Idea: "Preemptive OpenID Authentication"

It is amazing how OpenID is really picking up steam. Just in the last 30 days Microsoft, AOL, and Digg have announced or deployed support for OpenID, a simple delegated authentication protocol invented by Six Apart.

But my first reaction when AOL announced support for OpenID was,

Awesome, that's 63 million users... that don't understand OpenID!

I was being cynical of course, because in reality making OpenID ubiquitous is a major milestone in making it accessible to the market.

But adoption by service providers does not necessarily translate to adoption by consumers. I am constantly looking for ways to make OpenID easier to grok by, for example, my mother. If she can use it without me having to explain anything to her, then we seriously have gotten somewhere.

One idea was using email addresses as a mechanism for looking up an OpenID. I like the idea, but it is not without some problems.

But what if I am going about OpenID the wrong way? Let's look at this from a user's perspective. What experience can I offer my Mom such that she could go through OpenID simply and without explanation? In my mind, here is the ideal experience for her:

  1. My mom visits http://www.majordojo.com to comment on my latest post to say how funny it is.
  2. She sees a prompt: "Login to Vox to comment on majordojo" (where she already has an account - because that is where I post private photos to my family and friends)
  3. She clicks the link and is taken to Vox.
  4. Vox prompts her to enter her login (her email) and her password.
  5. Vox validates the information she entered and redirects her back to majordojo.
  6. My mom, now having authenticated, leaves a comment on majordojo.

fin.

So is this experience possible? I think so. Here is how this would work on the back-end:

  1. The OpenID client is instructed to authenticate "preemptively" at a URL.
  2. The client redirects the user to that URL/OpenID Server.
  3. The user authenticates at the OpenID Server.
  4. The server returns to the OpenID client the authenticated user's OpenID URL.
  5. At this point the regular OpenID protocol takes over.
  6. The OpenID client is redirected to the designated OpenID URL.
  7. The OpenID client looks up the OpenID Server and redirects the user to that URL.
  8. Because the user is already logged in to that URL (they logged in at step #3 above), the OpenID Server simply returns the user to the originating URL where all of this began.
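As an added illustration (not code from the post, and not Six Apart's or Vox's implementation), the following Python models steps 1-8 in-process: the preemptive hint from step 4 is treated by the client as untrusted, and the identity is only accepted once the regular OpenID check in steps 7-8 returns a fresh, signed assertion. The hostnames, the account, and the HMAC standing in for an OpenID association are constructed assumptions.

```python
import hmac, hashlib, secrets

ASSOC_SECRET = b"constructed-association-secret"  # stands in for an RP/OP OpenID association

class OpenIDServer:
    def __init__(self, base_url, accounts):         # Vox-like provider; base_url is constructed
        self.base_url, self.accounts, self.sessions = base_url, accounts, {}
    def login(self, email, password):               # step 3: user signs in with email + password
        if self.accounts.get(email) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = f"{self.base_url}/{email.split('@')[0]}"
        return sid
    def preemptive_hint(self, sid):                 # step 4: tell the client the session's OpenID URL
        return self.sessions.get(sid)               # a hint only; the client must not treat it as proof
    def checkid(self, sid, claimed_id, return_to, nonce):  # steps 7/8: the regular OpenID check
        if self.sessions.get(sid) != claimed_id:           # session is not logged in as that identity
            return {"mode": "cancel"}
        msg = f"{claimed_id}|{return_to}|{nonce}".encode()  # already logged in: no second prompt, just sign
        return {"mode": "id_res", "identity": claimed_id, "return_to": return_to, "nonce": nonce,
                "sig": hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()}

class OpenIDClient:
    def __init__(self, site_url, servers):          # relying party, e.g. the blog in the post
        self.site_url, self.servers, self.pending, self.last_resp = site_url, servers, set(), None
    def discover(self, claimed_id):                 # step 7: which server is authoritative for this URL?
        return next((s for b, s in self.servers.items() if claimed_id.startswith(b + "/")), None)
    def preemptive_login(self, server, sid):        # steps 1-8 for one browser session at the server
        claimed_id = server.preemptive_hint(sid)
        if claimed_id is None or self.discover(claimed_id) is not server:
            return None
        nonce = secrets.token_hex(8)                # fresh per attempt, consumed once in verify()
        self.pending.add(nonce)
        self.last_resp = server.checkid(sid, claimed_id, self.site_url + "/comment", nonce)
        return self.verify(self.last_resp)
    def verify(self, resp):                         # step 8: accept only a fresh, correctly signed assertion
        if resp.get("mode") != "id_res" or resp["nonce"] not in self.pending:
            return None
        self.pending.discard(resp["nonce"])         # one-time nonce blocks replay of a captured assertion
        msg = f"{resp['identity']}|{resp['return_to']}|{resp['nonce']}".encode()
        ok = hmac.compare_digest(resp["sig"], hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest())
        return resp["identity"] if ok and resp["return_to"].startswith(self.site_url + "/") else None

def demo():
    vox = OpenIDServer("https://vox.example", {"mom@example.com": "correct-horse"})  # constructed account
    blog = OpenIDClient("http://www.majordojo.com", {"https://vox.example": vox})
    sid = vox.login("mom@example.com", "correct-horse")
    return {"happy": blog.preemptive_login(vox, sid),           # -> "https://vox.example/mom"
            "forged_hint": vox.checkid(sid, "https://vox.example/eve", blog.site_url + "/comment", "n")["mode"],
            "replay": blog.verify(blog.last_resp)}              # same assertion again -> None
```

The `forged_hint` case shows why step 4 is only a shortcut: a claimed URL the session is not actually logged in as is refused by the server in step 8, and the client never accepts an identity the hint alone asserted.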

Granted, this flow is optimal for hosted service providers like Vox, TypeKey, LiveJournal, Digg and AOL, because the URL to which the user authenticates is fixed. Movable Type blogs, for example, all live at different URLs, so this experience could not be replicated as easily, but it is possible in a slightly modified form.

In summary, it would be easy for us to proclaim victory with OpenID, but that would be premature. Until we can make OpenID an idea even laggards understand, OpenID will remain a protocol for the technical elite, and adoption by all the services in the world won't make a difference.


3 Comments

I don't think you need to invent another protocol for this to work. It is quite sufficient if the service in question allows you to log in immediately if you aren't already. TypeKey does this, LiveJournal doesn't.

I think you are missing the objective or problem that is being solved. The vast majority of people don't know what their OpenID is, or what it even looks like. Requiring them to enter their OpenID then presents a huge problem, because they don't know what to do.

Many technically minded folks say to this, "well educate them damn it!" But the reality is that this is far more difficult than that. People don't want to have to think when they are browsing and commenting.

So this model helps fit into a pre-existing mental model and removes the requirement for them to know what an OpenID is. OpenID is a great protocol, but it really is a less ideal user experience.

And that is what I am trying to address.

There are ways to improve OpenID usability that you can exercise on your own without having to change the protocol. I'm not sure if it is enough, but it is a start. And I like to start at a point where I can start, rather than telling others to do something. See my URL for an example of how it could be done. (At the time of writing, unfortunately our application server is unreachable so you cannot actually try it live, but I think you'll get the idea how it works.)
