tags:

views:

989

answers:

13
+17  Q: 

To OpenID or not to OpenID? Is it worth it?

Does OpenID improve the user experience?

Edit

Not to detract from the other comments, but I got one really good reply below that outlined 3 advantages of OpenID in a rational bottom line kind of way. I've also heard some whisperings in other comments that you can get access to some details on the user through OpenID (name? email? what?) and that using that it might even be able to simplify the registration process by not needing to gather as much information.

Things that definitely need to be gathered in a checkout process:

  • Full name
  • Email

(I'm pretty sure I'll have to ask for these myself)

  • Billing address
  • Shipping address
  • Credit card info

There may be a few other things that are interesting from a marketing point of view, but I wouldn't ask the user to manually enter anything not absolutely required during the checkout process. So what's possible in this regard?

/Edit

(You may have noticed stackoverflow uses OpenID)

It seems to me it is easier and faster for the user to simply enter a username and password in a signup form they have to go through anyway. I mean you don't avoid entering a username and password either with OpenID. But you avoid the confusion of choosing a OpenID provider, and the trip out to and back from and external site.

With Microsoft making Live ID an OpenID provider (More Info), bringing on several hundred million additional accounts to those provided by Google, Yahoo, and others, this question is more important than ever.

I have to require new customers to sign up during the checkout process, and it is absolutely critical that the experience be as easy and smooth as possible, every little bit harder it becomes translates into lost sales. No geek factor outweighs cold hard cash at the end of the day :)

OpenID seems like a nice idea, but the implementation is of questionable value. What are the advantages of OpenID and is it really worth it in my scenario described above?

+9  A: 

It seems to me it is easier and faster for the user to simply enter a username and password in a signup form they have to go through anyway.

I think, on the contrary, that often it's easier and less of a hassle if the user can login with his existing OpenID, instead of creating separate credentials for every site. (Isn't that the main point about it.)

Jonik  2009-08-22 20:40:05
I frequently use the same credentials everywhere (if the username was available at Microsoft or Google, odds are it is everywhere else I go too.) And I can do that without ever leaving the sign-up page. So if that's the main point of OpenID, then it doesn't have much point at all does it?
Eloff  2009-08-22 20:53:05
I think he was referring to the case where the user has no existing OpenID (and must sign up either way)
Cameron  2009-08-22 21:49:03
@Eloff, I've done that too, and one additional point is related to exactly that: Using the same credentials (name *and* password) all over the place is a security risk. If some poorly administered forum gets cracked, an attacker might gain your credentials for many sites. (I don't know if you meant using the same password too, but in general people certainly do that a *lot* — for the simple reason that having to come up with new passwords for every damn site that requires registration is too much of a hassle!)
Jonik  2009-08-22 23:04:50
@Cameron, who these days doesn't at least have either a yahoo or google account? Those two right there make up at least 90% of the internet.
nbv4  2009-08-22 23:50:58
@Jonik: But the same could be said about your email password on a non-OpenID website. If someone gets your email password, they can use the "I forgot my password" links on websites that you visit and reset your password. So OpenID by itself does not pose any new security risk.
musicfreak  2009-08-23 01:23:18
@Jonik I'm sure 90% of people just reuse the same username/password everywhere. In fact they probably often give their email along with their email password everywhere. Yes, security nightmare. But from a business point of view, it's a pretty smooth signup experience...
Eloff  2009-08-23 03:16:08
@Eloff, security nightmare but smooth, agreed. Now, then, doesn't all this make a pretty good additional case for OpenID? :) (To be honest, I'm not familiar with its implementation details, but I assume OpenID is much less of a risk than reusing same non-OpenID credentials everywhere.)
Jonik  2009-08-23 17:01:34
@musicfreak, I think you misunderstood my comment; I wasn't claiming OpenID poses new risks, on the contrary, I tried to argue in favour of OpenID based on security concerns.
Jonik  2009-08-23 17:02:06
+2  A: 

It's great not having to make too many user accounts all around. All those passwords.... then again, I far prefer a solution like 1Password for the Mac. OpenID is better for sites I'll return to than a separate username, though

niklassaers  2009-08-22 20:40:09
+4  A: 

Well the promise of OpenID is a single sign on for multiple websites. The issue is that it's still pretty obscure from a mass-market perspective. I personally would not implement it in a broad customer-facing application just yet.

