Comments on: Federated Identity (and why OpenID sucks)

By: Federated Identity and why OpenID sucks | Tim Gregory – The Facebook News

Thu, 30 Jul 2009 08:50:16 +0000

[...] Tim wrote an interesting post today onFederated Identity and why OpenID sucks | Tim GregoryHere’s a quick excerpt [...]

By: Robb

Robb — Wed, 29 Jul 2009 02:55:09 +0000

Hi,

I’ve got to say I disagree with the logic of your argument here.

Yes, the federated options can offer those six advantages.

Yes, Afrigator’s sign-in UX could use a lot of improvement.

Yes, OpenId is a technology, not a brand. (Good point)

But none of those points speak to problems with the OpenId, or OAuth, or any of these other models or systems. Plenty of sites have implemented great sign-in paths based on OpenId, OAuth, and RPX.

See, e.g: http://zoho.com

By: Competitor usability testing – is it useful? | Tim Gregory

Competitor usability testing – is it useful? | Tim Gregory — Mon, 13 Jul 2009 17:17:18 +0000

[...] I was reminded of this when I took the Afrigator guys to task for the poor user experience on their login page in my post about federated identity. [...]

By: Tim

Tim — Fri, 10 Jul 2009 15:24:47 +0000

Thanks for responding Justin, and thanks for posting the stats on your OpenID logins.
We have different audiences for the respectives sites you and I work with, and I agree that for your demographic more choice is probably required.

Looking at your chart still confirms that the big brands (Google, Facebook, Twitter, Blogger, Yahoo) cover 95%+ of even your audience. I stand by my opinion that OpenID login usability is not yet good enough for the masses.

If you haven’t yet, take a look at the Yahoo! usability reports on OpenID linked from my post – there are some key issues identified and a couple of suggesting for improving the UI.

By: Justin Hartman

Justin Hartman — Fri, 10 Jul 2009 14:54:02 +0000

Hey Tim. A nice post and well thought out!
There’s quite a strong focus I see on how poorly the execution is of OpenID/RPX on Afrigator which is never a good thing for me to see but I understand your viewpoint.

You unfortunately caught the bad end of the login process so let me try and explain why it is the way it is. Hopefully you’ll see some method to our madness!

1. Big image of the logos in the sidebar

The reason we chose to use an image with 6 six logos in the sidebar was because we wanted to show (quickly) users that they could login with any of those accounts. Up until about 2 weeks ago when you clicked on that image a JavaScript overlay popped up which allowed you to select your provider (this overlay is done via RPX). This process made a lot of sense because you saw the logos, clicked it and then you select a provider and it was working well.

Unfortunately though, because we’re on the free RPX plan you have little control over the login box and being able to control that so what was happening is that the overlay popup took a really long time to load and was actually slowing down the afrigator site as it was calling their externally hosted JS file each time the page loaded. This became a big usability issue so we decided to only include RPX’s JS file on the login/signup page and then linked the big image to this page. In hindsight I can see how this has confused the issue but is has improved overall speed and performance for us.

2. All the OpenID options

While you say having so many providers is unnecessary I have to disagree with you completely. Yes Google and FB are fine to an extent but we have a much bigger audience to this. For Afrigator having WordPress and Blogger logins make absolute sense as most of the blogs on Afrigator are hosted on wordpress.com or blogger.com. In addition, I read a report that in Africa Windows Live has a much higher penetration to Google and Yahoo in terms of these SSI accounts and because we attract a big African audience it made absolute sense to have Live as an option.

We’re also all about social media so having Flickr and Twitter makes sense for us once more. In addition, Afrigator was one of the first African websites (if not the first) to offer OpenID login – this was way before Google, FB, etc. had opted in to the technology and you had to register an openid account with something like claimid.com. While the usage of OpenID was limited Stii has eluded to our early adopter market and we couldn’t not offer the OpenID option when implementing RPX.

Since we launched we’ve had a number of logins via RPX and here’s a breakdown of the providers that people are using to login with: http://hartman.me/openid-logins-on-afrigator

3. Moving Forward

Sure, I’ll concede that the replication of logos isn’t very usable so we’ll look at changing this process. We’ll probably also move to a paid version of RPX so we can control the login process better.

By: SEO Update #2 | Tim Gregory

SEO Update #2 | Tim Gregory — Thu, 09 Jul 2009 07:28:50 +0000

[...] other interesting thing has been the automated syndication of particular posts – my post on Federated Identity was picked up by planetidentity.org and idmjournal.com and sent some traffic my way. I have no [...]

By: Stii

Stii — Wed, 08 Jul 2009 08:19:30 +0000

As far as I can see, no one really does it. Unless RPX returns the endpoint (i.e. claimid.com) instead of the delegate URL. I used to do it with my old blog, but I used it so little that I did not even bother when I moved to my new blog!

On the twitter stats, I’m quite surprised to see that figure! 100K SA users? Of that 100K I doubt if many of them are active users. Very few of our third party registered users opt for the Twitter option although it may just be due to them preferring the other options :/

By: David Fox

David Fox — Wed, 08 Jul 2009 06:52:23 +0000

Nice post!

By: Tim

Tim — Wed, 08 Jul 2009 05:36:03 +0000

Thanks Stii… is there any pattern to the OpenID use? Are most users authenticating with OpenID issued through their own blogs?
The email problem is not really an issue for us when allowing users to simply drop a comment on an article, but will need to be solved for more general-purpose login & registration.
We currently don’t require an email confirmation when a 24.com account is created, and keep a flag in the DB for confirmed vs unconfirmed accounts.
@ Wogan – Twitter is interesting, but I don’t think it has the brand recognition and userbase (for our audience) that Facebook and Google have. If you have any stats for number of SA Twitter users I’d be interested to know them.
Updated: Some great Twitter stats from a June 2009 report… they analysed 11.5m Twitter accounts… SA users were 0.85% of that base.. so something like 100k Twitter users in SA at the time of analysis. About 10% of the SA Facebook accounts at the time of writing this report.

By: Stii

Stii — Tue, 07 Jul 2009 22:58:41 +0000

Hi Tim,

Duly noted and thank you for the feedback/advice. RPX has a paid for option which offers a lot more flexibility and customization. We opted for the free option (since we wanted to experiment with it and see if there was a significant impact) which resulted in a bit of a mess as far as the usability goes, I will admit. We will revisit our options.

I agree that too many options are not a good thing. A lot of the options we offer are not used and will be removed. OpenID, on the other hand is one of the services that is being used, but that is to be expected. We’re pretty much in a geek/early adopter space, so it makes sense.

That being said, the biggest issue we have with these single sign-ons is that besides Google, Yahoo! and Windows Live, the sign-on API does not return an email address. This is not too big a deal for us, but it does make future communications with users difficult. Yes, you can prompt the user to enter his email address and require him to verify it after he/she signed on with a third party product, but IMHO that defeats the object of having this feature.

Cheers and thanks

Stii
Afrigator.com