Usability Research on Federated Login
By Dan Alexandru. Thursday, 18. December 2008, 08:47:32
Scenario 1: New user from a trusted IDP
If an AOL user comes to the buy.com site with its current UI (as opposed to the suggested modified UI), and has never created an account at buy.com before, then they would enter their @aol.com E-mail address and choose "I am a new customer." In that case, buy.com would show them an account creation form. However, let's assume buy.com is willing to act as an RP, and it has decided to trust AOL as an IDP. Assuming they switch to the UI model suggested above, then when the user visits the buy.com site, they would enter their @aol.com E-mail address and choose "Help me sign in." Admittedly the phrase "Help me sign in" is not as explicit as "I am a new customer"; however, so far our usability tests have shown it works just as well (though we would like help getting more data to confirm that fact).
In this scenario, buy.com could detect that the domain name belongs to an IDP that it trusts. It could then redirect the user to AOL to verify their identity. Assuming the user approves sharing their identity, the user will be redirected back to buy.com, which can automatically create an account for them and log them in.
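To make the RP side of Scenario 1 concrete, here is an added example (not code from the report, from Google, or from this post) of the two decisions buy.com would have to make: route the typed address to a trusted IDP or fall back to the account form, and, on the way back, verify what the IDP asserts before auto-creating an account. The IDP endpoint URLs, the `Assertion` shape and the RP origin are all assumed for the illustration; a real deployment would get them from the protocol in use.

```python
# Added example, not part of the report or the post. Models a relying party
# (RP) that trusts a fixed set of identity providers (IDPs) by e-mail domain.
# All domain names, endpoint URLs and the assertion layout are constructed.
from dataclasses import dataclass

RP_ORIGIN = "https://buy.com"  # assumed identity of this RP (constructed)

# Allowlist of IDPs this RP has decided to trust, keyed by e-mail domain.
# The endpoint URLs are placeholders, not real IDP endpoints.
TRUSTED_IDPS = {
    "aol.com": "https://idp.aol.example/login",
    "gmail.com": "https://idp.gmail.example/login",
}


def email_domain(address):
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.partition("@")
    domain = domain.strip().lower()
    if not local or not domain or "." not in domain:
        return None
    return domain


def route_login(address):
    """What the RP does after the user types an address and picks
    'Help me sign in': redirect to the trusted IDP for that domain,
    or show the ordinary account-creation form for everyone else."""
    domain = email_domain(address)
    if domain in TRUSTED_IDPS:
        return ("redirect", TRUSTED_IDPS[domain])
    return ("account_form", None)


@dataclass
class Assertion:
    """Constructed stand-in for whatever the IDP hands back to the RP."""
    issuer_domain: str   # which IDP produced it
    email: str           # identity the user agreed to share
    audience: str        # RP the assertion was minted for
    approved: bool       # user consented at the IDP


def complete_login(typed_address, assertion, accounts):
    """On return from the IDP, verify the assertion before provisioning.
    `accounts` is the RP's user store (dict: e-mail -> record)."""
    typed = typed_address.strip().lower()
    domain = email_domain(typed)
    if not assertion.approved:
        return "declined"
    # The assertion must come from the IDP we redirected to (so one IDP
    # cannot vouch for another domain's users) ...
    if domain not in TRUSTED_IDPS or assertion.issuer_domain != domain:
        return "rejected"
    # ... must be addressed to this RP, not replayed from another site ...
    if assertion.audience != RP_ORIGIN:
        return "rejected"
    # ... and must describe the same address the user typed.
    if assertion.email.lower() != typed:
        return "rejected"
    if typed not in accounts:
        accounts[typed] = {"email": typed, "idp": domain}
        return "created_and_logged_in"
    return "logged_in"


if __name__ == "__main__":
    store = {}
    print(route_login("alice@aol.com"))        # ('redirect', <aol endpoint>)
    print(route_login("bob@example.org"))      # ('account_form', None)
    ok = Assertion("aol.com", "alice@aol.com", RP_ORIGIN, True)
    print(complete_login("alice@aol.com", ok, store))   # created_and_logged_in
    print(complete_login("alice@aol.com", ok, store))   # logged_in
```

The three rejection checks are the part worth keeping: the issuer must match the domain the RP chose to redirect to, the audience must be this RP, and the asserted e-mail must equal what the user typed. Dropping any one of them lets an account be created for an identity the trusted IDP never actually vouched for at this site.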
Read the whole report.



WillYum # 18. December 2008, 22:27
But no good....
I manage a very small website with 200 current members and over a thousand members who visit off-and-on. I long desperately for the days when I can eliminate the need to login to our website with a username and password.
My main complaint is that this proposal relies too much on the 'magic' and behind the scenes workings that users (including myself) tend to distrust.
Think of it this way. I have a key; it goes to my gmail account. I have keys that go to my aol.com accounts. A key to my yahoo account. A key to my ebay account. A key to My.Opera. A keychain of all my keys... That key isn't just my password but usually my email address and password combination. It's my keychain of access.
Now you want me to use my key from AOL to login to my My.Opera account? I cringe. Understand, I know that's not what is happening but that's what it *looks* like is happening under this proposal.
The report unfairly fails to address advanced users' understanding. I qualify as an Internet expert (some days) and if I don't get a clear picture of what is going on, I inherently distrust it. If I distrust it, I'll tell all of my friends (who rely on me as the Internet expert) not to do it when they ask.
It just simply underestimates users. I think I recall using this system for Amazon.com or something similar and I was Scenario 2 in this report. I was like 'WTF!?' How am I logged in? How do they have my credit card information? How do they have my address?
Now, I realized rather quickly that I had been a victim of information sharing without complete transparency. I was not amused. I use amazon.com once or twice a year; I don't think that is unusual. The transparency *must* be there; in this case, it just freaked me out. Luckily it was a trusted site; if it hadn't been, I would have been changing passwords and calling credit card companies.
This proposal does not meet the transparency requirement and, worse, it propagates the theory that "Internet Magic" is okay. There are far too many phishing and fraudulent websites out there for this to be okay. We need simple models that can be taught and executed.
I applaud the efforts of Google and this team but as a small site webmaster I'd never adopt this proposal because the benefits do not outweigh the complexity in the system.
I think there is a solution out there and perhaps this is an evolution of it, but it is dangerously lacking in transparency and overly complex. Never, ever should I go to a website and be logged in because I happened to also be logged into my email. Any email service that offered this convenience would lose my support. Now, should I be offered the ability to login with just my email address... that I could get behind.
Forgive the ramble. Thanks for the posting Dantesoft but this is bad, bad and more bad. Maybe next year they'll come up with something good. I just hope they don't try to implement this, I'd hate to have to drop my gmail account.
Yum
Stu_Pedasso # 6. January 2009, 18:26
WillYum # 6. January 2009, 19:11
Yum