MattC  2009-08-22 20:41:11
Well, in my opinion you should implement it as much as you can. It won't become mainstream if everyone is afraid to use it in their app because it's not mainstream.
Robert Rouse  2009-08-22 20:43:50
Somebody has to, and broad customer-facing companies need to be the ones who lead the way!
Dan Atkinson  2009-08-22 20:44:37
You guys are thinking like programmers, not like business people. Business people need an actual advantage to use a technology.
Eloff  2009-08-22 21:04:56
Exactly, he needs to have a reason to do it that makes sense.
MattC  2009-08-22 21:13:11
@Eloff, you're on the wrong website. You will primarily find programmers here.
Nick Presta  2009-08-22 21:22:48
We're programmers but some of us are business savvy as well ;)
MattC  2009-08-22 22:11:06
@Nick you really think I can ask business people about OpenID? There's a reason I'm here asking programmers.
Eloff  2009-08-23 02:52:48
+1  A: 

I would agree with you that ease of use for your users is something to heavily consider. Your audience is another thing to consider. As OpenID becomes more accepted this will be less and less of an issue. If you are working on a project where you know the majority of your users will not even know what OpenID is then perhaps you should steer away from it.

Stackoverflow was my first intro into OpenID and I'm a geek.... I created the account after avoiding it for a few days and reading up on it. I finally jumped in but I would venture to say non-geek types would perhaps not. Now, I love the idea and would love to see it everywhere also.

If you can do both your own and OpenID, offer both. I think that would be the best of both worlds. You could point users to the goodness of OpenID but still let them go the other way. If you see a high adoption rate with OpenID you could eventually only offer it.

klabranche  2009-08-22 21:05:14
I'm loathe to distract the user with more options than absolutely required during the checkout process. Perhaps adding OpenID support for existing accounts only, accessible from somewhere else would work, but doesn't seem like a high priority to me.
Eloff  2009-08-22 21:09:15
True. That is definitely a part of what should be considered.
klabranche  2009-08-22 21:23:31
+2  A: 

In my latest application I give the users a choice. I think if you do offer OpenID it should be optional and the fact that it's optional needs be very clear to your users. I tested my signup with "average" users and they were very hesitant to sign in with their Yahoo, Facebook, Google, or what have you.

For users that do want to use OpenID, do it right. If there is additional information that your site requires and you can pull that info in along with their authentication token then do it.

Andy Gaskell  2009-08-22 21:15:03
+17  A: 

What I like most about OpenID is that it doesn't feel like I'm creating an account at all. It's more like I already have an account for the entire Web, and StackOverflow is taking notice of it when I log in. I'm really tired of having to create a new "identity" on every site I run across because they want to have a bigger user count.

I also like that sites that (only) use OpenID tend to make the whole account experience more flexible: no email confirmation required, no enforced-unique usernames, use of Gravatar, etc. The upside is that there is no registration; I just log in like I was already here.

Eevee  2009-08-22 21:20:40
+1. Well put; it does feel like that ("account for the entire Web")
Jonik  2009-08-22 22:57:22
+4  A: 

Maybe it isn't worth the effort on the large scale (yet), but I am very reluctant when it comes to registering on the sites that do not support OpenID: coming up with yet another password, confirming email (which, sometimes, involves waiting for the email), etc. They basically lose me as a user unless I really have a good reason to register there.

But also keep in mind that OpenID is not only about single sign-on, it's the way to maintain your identity, to prove that you are who you claim to be. OpenID sign-on is great, but the ability to perform action on the site on your own behalf (e.g. leave a comment) without registering is even more important.

Michael Krelin - hacker  2009-08-22 21:45:15
+23  A: 

I respect your need for a business reason to use OpenID rather than a tech-geeky reason. So here it is:

Reason #1

OpenID is way easier than username+password. "Oh no", I hear the responses now, "OpenID is confusing and scary for users. They'll run away." That's why you don't tell the user it's OpenID. Just offer Yahoo and Google buttons and say "use an account you already have" or something to that effect. Users will love you. Underneath you're using OpenID, but don't advertise the fact, and perhaps don't even offer an OpenID text field, until OpenID becomes more mainstream.

A strong majority of users are already logged into Yahoo or Google, so "Click here to log in using your Google/Yahoo account" buttons will mean it's faster and easier for your customers -> more sales.

Reason #2

Do it for your customers, even if they're not asking for OpenID. OpenID is more secure than username+password, since your customers won't be reusing the same username+password on your site as all their other sites. It's bad security to reuse username+password across web sites, but that's what users do. Using OpenID (without telling them) to get them to reuse their existing [pick your small list of major OPs here] accounts will mitigate this and give your users added security. If your site is hacked, their credentials won't be stolen. And if other sites your customers have accounts with are hacked, there's a good chance your customers account with you won't be compromised.

