I’m guessing that, like most usability studies, the study was conducted to gather further evidence to support someone’s claim – in this case, that OpenID in its current form is not suitable for mainstream use.

Firstly, it has the stench of ‘emphasise the technology, not the utility’. Everywhere I have seen OpenID implemented it’s been referred to as ‘OpenID’, as if it is some technological term that only the clued-in geeks know. The benefits are not made obvious.

It’s already pretty unfamiliar to users that they should use a URL to log in rather than a password, but the idea of sharing a login across multiple sites sits very uneasily with them. Why shouldn’t it, if we’ve been teaching users not to share the same password over multiple sites, or let their account on one site fall into the control of others? Technically, if you are a responsible person and you are knowledgeable about security and the web, OpenID is pretty sound, but the average user knows little about security and the web and will be reluctant to engage in something that seems dubious like this.

So what can be done to make OpenID more user-friendly and tempt new users? Well, I think that forcing changes in user behaviour is about a lot more than just putting a word like ‘OpenID’ on a site and hoping users will use it. Users will only change existing behaviour if the benefits to doing so is made so clear that they realise they would be wasting time not to. The key would be in somehow getting this message through in less time than it takes to type in a username, password and email address.

I don’t claim to have the answer, unfortunately.

Just between you and I, however, I am not a fan of OpenID in its current form, and would be uncomfortable to see it pushed to the mainstream. It’s not just the buzzword-over-function approach most implementers seem to take. OpenID makes too many assumptions about users’ security practices. It’s already been mentioned that OpenID is a phisher’s dream, and this is actually a point that cannot be over-emphasised. Introducing such a foreign way of authenticating to new users will leave them confused about what they previously thought they knew – that an account is kept secure with a password and a different password should not be shared between companies. Confusing users about security matters will leave them less secure than before. If a user has bad security practices before using OpenID, then an attacker may easily break into one of their accounts and impersonate them. But if a user has bad security practices with OpenID, an attacker will almost certainly be able to gain access to all accounts the unwitting user signed up to with that ID.

Perhaps I could give a simple illustration. An inexperienced user goes to jimswebsite.com, and sees that jimswebsite.com supports OpenID. “Great, I already have an OpenID account” thinks the user. On the jimswebsite.com page it says “Please enter your OpenID username and password”. What do you think the user is going to do?

If your answer is that the user is being duped by a phishing page into providing access to their account at their OpenID provider, you are probably right. OpenID blurs the traditional boundaries that people thought they should respect in terms of keeping secret details private from other sites, and forces people to re-learn security practices, during which time users may make costly mistakes. The end result is not easy enough to use or as good a benefit to justify such confusion and risk.

http://idcorner.org/2007/08/22/the-problems-with-openid/

I am personally glad that OpenID is not gaining mainstream acceptance.

I’m certainly not discouraged by this result, rather glad that it now becomes far more clear what we need to tackle moving forward!