted to ‘own’ the users somehow, and they were probably right. Service level agreements had to be put in place. Any down-time on the sign-in service would knock out all dependent sites. International bandwidth and latency issues meant that early versions of SMI could take up to 2 minutes to log users in across all sites.
The way it was implemented meant that it was possible for a user to log in, be authenticated against a number of sites, and then hit a ‘Sign Me Out’ button that would log them out of only a single site, leaving them authenticated against loads of other sites. And most importantly, site owners lost control of the user experience at one of the most important moments of interaction with them.
The experience for all concerned was poor, and SMI and Passport shared a similar fate – over time the relying parties moved away from them or offered a choice of login. Today, Windows LiveID, Passport’s successor is only used on Microsoft sites and services and some affiliates like Expedia. And today SMI is only in use on MWEB’s products and services and a couple of sites that haven’t got around to unhooking from it yet like Food24.
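The two ideas above, that the external service vouches only for who the user is while the site decides what they may do, and that a local ‘sign out’ ends only that site’s session, are easy to get wrong in practice. The following is an added example, not code from the original post or from Passport, SMI or any real provider: a minimal relying-party model in Python. The HMAC-signed assertion, the provider name `example-idp`, the shared secret, the site names and the role table are constructed stand-ins for a real protocol’s wire format and are not OpenID or Facebook Connect.

```python
"""
Added example (not from the original post): a minimal relying-party model.
An identity provider signs a short-lived, audience-bound statement that a
subject has authenticated; each website verifies it, opens its own session,
and applies its own authorization. Provider, secret, sites and roles are
constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
import time

# Shared secrets this website holds for each provider it trusts (constructed).
TRUSTED_PROVIDERS = {"example-idp": b"constructed-shared-secret"}


def issue_assertion(provider, secret, subject, audience, ttl=300, now=None):
    """Provider side: sign 'subject authenticated, for site <audience>, until exp'."""
    now = time.time() if now is None else now
    claims = {"iss": provider, "sub": subject, "aud": audience, "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return body, sig


class RelyingParty:
    """One website. It authenticates via providers but authorizes locally."""

    def __init__(self, site, providers, roles):
        self.site = site
        self.providers = providers
        self.roles = roles            # local user id -> set of permitted actions
        self.sessions = {}            # session token -> local user id

    def login(self, body, sig, now=None):
        """Verify the provider's assertion and open a session for this site only."""
        now = time.time() if now is None else now
        claims = json.loads(body)
        secret = self.providers.get(claims.get("iss"))
        if secret is None:
            raise PermissionError("untrusted provider")
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        if claims.get("aud") != self.site:
            raise PermissionError("assertion issued for a different site")
        if claims["exp"] < now:
            raise PermissionError("assertion expired")
        # Scope the local identity by provider so subjects from two providers never collide.
        user_id = f"{claims['iss']}:{claims['sub']}"
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def can(self, token, action):
        """Authorization is this site's decision, whoever authenticated the user."""
        user_id = self.sessions.get(token)
        return user_id is not None and action in self.roles.get(user_id, set())

    def logout(self, token):
        """Ends this site's session only. The provider and every other site still
        consider the user signed in, which is the 'Sign Me Out' behaviour described above."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    secret = TRUSTED_PROVIDERS["example-idp"]
    roles = {"example-idp:alice": {"comment", "moderate"}}
    site_a = RelyingParty("site-a", TRUSTED_PROVIDERS, roles)
    site_b = RelyingParty("site-b", TRUSTED_PROVIDERS, roles)
    tok_a = site_a.login(*issue_assertion("example-idp", secret, "alice", "site-a"))
    tok_b = site_b.login(*issue_assertion("example-idp", secret, "alice", "site-b"))
    site_a.logout(tok_a)
    print("site-a:", site_a.can(tok_a, "comment"), "site-b:", site_b.can(tok_b, "comment"))
```

Note the `aud` check: an assertion minted for one site is rejected by another, so a user signed in to two sites holds two separate assertions and two separate sessions, and signing out of one site cannot affect the other.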
Fast-forward to today, and there is a huge amount of buzz about OpenID, Facebook Connect, Google Friend Connect, MySpaceID and various other services that allow you to use your choice of authentication service to login to websites.
The use of these services today is quite different to the experience of Passport and SMI:
- Customers are given choice, rather than the website choosing one single-signon technology
- Users trust Facebook, Google and MySpace. They already maintain identities there, and use their login credentials all the time to access these services
- Facebook, Google and MySpace are well-known, instantly recognisable brands for web users
- Website owners get to access existing profile details without requiring registration, and to interact with the users’ social graph
- Users maintain multiple personas online, and the use of multiple alternate authentication services allows them to choose which one they use to login to a given site
- The experience is slick – users are often able to login to a site without a fresh login if they are already signed into a trusted service
At 24.com we’ve started dabbling with the idea of federated identity and 3rd-party authentication, having recently launched an integration between comments on Wheels24 and Facebook using Facebook Connect.
The experience is great – if I’m logged in to Facebook as Tim Gregory, when I attempt to comment on the site I’m already recognized and my details (including profile pic) are pulled through.

When posting a comment, I’m given the option of pushing a notification out to my Facebook activity stream which in turn drives further conversation, commenting, and clicks on the link the article. Nice.
Now on to OpenID, and the proliferation of sites accepting alternative sign-ins. I presume the thinking goes something like this – “well, if accepting 1 or 2 alternative log in options is good, then accepting dozens must be awesome!”
And we quickly arrive at login processes like the one on Afrigator. I’m sure the developers had the best intentions, but the login usability is terrible.
The homepage shows six (6!) logos of authentication services that can be used to log in to Afrigator. These include Google, Yahoo!, WordPress, Blogger, Twitter, and Facebook.
Clicking on ANY of the images takes you through to a second page that now displays the same 6 logos on the right (which, when clicked, endlessly take you back to the page you’re already on), and then the same 6 logos on the left again, with Flickr and OpenID logos now thrown in for a total of 8 branded login choices, in addition to an invitation to log in using a form below all the logos.
Kinda makes you think that you might be able to use any of those logins in the form below the logos, right?
Wrong! That’s the Afrigator login, stupid!
If you want to actually login with your Yahoo! account, you need to click on the logo. (no, the Yahoo! logo on the left, the Yahoo! logo on the right puts you into a loop, remember?).
Ok… so I click on the Yahoo! logo again, expecting that perhaps I’ll be presented with a form asking me for my Yahoo! account details. Nope, wrong again… I’m presented with a popup containing the SAME 6 logos I’ve seen again and again… and yes, the Yahoo! logo is still there. By now I feel like Charlie Brown trying to kick the football – “Go on, kick the ball Charlie Brown, I promise I won’t move it this time”. Should I click it again? Will clicking a different logo do something new?
This is not a good user experience, no matter how good the intentions of the site creators. To try to convey the full impact of the choices presented, I’ve created a little montage of all the logo choices presented by Afrigator for authentication. In my opinion, too much choice is a bad thing in this context. It doesn’t help users, and that has to be the overriding usability objective. To be fair to the Afrigator guys, I do understand the impact of using RPX, and the site as a whole is usable. I just get the feeling that nobody has looked past the technical aspects to see if the interface actually makes sense.

And I haven’t even got to OpenID yet….
OpenID is not a brand, it’s a technology.
Only real geeks recognize the logo. Not even Mac users.
Nobody loves OpenID the way they love Facebook and Google.
OpenID breaks common login metaphors, like the username/password convention.
OpenID is not intuitive, and requires explanation (as evidenced by various sites online that explain how to use it).
The multi-site login/logout behaviour is inconsistent.
The experience of using OpenID to log into a site is usually more painful than simply signing up for a new account on the site.
Few users know that they can use some of their existing services for OpenID authentication.
It offers little utility to site owners in terms of trusted 3rd-party authentication (anybody can be an authenticator using OpenID), and it provides little value in the way of a social graph that can be tapped into by the site owner.
If you don’t believe me, go read the reports Yahoo’s OpenID research group have released regarding OpenID usability. It’s not pretty, and this is the result of testing done on technical users by advocates of the technology.
The Yahoo! usability report presentation is here and should be compulsory reading for tech-utopians who haven’t figured out why OpenID is still a solution looking for a problem.
So… if reason prevails when we integrate 3rd-party authentication services for 24.com, there will be a standard login screen with a username and password form, a link inviting users to register, and only 2 additional logos on the page – Facebook, and Google. Close to these logos will be a line of text inviting users to log in with one of these alternatives. Clicking on either logo will log the user in (if the user has a valid authenticated session open), or invite the user to enter a username and password for the service of their choice.
And that is all.
What, no Twitter oAuth?
It’s ridiculously easy to implement, and provides fantastic amounts of easily-accessible profile + social graph data. Plus it opens up a promotional channel – on-site one-click article sharing etc.
That, and I’d share my Twitter profile before my Google Profile or Facebook profile. Twitter is the most accessible medium, plain and simple.
~ Wogan
Hi Tim,
Duly noted and thank you for the feedback/advice. RPX has a paid for option which offers a lot more flexibility and customization. We opted for the free option (since we wanted to experiment with it and see if there was a significant impact) which resulted in a bit of a mess as far as the usability goes, I will admit. We will revisit our options.
I agree that too many options are not a good thing. A lot of the options we offer are not used and will be removed. OpenID, on the other hand is one of the services that is being used, but that is to be expected. We’re pretty much in a geek/early adopter space, so it makes sense.
That being said, the biggest issue we have with these single sign-ons is that besides Google, Yahoo! and Windows Live, the sign-on API does not return an email address. This is not too big a deal for us, but it does make future communications with users difficult. Yes, you can prompt the user to enter his email address and require him to verify it after he/she signed on with a third party product, but IMHO that defeats the object of having this feature.
Cheers and thanks
Stii
Afrigator.com
Thanks Stii… is there any pattern to the OpenID use? Are most users authenticating with OpenID issued through their own blogs?
The email problem is not really an issue for us when allowing users to simply drop a comment on an article, but will need to be solved for more general-purpose login & registration.
We currently don’t require an email confirmation when a 24.com account is created, and keep a flag in the DB for confirmed vs unconfirmed accounts.
@ Wogan – Twitter is interesting, but I don’t think it has the brand recognition and userbase (for our audience) that Facebook and Google have. If you have any stats for number of SA Twitter users I’d be interested to know them.
Updated: Some great Twitter stats from a June 2009 report… they analysed 11.5m Twitter accounts… SA users were 0.85% of that base.. so something like 100k Twitter users in SA at the time of analysis. About 10% of the SA Facebook accounts at the time of writing this report.
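Stii’s point that most sign-on APIs return no email address, and Tim’s mention of keeping a confirmed/unconfirmed flag, describe a flow that is worth seeing end to end, because an address the site never verified must not be used for account recovery or mail. The following is an added example, not code from Afrigator, 24.com, RPX or any provider: an in-memory account store in Python where a third-party sign-in creates a local account, an email supplied by the user is stored as unconfirmed, and only a single-use, time-limited token sent to that address flips the flag. The provider names, profile field names (`email_verified` in particular) and the `CONFIRM_TTL` value are constructed assumptions.

```python
"""
Added example (not from the original thread): linking a third-party sign-in to
a local account and confirming a user-supplied email address before trusting it.
Provider names, profile fields and the in-memory store are constructed.
"""
import secrets
import time

CONFIRM_TTL = 24 * 3600   # constructed: confirmation links expire after a day


class AccountStore:
    def __init__(self):
        self.accounts = {}    # local id -> {"email": str|None, "email_confirmed": bool}
        self.pending = {}     # confirmation token -> (local id, email, expiry)

    def sign_in_with_provider(self, provider, profile):
        """Create or fetch the local account for a provider identity.
        An address is trusted only if the provider itself marks it verified;
        anything else (or no address at all) leaves the account unconfirmed."""
        local_id = f"{provider}:{profile['id']}"
        rec = self.accounts.setdefault(local_id, {"email": None, "email_confirmed": False})
        email = profile.get("email")
        if email and profile.get("email_verified") is True:
            rec["email"], rec["email_confirmed"] = email, True
        return local_id

    def request_email_confirmation(self, local_id, email, now=None):
        """Store the address as unconfirmed and return the token that would be
        mailed to it. Changing the address always resets the flag."""
        now = time.time() if now is None else now
        rec = self.accounts[local_id]
        rec["email"], rec["email_confirmed"] = email, False
        token = secrets.token_urlsafe(24)
        self.pending[token] = (local_id, email, now + CONFIRM_TTL)
        return token

    def confirm_email(self, token, now=None):
        """Mark the address confirmed if the token is known, unexpired, and still
        matches the address on the account. Tokens are single use."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        local_id, email, expiry = entry
        if now > expiry:
            return False
        rec = self.accounts.get(local_id)
        if rec is None or rec["email"] != email:
            return False
        rec["email_confirmed"] = True
        return True

    def mailable(self):
        """Accounts that may be contacted: confirmed addresses only."""
        return sorted(i for i, r in self.accounts.items() if r["email_confirmed"])


if __name__ == "__main__":
    store = AccountStore()
    uid = store.sign_in_with_provider("example-blog", {"id": "123"})   # no email returned
    token = store.request_email_confirmation(uid, "alice@example.com")
    print("before:", store.mailable())
    store.confirm_email(token)
    print("after:", store.mailable())
```

The flag is reset whenever the address changes, and the token is consumed on first use, so a stale link cannot confirm an address the user later replaced.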
Nice post!
As far as I can see, no one really does it. Unless RPX returns the endpoint (i.e. claimid.com) instead of the delegate URL. I used to do it with my old blog, but I used it so little that I did not even bother when I moved to my new blog!
On the twitter stats, I’m quite surprised to see that figure! 100K SA users? Of that 100K I doubt if many of them are active users. Very few of our third party registered users opt for the Twitter option although it may just be due to them preferring the other options :/
Hey Tim. A nice post and well thought out!
There’s quite a strong focus I see on how poorly the execution is of OpenID/RPX on Afrigator which is never a good thing for me to see but I understand your viewpoint.
You unfortunately caught the bad end of the login process so let me try and explain why it is the way it is. Hopefully you’ll see some method to our madness!
1. Big image of the logos in the sidebar
The reason we chose to use an image with six logos in the sidebar was because we wanted to show (quickly) users that they could login with any of those accounts. Up until about 2 weeks ago when you clicked on that image a JavaScript overlay popped up which allowed you to select your provider (this overlay is done via RPX). This process made a lot of sense because you saw the logos, clicked it and then you select a provider and it was working well.
Unfortunately though, because we’re on the free RPX plan you have little control over the login box and being able to control that, so what was happening is that the overlay popup took a really long time to load and was actually slowing down the afrigator site as it was calling their externally hosted JS file each time the page loaded. This became a big usability issue so we decided to only include RPX’s JS file on the login/signup page and then linked the big image to this page. In hindsight I can see how this has confused the issue but it has improved overall speed and performance for us.
2. All the OpenID options
While you say having so many providers is unnecessary I have to disagree with you completely. Yes Google and FB are fine to an extent but we have a much bigger audience to this. For Afrigator having WordPress and Blogger logins make absolute sense as most of the blogs on Afrigator are hosted on wordpress.com or blogger.com. In addition, I read a report that in Africa Windows Live has a much higher penetration to Google and Yahoo in terms of these SSI accounts and because we attract a big African audience it made absolute sense to have Live as an option.
We’re also all about social media so having Flickr and Twitter makes sense for us once more. In addition, Afrigator was one of the first African websites (if not the first) to offer OpenID login – this was way before Google, FB, etc. had opted in to the technology and you had to register an openid account with something like claimid.com. While the usage of OpenID was limited Stii has alluded to our early adopter market and we couldn’t not offer the OpenID option when implementing RPX.
Since we launched we’ve had a number of logins via RPX and here’s a breakdown of the providers that people are using to login with: http://hartman.me/openid-logins-on-afrigator
3. Moving Forward
Sure, I’ll concede that the replication of logos isn’t very usable so we’ll look at changing this process. We’ll probably also move to a paid version of RPX so we can control the login process better.
Thanks for responding Justin, and thanks for posting the stats on your OpenID logins.
We have different audiences for the respective sites you and I work with, and I agree that for your demographic more choice is probably required.
Looking at your chart still confirms that the big brands (Google, Facebook, Twitter, Blogger, Yahoo) cover 95%+ of even your audience. I stand by my opinion that OpenID login usability is not yet good enough for the masses.
If you haven’t yet, take a look at the Yahoo! usability reports on OpenID linked from my post – there are some key issues identified and a couple of suggestions for improving the UI.
Hi,
I’ve got to say I disagree with the logic of your argument here.
Yes, the federated options can offer those six advantages.
Yes, Afrigator’s sign-in UX could use a lot of improvement.
Yes, OpenId is a technology, not a brand. (Good point)
But none of those points speak to problems with the OpenId, or OAuth, or any of these other models or systems. Plenty of sites have implemented great sign-in paths based on OpenId, OAuth, and RPX.
See, e.g: http://zoho.com