Yahoo!: Mainstream Has No Idea what OpenID Is

Yahoo! today released the results of the OpenID usability study (PDF). The good news, says Yahoo!, is that after being explained the idea behind OpenID, most participants saw the utility of being able to sign into multiple web sites using a single sign-on and not having to sign up for more than one account.

The bad news, though, is that not one participant — who were “several experienced Yahoo! users (representative of [their] mainstream audience)” — had heard of OpenID. Several didn’t notice the additional option of signing into Yahoo! using OpenID or using their Yahoo! username and password as OpenID credentials elsewhere and didn’t understand what that meant until it was explained to them. Yahoo! has supported OpenID since January of 2008.

Users were also confused by Yahoo!’s implementation, which asks them to choose their OpenID provider when signing then, then auto-populates the login box with that provider’s URL. Users were confused when they weren’t presented with the password box they’re used to.

Despite of seeing the upside of OpenID, some respondents to the Yahoo! survey expressed concern over the security of having one set of login credentials for a multitude of sites. “I’m a little fearful about global stuff. I prefer to have different passwords than one global one. Once someone gets that one password, they have free access to roam,” said one. Others thought that the process of signing up for an OpenID account was so cumbersome, it didn’t sell them on the convenience of the concept.

The key takeaway here is probably that even if OpenID is ready for the mainstream, the mainstream doesn’t seem to be ready for OpenID. It could definitely benefit from being simplified (in terms of both signing up and signing in), but the main thing that needs to happen for average users to begin to adopt OpenID is that it needs to be pitched in a completely different way.

Yahoo! advises that publishers “promote the utility, not the technology. To reach the majority of users who aren’t familiar with OpenID as a technology, promote the ability to log in using an existing account, not ‘OpenID’ itself.” Further, says Yahoo!, there needs to be strong partnerships between OpenID providers and relying parties in order for OpenID to work as a broadly accepted login paradigm. “Users are focused on tasks, not technology; undiscoverable or confusing experiences directly impact the success” of the providers and relying parties, says Yahoo!

The test results were disappointing for Yahoo!, said Yahoo! Membership Architect Allen Tom, but helpful. “Observing these tests was more than a bit frustrating for the Yahoo! OpenID team, and the test subjects may have been distracted by the sounds of the groans and head-pounding coming from the other side of the one-way mirror. Certainly there is a lot of work to be done on the OpenID user experience front,” he wrote in blog post.

OpenID is fundamentally a sound idea, but these test results demonstrate that for most users it is not an ideal solution and has not been explained to them very well at all.

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • David Recordon

    Josh, I’m quite honestly not that surprised by the results of the Yahoo! usability study. I completely agree that the results are quite informative of where we as a community need to focus assuming we want to see mainstream adoption of OpenID. When we look at OpenID along a traditional adoption curve we are still in an early adopter phase as the technology gets worked out, adapts to feedback from implementers, and becomes easier to use and more prevalent.

    I’m certainly not discouraged by this result, rather glad that it now becomes far more clear what we need to tackle moving forward!

  • http://lepixelshoppe.com/scrap4dollars Asuka_Aki

    Wow that clarafies things…I had heard of open id but didn’t understand or see it’s utility so I never gave it a second thought…This is the key phrase for me…”To reach the majority of users who aren’t familiar with OpenID as a technology, promote the ability to log in using an existing account, not ‘OpenID’ itself.”

  • Steve S

    I would be careful about promoting OpenID. It has some serious security issues and is a phisher’s dream come true. A little bit of Google-ing (or even a trip to Wikipedia) will turn up this information.

    http://idcorner.org/2007/08/22/the-problems-with-openid/

    I am personally glad that OpenID is not gaining mainstream acceptance.

  • http://www.sitepoint.com/ mmj

    Please forgive me for saying this, but I could have told them that!

    I’m guessing that, like most usability studies, the study was conducted to gather further evidence to support someone’s claim – in this case, that OpenID in its current form is not suitable for mainstream use.

    Firstly, it has the stench of ‘emphasise the technology, not the utility’. Everywhere I have seen OpenID implemented it’s been referred to as ‘OpenID’, as if it is some technological term that only the clued-in geeks know. The benefits are not made obvious.

    It’s already pretty unfamiliar to users that they should use a URL to log in rather than a password, but the idea of sharing a login across multiple sites sits very uneasily with them. Why shouldn’t it, if we’ve been teaching users not to share the same password over multiple sites, or let their account on one site fall into the control of others? Technically, if you are a responsible person and you are knowledgeable about security and the web, OpenID is pretty sound, but the average user knows little about security and the web and will be reluctant to engage in something that seems dubious like this.

    So what can be done to make OpenID more user-friendly and tempt new users? Well, I think that forcing changes in user behaviour is about a lot more than just putting a word like ‘OpenID’ on a site and hoping users will use it. Users will only change existing behaviour if the benefits to doing so is made so clear that they realise they would be wasting time not to. The key would be in somehow getting this message through in less time than it takes to type in a username, password and email address.

    I don’t claim to have the answer, unfortunately.

    Just between you and I, however, I am not a fan of OpenID in its current form, and would be uncomfortable to see it pushed to the mainstream. It’s not just the buzzword-over-function approach most implementers seem to take. OpenID makes too many assumptions about users’ security practices. It’s already been mentioned that OpenID is a phisher’s dream, and this is actually a point that cannot be over-emphasised. Introducing such a foreign way of authenticating to new users will leave them confused about what they previously thought they knew – that an account is kept secure with a password and a different password should not be shared between companies. Confusing users about security matters will leave them less secure than before. If a user has bad security practices before using OpenID, then an attacker may easily break into one of their accounts and impersonate them. But if a user has bad security practices with OpenID, an attacker will almost certainly be able to gain access to all accounts the unwitting user signed up to with that ID.

    Perhaps I could give a simple illustration. An inexperienced user goes to jimswebsite.com, and sees that jimswebsite.com supports OpenID. “Great, I already have an OpenID account” thinks the user. On the jimswebsite.com page it says “Please enter your OpenID username and password”. What do you think the user is going to do?

    If your answer is that the user is being duped by a phishing page into providing access to their account at their OpenID provider, you are probably right. OpenID blurs the traditional boundaries that people thought they should respect in terms of keeping secret details private from other sites, and forces people to re-learn security practices, during which time users may make costly mistakes. The end result is not easy enough to use or as good a benefit to justify such confusion and risk.