Reason #3

Fewer support calls and web pages to support users who forgot their passwords.

Andrew Arnott  2009-08-23 00:51:06
For people who don't know what OpenID is, and you just show a Google or Yahoo button, they will run away because they will think you are stealing their account user name and passwords.
Martin  2009-08-23 01:37:45
Martin, perhaps a few people would. Many people who log into web sites that accept an "email address" for a username and a password not only reuse the same password across sites, but use their email password for it. Most people don't even know what it means to be phished, let alone when it's happening. It's sad, but the truth. Those that know tend to be able to look at the Location bar and see that they're indeed sending to yahoo.com. Remember that OpenID didn't introduce "Login with Yahoo!". That button's been around for a long time.
Andrew Arnott  2009-08-23 02:44:55
Finally someone who presents a good argument for using OpenID on an e-commerce website! You are swaying me.
Eloff  2009-08-23 02:57:13
Excellent answer. #2 is exactly the point I tried to make in comments to my answer, just presented more clearly. :) And nice, outside-the-box thinking in #1 and #3.
Jonik  2009-08-24 22:17:05
@Jonik: yes, #2 is the same point you made. And you are right on the money. But saving people from their own bad security habits is hardly the goal of an e-commerce site.
Eloff  2009-08-25 01:44:38
Eloff, well I'd say maintaining your customers online security is within the interest of an e-commerce site at least insofar as it protects the site from purchases made by identity thieves, resulting in the merchant having to not be reimbursed by the credit card companies.
Andrew Arnott  2009-08-25 02:30:21
+1  A: 

Always keep things consistent. OpenID is still in infancy and non-existent to most casual users. It will confuse users who are not familiar with it and they may even end up thinking that they're opting to 'Open' their IDs to the general public.

You can optionally embed a unobtrusive link on the sign up saying "Have an Open ID?". This way you, those familiar with it know to use it, those who aren't simply ignore it.

gAMBOOKa  2009-08-23 01:01:49
YES! This is what I was going to write.
Martin  2009-08-23 01:38:34
Currently, probably less than 1% of people might click that "Have an Open ID" link, making it a waste of time. I like the idea, but it's not practical.
Eloff  2009-08-23 04:55:48
+1  A: 

I have been finding more and more that if I'm required to pick a username, and my preferred one is already taken, I'll simply leave the site. At least one company has lost a sale this way, and I refuse to join Twitter. On the other hand, sites that use your email address as a username don't have quite the same problem. For me, it's a different problem: Which address did I give them?

The good news about OpenID is that a few major sites have found a way to make it easy for new users to figure out what's going on, by listing the icons of a few sites where they're likely to have accounts. Whether your average user will trust that method is still in question, though.

eswald  2009-08-23 01:15:44
I'm sorry, but you might be 1 in 100,000+ people who do this. If I really want something, and my username is taken, I find a new one.
Martin  2009-08-23 01:39:38
+1  A: 

I feel it depends on the end users of your system. Open ID is successful in SO because people who are using SO knows some thing about Open ID.

But, I am not sure whether the same thing will be applicable to a Greeting card site / online shopping site where my parents go. The problem I see here is you give users a choice between various providers they will get confused.

One of the way I could think of for check out process is not to force a user signup. If they decide to simply check out let them do so.

Ramesh  2009-08-23 01:29:08
I think most people who encounter StackOverflow still haven't heard of OpenID. I think StackOverflow demonstrates that OpenID as a login system is successful at teaching people what OpenID is.
Andrew Arnott  2009-08-23 02:39:44
Its easy to teach about OpenID to a tech person compared to a layman and so depending on the target users you may or may not want to implement Open ID
Ramesh  2009-08-23 15:02:00
A: 

I'm a developer and tech-savvy person and I find it horrible to use OpenID. But that's just my opinion. In the end you have to choose what fits best with your hypothetical end user.

Sergio Tapia  2009-08-23 03:09:24
A: 

Personally, I think the value of a well implemented 'lazy registration' concept is far more useful than the OpenId itself.

I already have so many accounts online I don't mind registering on new websites, but forcing me to sign in just to see what the service is about, or to complete an order, is very annoying with or without openid.

zalew  2009-08-23 03:21:30

related questions

how to get login credentials by openId?
OpenID Migration
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?