Yahoo usability tests bode ill for OpenID takeup

By Angela Gunn, BetaNews

October 15, 2008, 5:10 PM

The OpenID digital identity management standard's long and winding road to general usage hit a pothole in recent tests by Yahoo, one of the program's most prominent identity service providers.

Started in 2005, the service has reported several gains in adoption over the past few months. Most notably, MySpace announced in July that it would be providing OpenID services -- a tremendous increase in potential users of the single-sign-in system.

OpenID lets users winnow the usernames and passwords they must remember down to one. The user chooses an identity provider he or she trusts -- leading providers currently include Yahoo, Google, AOL, and LiveJournal -- and registers, receiving a URL-style identifier (e.g., angela.openid.justmakingthisup.com) in return. When the user later reaches a site that requires a login, she or he gives that identifier instead of a username and password. The site (the relying party, in OpenID terms) works out the identity provider from the identifier, sends the user there to authenticate, and receives back a signed assertion that it checks to ascertain who the user is.
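The last step of that flow is where the relying party's security lives: the identity provider sends the user back with an assertion, and the site must verify it rather than take it on faith. The following is an added example written for this article; it is not code from Yahoo, the OpenID Foundation or any OpenID library. It checks an OpenID 2.0 positive assertion the way a careful relying party would: the return_to URL must be the site's own, the provider endpoint must be served over TLS (the specification does not require this, a point the Computing article quoted in the comments below makes), the required fields must be covered by the signature, the response nonce must be fresh and unused, and the HMAC must verify under the key shared during association. The shared key, endpoint URLs, identifiers and nonce are constructed sample values.

```python
# Added example, not code from the article, Yahoo, or any OpenID library.
# Relying-party verification of an OpenID 2.0 positive assertion
# (openid.mode=id_res). All URLs, keys and nonces below are constructed.
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import urlparse

NS = "http://specs.openid.net/auth/2.0"
# Fields the spec says a positive assertion must sign.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity")

def key_value_form(params, signed):
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' each,
    keys without the 'openid.' prefix, in the order given by openid.signed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def compute_sig(params, mac_key):
    """Base64 HMAC-SHA256 over the signed fields (HMAC-SHA256 association)."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, key_value_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def nonce_time(nonce):
    """Epoch seconds of the RFC 3339 UTC timestamp that starts a response_nonce."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

class RelyingParty:
    def __init__(self, return_to, mac_key, max_skew=300):
        self.return_to = return_to    # URL the provider must send the user back to
        self.mac_key = mac_key        # shared key from the association step
        self.max_skew = max_skew      # seconds a nonce may differ from our clock
        self.seen_nonces = set()      # replay protection

    def verify(self, params, now=None):
        """Return (ok, claimed_id) on success or (False, reason) on any failure."""
        now = time.time() if now is None else now
        if params.get("openid.ns") != NS or params.get("openid.mode") != "id_res":
            return False, "not an OpenID 2.0 positive assertion"
        # An assertion minted for another site must not log anyone in here.
        if params.get("openid.return_to") != self.return_to:
            return False, "return_to does not match this site"
        # The spec allows plain-HTTP endpoints; this relying party refuses them.
        if urlparse(params.get("openid.op_endpoint", "")).scheme != "https":
            return False, "OP endpoint is not served over TLS"
        signed = params.get("openid.signed", "").split(",")
        missing = [f for f in MUST_SIGN if f not in signed]
        if missing:
            return False, "unsigned fields: " + ",".join(missing)
        nonce = params.get("openid.response_nonce", "")
        try:
            issued = nonce_time(nonce)
        except ValueError:
            return False, "malformed response_nonce"
        if abs(now - issued) > self.max_skew:
            return False, "response_nonce outside allowed time window"
        if nonce in self.seen_nonces:
            return False, "response_nonce already used (replay)"
        # Signature check last, in constant time.
        expected = compute_sig(params, self.mac_key).encode()
        if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
            return False, "bad signature"
        self.seen_nonces.add(nonce)
        return True, params["openid.claimed_id"]

def sample_assertion(mac_key, nonce="2008-10-15T17:10:00Zabc123"):
    """Constructed positive assertion, signed the way a provider would sign it."""
    p = {
        "openid.ns": NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",       # hypothetical
        "openid.claimed_id": "https://angela.op.example.net/",        # hypothetical
        "openid.identity": "https://angela.op.example.net/",
        "openid.return_to": "https://rp.example.org/openid/return",   # hypothetical
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-0001",                          # hypothetical
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    p["openid.sig"] = compute_sig(p, mac_key)
    return p

if __name__ == "__main__":
    key = b"\x00" * 32   # constructed; a real key comes from the association
    rp = RelyingParty("https://rp.example.org/openid/return", key)
    p = sample_assertion(key)
    print(rp.verify(p, now=nonce_time(p["openid.response_nonce"])))
```

Each rejection reason is distinct so that a log line says which check failed; a relying party that skipped the return_to or nonce checks would still see a valid HMAC on an assertion replayed or minted for another site, which is exactly the single-point-of-failure worry raised in the comments.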

That's great in theory, but according to the results of usability testing Yahoo did with a group of mainstream users over the summer, there's a lot of work to do before users recognize that the OpenID system even exists, much less how it works or why it might be helpful.

A post by Yahoo membership architect Allen Tom captures a bit of the fun. Users who completed the tests and were told about OpenID thought it sounded like a swell idea. Unfortunately, every single user had to be told what it was -- none knew of the service, none had noticed the new sign-in box next to the usual login form, and even when they were made aware of the service, most of them got confused either trying to use it or trying to sign up.

User comments during testing, which are sprinkled through the 25-page report (PDF available here), indicate there were some fairly cranky people in the evaluation room. The feeling was mutual according to Tom's blog: "Observing these tests was more than a bit frustrating for the Yahoo OpenID team, and the test subjects may have been distracted by the sounds of the groans and head-pounding coming from the other side of the one-way mirror. Certainly there is a lot of work to be done on the OpenID UX (user experience) front."

By billweh

posted Oct 16, 2008 - 8:32 AM

I don't mind having Passport for access to everything on MS's site, but the idea of a single sign-on to everything I do online worries me.

If that ID is compromised (and it's not a matter of if, but when) - then EVERYTHING I have access to (and let me guess - they don't track what locations you tried to sign in to ) is now vulnerable.

I love Roboform, I use it exclusively to keep track of all my accounts and passwords. It even generates them for me so that I can use a more secure password.

Then I only need to worry about my machine being compromised, which is something we all need to worry about.

I'm sorry - I'm not trusting this or any other "all-in-one" solution - there's too much at stake and once it becomes popular, tell me it won't become the target of every hacker/thief out there to get the info.

Heck - there will be people lining up to pay employees of these ID sites to get the information. Who's going to notice someone walking out with a thumb drive full of IDs?

NOPE - not for me.

Score: 0

By drorharari

posted Oct 16, 2008 - 3:28 PM

Bill, your comment indicates that you do not understand OpenID. With OpenID you can pick your identity provider, and the authentication mechanism might be anything you can think of, from a regular username/password to those fancy ID dongles or even one-time-password pads.

This is a very promising technology that will take time to evolve.

I highly recommend listening to podcast #95 of SecurityNow for a good explanation or see the link in the show notes of that podcast at http://www.grc.com/sn/notes-095.htm

Score: 0

By billweh

posted Oct 16, 2008 - 8:57 PM

Nope - I understood it and if their site is compromised and the information that you use to identify yourself is captured, how hard would it be for someone to make a device that "pretended" to be you?

Do you really think that the majority of people using OpenID have three biometric devices attached to their computer and a random number generator that changes every 15 seconds?

Sure - that's the extreme, most people are going to do what most everyone does - create a single password (probably something like password or Pa$$W0rd - because that's secure ).

And following your link and looking through the info there, I found the last link had this to say:

"Unfortunately, there are several problems with OpenID. One is its vulnerability to phishing. A user trying to log on to a site that claimed to support OpenID might be typing username and password details into a forged page. Another weakness is that OpenID depends on the URL identifier routing to the correct machine on the internet. This, in turn, depends on DNS, the system by which names are mapped to internet addresses, which is known to have security weaknesses.

The OpenID specification does not even insist on Transport Layer Security (TLS) for every web site that participates in the authentication process. It allows properly secured authentication, but does not insist on it, which is a missed opportunity. The snag with any single sign-on scheme is that if the credentials are stolen, the thief gets access to many accounts, not just one.

It is easier to fix security issues with OpenID than to fix millions of individual web sites with weak authentication. But OpenID is not a cure-all. Currently, it is suitable for commenting on blogs or registering for trial software, but not for e-commerce or online banking. I would like to see sites that accept OpenID insist that it is used in a secure manner. The work being done to integrate with CardSpace will solve the phishing vulnerability. If that is combined with TLS, OpenID is real progress towards a secure internet. Otherwise, it may be a disaster."

http://www.computing.co....84695/openid-open-abuse

Score: 0

By darkfire79

posted Oct 15, 2008 - 6:42 PM

Didn't Microsoft try this? I mean, it wasn't "open", but Passport was sort of the same idea. It was everywhere for a short period of time, but now it's on maybe one website I use. I think it had security issues or something.

Score: 0

By poundsmack

posted Oct 15, 2008 - 5:31 PM

Well, this can be explained in a few short sentences.

1) Your average user is stupid. Not in general, but more computer stupid.

2) A user will do what they are used to. They will only change if they are forced to, and often do things the hard way because that's what they have been doing from day one. Take away their usual login option and the more diligent users will figure out the new system due to not having an option.

3) OpenID has had no true advertising focused at your average user. Most of the "sign up for an OpenID" boxes have been tucked away, and usually only the most observant IT person or "advanced user" will even notice it. Normal users have tunnel vision, only seeing stuff on the site that they are used to seeing; unless it is terribly obvious, they won't notice a change.

4) See items 1-3.

Score: 0