Why OpenID sucks from a user experience perspective
Many people seem to be touting OpenID as the next big thing in authentication. Early adopters request it, web geeks love it, and sites having it claim to be easier to use and more modern. The idea of maintaining only one login to access everything else sounds like a great idea until you thoroughly examine it. I personally have been considering the concept, especially since many Cashboard customers are requesting OpenID login as a feature addition.
What problem are we solving exactly?
The first gripe most people have with regular login systems is memory. There's no doubt about it: maintaining all of the login information across your accounts can become tedious.
I personally have about 40 web logins and passwords I have to maintain for various services. The idea of having only one login to remember is nice, but is this really a problem?
Today all browsers allow you to save your login/password information, and if you're worried about security you can always use a program to manage your passwords, which also encrypts everything for safekeeping. Most password managers also have mobile versions for your phone so you can take login information with you on the go.
Replacing non-problems with confusion
OpenID claims to solve this memory "problem" another way, by providing one password to rule them all. It sounds good in theory, but in reality it quickly falls apart from a usability perspective.
I stumbled across a great article that explains the usability downfalls of OpenID which I suggest you check out. I won't rehash all of the discussion there. Rather, I'd like to take a look at a real world example I personally ran into on Stackoverflow.
One can imagine the following thoughts racing through the average web visitor's head when this screen initially pops up.
- Where's the username and password fields?
- I like Google, but don't like Yahoo. Should I click Google?
- What do I type here?
- What's my OpenID URL?
Even those that know what OpenID is could be challenged when presented with a screen like this. I personally have a Google account, 2 Yahoo accounts, a WordPress account, and an AIM/AOL login. Which one do I use to log in here?
At least with the majority of my other accounts I use a standard email address which I've been conditioned to remember. OpenID invents a whole new bag of problems, this being just the first.
New problems being invented with OpenID
I've actually logged into Stackoverflow before and had linked it with my Yahoo account. Returning to the StackOverflow site to ask a question, I attempted to log in with my Yahoo OpenID once again. The problem is, now Stackoverflow didn't recognize my Yahoo OpenID.
Instead of being logged in after completing the OpenID process I was greeted with this screen.
I thought I must have forgotten which OpenID I used to login. Perhaps it was my Google account? Nope, not that one...not any of them in fact.
Feeling frustrated I finally stumbled to this page which is supposed to email your forgotten login information. I played roulette with my different email addresses, finally hitting one that it found acceptable.
When I received the "account recovery" email it told me something quite bizarre; I had linked my account to my Yahoo/Flickr OpenID. The problem is I had just deleted my Flickr account a couple of days ago thinking I would never use it again. Even though I still had a Yahoo account, I did not have my Flickr account. It turns out that you can actually have MULTIPLE OpenIDs through the same provider.
This is supposed to be better than a regular username / password combination how?
Unfortunately there is simply no way to ever log in to the site again, or to reset my account to be linked with another OpenID.
What a horrible user experience.
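The lockout described above comes from binding an account to exactly one provider identifier, with no way to attach a second one or to rebind after that identifier disappears. The following is an added illustration, not code from this post, from Stackoverflow or from any OpenID library, of the alternative a relying party can implement: a local account that owns a verified email address plus any number of linked identifiers, and an email-delivered one-time recovery token that lets the user link a new identifier when an old one is gone. All class and function names are hypothetical, the identifiers and email address are constructed sample values, and the identifier normalization is deliberately minimal rather than the OpenID spec's full procedure.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(claimed: str) -> str:
    """Minimal normalization (hypothetical, not the spec's full procedure):
    add a scheme if missing, lowercase scheme and host, drop any fragment."""
    s = claimed.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


@dataclass
class LocalAccount:
    account_id: int
    verified_email: str
    # Several provider identifiers may map to one local account.
    identifiers: Set[str] = field(default_factory=set)


class IdentityLinker:
    """Relying-party side bookkeeping: identifiers -> local account."""

    def __init__(self) -> None:
        self._accounts: Dict[int, LocalAccount] = {}
        self._by_identifier: Dict[str, int] = {}
        self._by_email: Dict[str, int] = {}
        self._recovery: Dict[str, int] = {}  # one-time token -> account_id

    def create_account(self, email: str, claimed: str) -> LocalAccount:
        email = email.strip().lower()
        if email in self._by_email:
            raise ValueError("email already registered")
        acct = LocalAccount(len(self._accounts) + 1, email)
        self._accounts[acct.account_id] = acct
        self._by_email[email] = acct.account_id
        self.link(acct.account_id, claimed)
        return acct

    def link(self, account_id: int, claimed: str) -> None:
        """Attach an identifier; refuse if another account already owns it."""
        ident = normalize_identifier(claimed)
        owner = self._by_identifier.get(ident)
        if owner is not None and owner != account_id:
            raise ValueError("identifier already bound to another account")
        self._by_identifier[ident] = account_id
        self._accounts[account_id].identifiers.add(ident)

    def unlink(self, account_id: int, claimed: str) -> bool:
        """Drop an identifier the user no longer controls (e.g. a deleted provider account)."""
        ident = normalize_identifier(claimed)
        acct = self._accounts[account_id]
        if ident not in acct.identifiers:
            return False
        acct.identifiers.discard(ident)
        del self._by_identifier[ident]
        return True

    def login(self, claimed: str) -> Optional[LocalAccount]:
        """Called only after the provider has asserted `claimed` for this user."""
        account_id = self._by_identifier.get(normalize_identifier(claimed))
        return None if account_id is None else self._accounts[account_id]

    def start_recovery(self, email: str) -> Optional[str]:
        """Issue a one-time token. A real deployment sends it to the address
        and answers identically whether or not the email is registered."""
        account_id = self._by_email.get(email.strip().lower())
        if account_id is None:
            return None
        token = secrets.token_urlsafe(32)
        self._recovery[token] = account_id
        return token

    def recover_and_link(self, token: str, claimed: str) -> Optional[LocalAccount]:
        """Consume the token (single use) and bind a fresh identifier."""
        account_id = self._recovery.pop(token, None)
        if account_id is None:
            return None
        self.link(account_id, claimed)
        return self._accounts[account_id]


# Constructed sample values standing in for the post's Flickr and Yahoo OpenIDs.
FLICKR_ID = "http://www.flickr.com/photos/example-user/"
YAHOO_ID = "https://me.yahoo.com/example-user"
EMAIL = "user@example.invalid"


def walkthrough() -> Optional[LocalAccount]:
    """Replays the post's scenario, but with a way out of the lockout."""
    linker = IdentityLinker()
    acct = linker.create_account(EMAIL, FLICKR_ID)
    assert linker.login(YAHOO_ID) is None          # unknown identifier: the post's dead end
    token = linker.start_recovery(EMAIL)           # delivered by email in practice
    linker.recover_and_link(token, YAHOO_ID)       # bind the identifier still in use
    linker.unlink(acct.account_id, FLICKR_ID)      # drop the one that no longer exists
    return linker.login(YAHOO_ID)


if __name__ == "__main__":
    print(walkthrough())
```

The two properties that matter are that `login` never creates or guesses an account from an unrecognized identifier, and that the recovery path rests on something the relying party verified itself (the email address) rather than on the provider identity that just vanished. The token is single use, so a leaked or replayed recovery link cannot be used to attach a second identifier later.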
Where do we go from here?
I'm sure the example I ran into is just one of many usability scenarios that nobody has bothered to think through. Multiply this by the number of sites implementing OpenID logins and you can quickly start to imagine the myriad of usability problems being invented daily.
OpenID does solve a number of interesting security problems, but at the moment I think it's not mature enough from a usability standpoint to be useful.
I hope the interaction problems surrounding OpenID continue to be worked on, as Yahoo is doing. They've conducted a very thorough usability study on OpenID, which I encourage you to read if you're interested in the topic. It appears they're making progress, but at a slow pace.
There seem to be a few great implementations of Facebook Connect and Twitter OAuth starting to pop up around the web.
I really like what Disqus is doing with blog commenting and linking to the social web, and I'm sure we'll continue to see more interesting alternatives appear.
I'm interested to see where things go from here. Have you seen any great implementations of OpenID yet? Share them with me.