OpenID: fail.

[ Do you know what – I’m a bit nervous about this blog post. The reason I’m nervous is that I’m writing about something I really don’t understand too well. I’ve tried – I really, really have – I’ve watched videos and slideshows, looked at diagrams, read explanations. But I still don’t really understand how OpenID works. And for a long while that put me off writing this. I know that OpenID has a lot of people gunning for it. And I know that support is gaining, at least in numbers of service providers. But in the end, it comes down – as always – to the user – and the experience I have had has been as that user. And I simply can’t, won’t – and don’t use OpenID. Because it’s rotten, and broken, and failing. So I went ahead and wrote this anyway. I’m sure you’ll let me know what you think 😉 ]

The geek world has been getting excited for a fair while about OpenID. You’re probably all familiar with it and I’ll leave it up to Wikipedia to describe the service in detail, but in short the notion is that managing multiple identities online is increasingly problematic, and that some kind of way of managing these identities in one trusted, decentralised place is what is needed to make life better.

OpenID is based around the use of a URI as the unique identifier for an individual, not an email address, as is so common today with most sites.
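To make the “URI as identifier” point concrete, here is an added example (not code from the original post) of the normalisation step an OpenID 2.0 relying party applies to whatever the user types before it can even start discovery, following section 7.2 of the spec. It assumes a Python relying party and, as a simplification, drops any userinfo (user:pass@) from the URL.

```python
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols: an identifier starting with one is an XRI, not a URL.
XRI_GCS = "=@+$!("
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid_identifier(user_input: str) -> tuple[str, str]:
    """Turn user-typed text into a normalised OpenID 2.0 identifier.

    Returns ("xri", value) or ("url", value); raises ValueError when the
    input cannot become a usable identifier.
    """
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]          # spec: strip the xri:// prefix
    if not s:
        raise ValueError("empty identifier")
    if s[0] in XRI_GCS:
        return ("xri", s)

    # Users type "example.com" or "me.example.org/jo"; the spec says assume http.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    try:
        port = parts.port               # non-numeric port -> ValueError
    except ValueError as exc:
        raise ValueError(f"unusable identifier: {user_input!r}") from exc
    host = parts.hostname               # already lower-cased; userinfo dropped
    if not host:
        raise ValueError(f"unusable identifier: {user_input!r}")
    scheme = parts.scheme.lower()
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # RFC 3986 normalisation: empty path becomes "/", fragment is removed.
    path = parts.path or "/"
    return ("url", urlunsplit((scheme, netloc, path, parts.query, "")))


if __name__ == "__main__":
    # Constructed sample inputs, showing what different user habits turn into.
    for typed in ("example.com", "xri://=example", "HTTPS://Example.COM:443/jo#profile"):
        print(f"{typed!r:45} -> {normalize_openid_identifier(typed)}")
```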

All well and good, you’d have thought. The only thing is there’s an enormous, hulking great elephant in the room: OpenID doesn’t work.

I should clarify. In a technical sense, OpenID works. But from a usability perspective, it’s absolutely horrible.

Let’s examine the user flow for someone signing up to a.n.other site using the “traditional” method: they arrive, they click “register”. They put in their details, including email address. They go to their email account and click on the “validate” link. Done. The purists all shift uncomfortably in their seats – the user’s identity has been propagated to yet another site (eek, duplication) and there is also a reliance on the email provider (eek, single point of failure / “evil” company fear, etc).

Now let’s have a look with OpenID. And let’s consider it in the best-case scenario – the user has not only already created an OpenID but knows the address AND is signed in (i.e. has a currently active session/cookie) to that provider’s service.

So, the user arrives at the site and is asked for their OpenID. They put in the address and push go. The site then redirects them to their OpenID provider. The user clicks to allow access to data, and selects a persona. The provider site then redirects back to the original site. The original site then (inevitably, in my experience) asks the user to fill in additional “persona” data for their service as well as what they already entered. The user enters the site.

That’s at least a couple more steps, and remember that’s if they’re signed in or even have an OpenID account. If they’re not signed in (but have an account) then they still have to sign in on the OpenID provider’s site. Using a username and password… If they don’t have an OpenID, just add at least 3 more steps. If they forget their OpenID then the process to get it back has to be done on the provider site and not on the site they’re wanting to access.

There are several things that are really badly wrong with the OpenID / user landscape. Here’s how I see them:

1. Users don’t understand the use of a URI as identifier
This is about education, but it’s an important point. People see URIs as “web addresses”, not as personal identifiers. They don’t get it, and aren’t being encouraged to get it, either.

2. Users don’t like redirects
Actually, users don’t care about redirects – what they do care about is maintenance of trust and brand. A user mid-basket on Amazon is not going to be happy about a jump away to another site unless they’re very clear that there is brand association between the sites.

3. Users won’t remember OpenIDs
Not only are OpenIDs longer and more complex, they’re also a dog to get back once forgotten. With email/pwd, you just click the “forgotten pwd” link. Email, click, done. With OpenID you have to go back to your provider site and do it from there, not on the site you’re trying to access.

4. There is no paradigm
Apart from password remembering within the browser, there isn’t a “central persona management” paradigm. This doesn’t mean there shouldn’t be one, but it makes the job of invisible tech that much harder.

I’ve left what I see as the single biggest issue until last:

5. There isn’t a problem that needs solving
As I’ve indicated before, we (tech savvy geek types) are not the normality. I may have a sign-up obsession and belong to hundreds of sites, but normal people just don’t. By some gentle “finger in the air” reckoning, I’d suggest that most people have – what – ten sites they sign in to? That’s hardly shouting out for a distributed, decentralised, persona-based solution, is it? What’s actually wrong with a “remind me of my password” link, anyway? And using email as identity is secure enough for pretty much any application. We geeks are making assumptions based on our experiences of the web. It’s us, not Joe Normal who has 400 passwords in our heads, surely?

So on the one hand we’ve got an elegant, beautiful, technically “good” solution that is almost completely unusable. On the other is something ugly and flawed – but something that works well for most people: something that isn’t actually broken, and – frankly – doesn’t need fixing.

OpenID feels like it could and should be better, but the current scenario whereby hundreds and thousands of sites are becoming providers (AOL, Orange, Yahoo!, etc) and very little effort is being put into fixing the flawed user flow – or user education for that matter – is just a road to nowhere. Some sites (LiquidID, ClickPass, Vidoop as examples) are just starting in the usability direction, but it’s nowhere near enough. And right now, I – like most people I know – am just fine sticking with the original email/pwd alternative.

2008 (a little late…)

If you write a blog, I’m discovering that you pretty much have to do a January post with either a review of the previous year or a punt at what the future holds. I’ll leave the review bit to others, but here’s my personal mind-dump for the big things of 2008…

Facebook, Schmasebook

I reckon Facebook as it is now is going to fall way off the public radar during 2008. The disclaimer “as it is now” is my get-out clause – if Facebook find a way of changing the rules around applications, finally expose their Social Graph data to the world or make some serious amends to browse and search then they may have a hope. But right now, here’s a typical Facebook experience:

“Hey, I’ve been invited to this Facebook thing. Now let me see. Wow, Bob is there. And Jon. And Jane. I’ll invite them all to be my friends. Cool. Look, Bob got married. He looks old! I can’t believe he has kids. Look – Jane went to the shops. Now… um… Right, might post some pictures. Nice. Someone added a comment. Cool. Now I’m going to look for my mate Jon… Damn, there are 4 million Jons. Never mind… Er… Who the hell is this inviting me to be a friend? I never heard of her… Wait, WTF is a FunWall? Why have I got 35 invites? I don’t need this noise. Life is too busy. For now I might just add Facebook emails to my spam filter… Oh crap, all my friends have joined AnotherDamnSocialNetwork.com. What, you mean I have to re-input all my data? Sod that, I’m off”

Facebook has also reminded us of something else: we lose touch with some people for a very good reason. 🙂

Some say Twitter is the new Facebook. And although I don’t actually do it much (yeah, ‘course I got an account…) I’d say that the single best thing about Facebook is the updates feature, which is basically…Twitter.

It’ll be interesting to see whether the geek adoption of Twitter goes mainstream in ’08.

Signal / Noise

Dunbar wrote about the 150 being the maximum number of individuals that any one person can keep in touch with at any one time. I don’t know of any measures for information input but as RSS continues to spread, so I reckon we’ll hear more about what we should do about the sheer quantity of incoming material. Certainly I’m seeing a lot of buzz (not all just about it being January and everyone having a good spring clean..) and the beginnings of some products (AideRSS, SocialStream, etc etc) which help us cut down on the inputs. We all took to RSS because it lets us do more with less: I’ve just cut down my feed list massively and I’m still trawling through 400+ articles a day. Something is gonna break :-). While you’re at it, check out this great post which Mr Pope sent over to me. Similar kind of sentiment about keeping up with tech – or not, more to the point…

More “Everyware”

The iPhone will obviously be seen as the beginning of the mobile web, although of course the reality is that many of us have been “browsing” online since that WAP thing back in the 90s. User adoption as always drives public perception which drives investment which drives adoption…

The iPhone does two major things in one blast:

1. The “usually crap” experience you have during mobile web surfage is buried under full-page zoomable browsing, easy(ish) typing and widgets, all of which manage to surface the web but without the chuff you usually get around mobile browsing. In short, the iPhone is primarily a sexy and really usable interface. For many people – especially the queues of teens you see hanging around O2 shops where they have the iPhone/iPodTouch available to fiddle with – this is enough.

2. Apple have done a very cunning deal in the UK with The Cloud whereby all iPhone users get access to any hotspot as part of their contract. In one swoop, you’ve got on-the-go internet access at a huge range of hotspots with no hassle.

Two continuing and evolving approaches: RSS and OpenID

We tech types might all be 100% familiar with the format and ease of use of RSS. Continuing support from browsers (IE friendly feed view, etc) means that it’s going to keep hitting the mainstream over the coming months. I’m also willing to bet, however, that new tech will appear around OPML and feed analysis. I’m also pretty sure that we will see more of RSS as a portable data format (for instance, getting search results like these from Technorati) – not “just some news headlines” but a further extension of RSS, and a great example of how to extend a simple format to do interesting things.

OpenID is another approach which has been around a looong time but is finally seeing some serious heavy hitters in the form of Google, IBM and Flickr joining the party. I’m also noticing many more sites supporting OpenID – maybe some museums during 2008…?

And finally to the biggest keyword of them all for 2008: APML..

Attention, please

The notion of “Attention Data” is already chugging around tech circles pretty hard, and has been for a couple of years. The underlying question about the openness of the Social Graph is integral to this, and has to a certain extent driven AD back into the limelight. Fundamentally, we’re all giving any site we visit something incredibly valuable: our attention. Anything you do online carries with it an implication about what you like and who you are – this is understandably very powerful information, both for developers and advertisers. Attention Profile Markup Language (APML) is an XML-based standard for attempting to capture this activity, and I reckon it’s going to be big in the next months and years – not just capturing it but also doing useful and interesting stuff with it as well…

And that, as they say, is it for now…Let’s see where it all goes…

Social graph, attention data, openid and stuff like that

I’m at a one-day conference on OpenID and education, organised by Eduserv. I’m live blogging over on our new Eduserv PSG blog, and that’s hard enough to do in one place, let alone two, so I have no intention of doing the same here 🙂

Just a quickie: during coffee break I had an interesting chat with Paul Walk who is a big advocate of OpenID – and has been using it for some time. We started a conversation about the notions of identity, attention data, the social graph, single sign-on, etc. It strikes me that the community is fairly bad at defining how these differ and where they cross-over.

I’m a bit of a novice when it comes to OpenID, but in some ways (he blags) that puts me in a good position: I’m a naive consumer of the service rather than a geeked out pro.

As I had understood it, OpenID seemed to me to be always sold as a single sign-on technology, much like Microsoft Passport (sorry, Microsoft “Live ID”…). The question I have is how far it goes beyond “just a sign-in” technology and moves into being an identity holder. Paul tells me that is exactly what it is, and that’s a relief – not least of all because identity is much more interesting than sign-on.

The second question I have is about where the line is drawn around identity. Is the fact that I’m married, for instance (a relationship on my “Social Graph”) a question of identity? Would this information be stored in my identity profile? Would the name (or name of “node”) of my wife? Looking at it from one angle, I could argue that yes – this is very obviously identity information. From another, it isn’t.

Thirdly, where does attention data sit in this scenario? Over on AttentionTrust, they have a diagram which says “how we browse, what we say, what we read = me” which very much implies that Attention Data = identity. Paul (and others I got talking to) seemed to think otherwise. I’m not entirely sure why, but hopefully we can get some more talking in later on.

I’ve always had a soft spot for approaches such as FOAF, and that’s the final question: how do you map these relationships, and where do they “live” in the OpenID world? Where does OpenSocial sit?

Help.