I've got a membership site using the default ASP.NET membership setup. The user accounts are free, with the capability of paying to activate other key parts of the site.

In keeping with the nature of the site, i.e. embedded Google maps, Street View, and using Google's CDN to host jQuery/jQueryUI for me... it'd be nice to offload the authentication as well.

Also, it's in beta... meaning I can wipe the slate clean if needed. I have no paying customers yet. If I stick with what I have, it would be much more difficult to change later.

Here's one point that worries me. While the primary users are Americans (U.S. service members), the primary customer is Japanese. Would implementing OpenID be problematic in this situation? Has anyone tried using an OpenID-only authentication system on their membership site for Japanese users?

A few more questions:

  • What happens when the visitor doesn't have any OpenID-based accounts to sign on with?

  • Should I use a service like RPX or roll my own?

  • What are the common pitfalls when using an OpenID-only auth system?

+6  A: 

As numerously pointed out, the whole OpenID idea is too difficult to grasp for non-techie users. You've come to the site X, you then are suggested to choose between sites Y1, Y2,..., Yn, go there, register there, then return to the site X and login here by being temporarily redirected to the site Y again.... brain fart is guaranteed.

Most common suggestions are to support both authentication methods, classic for normal users and OpenID for those who are into the idea. Even there, depending on the nature of your site, you might require some minimum of registration information, so you have to display the same registration form just after initial OpenID sign-in before allowing users to continue to the site, which rather makes the whole OpenID idea pointless.

For some sites like SO, where no information about a user is required, this could work. On some others like social sites, where you have to specify at least gender and age, this will be more difficult.

As for the Japanese users, I believe there's no difference. It will be equally easy or complicated for all nationalities.

ADDITION: I can communicate my personal experience with the first encounter of OpenID here at SO. I have to shamefully admit it took me more than one day to get into SO. First, I read SO comments on what it is and how it works. Then I followed the Google link but only got some error message. I didn't know how to use it so I tried to replace the "login" part of the link with my login name but was only getting weird error messages about not configured endpoints or something. I had no idea what they meant and how to proceed so I dropped it. A few days later I returned, tried again, it still didn't work, so I dropped it again. Then a few more days later I returned again and now it somehow worked. Maybe it was a temporary outage on Google's side. Who knows. But I only returned because I had a sufficient level of curiosity and motivation to get onto SO, which is rather unique. If your business is unique as well then the users will eventually be getting it. But if there are many competitors who are just as good as you are, there is a good chance your potential users will be going there and never returning back to solve the OpenID mystery.

User
I wish I could up arrow this answer more than once.
spotcatbug
Thank you for confirming my suspicions... the idea is rockin' but I just don't "feel" it's right in many situations.
Chad
@spotcatbug - wish I could too... at least I can mark it as the answer. ;D
Chad
@Mastermind - Thank you for taking the time to tell your story. The feedback is amazing, and I truly appreciate it. In my case, my business is totally unique, but I still don't think it would be enough for people to keep attempting to get registered. My paying customers will be Japanese business owners - most likely with little time to mess around with such tasks that should be simple.
Chad
OpenID isn't hard for users, IMO. It's how it's presented on most RP sites. It *can* be done right.
Andrew Arnott
A: 

OpenID is actually more popular outside the U.S. than in it, for some regions, it seems. So I wouldn't worry about the Japanese market in particular.

OpenID is only confusing to people if you present it poorly. People have been logging into web sites by clicking on "Login with Yahoo ID!" for years and people haven't found that difficult. That exact flow works in OpenID too. It gets confusing if you present too many buttons, or only an empty input box and expect the user to know what to do.

Don't roll your own OpenID. It's a mammoth task. RPX is one option that you already know about, and has the advantage of a very easy user interface for novice users. Another one since you're using ASP.NET is DotNetOpenAuth, which allows you to host it without the external dependency of relying on RPX.

Andrew Arnott