Yahoo! Developer Network Blog



October 14, 2008

Yahoo! Releases OpenID Research

I'm happy to announce that Yahoo! is releasing the results of a usability study that we did for OpenID. Our test subjects were several experienced Yahoo! users (representative of our mainstream audience) who were observed as they tried to sign into a product review site using the Yahoo OpenID service.

First, the good news. After the users completed their tests, we explained OpenID to them, and they all recognized the value of being able to easily sign into a new site without having to create a new ID and password. They also appreciated the potential of using their Yahoo OpenIDs to automatically verify their Yahoo email address without having to do manual email verification.

Now the bad news. None of the users had heard of OpenID before, and none of them even noticed the OpenID sign-in box displayed below the traditional email/password login form on the site. In many cases, the test subjects entered their Yahoo email address and Yahoo password to try to log in. We had told the test subjects that they could sign into the site using their Yahoo! account without having to register. (See Page 5 of the study.)

Eventually, we coached the test subjects to use the site's OpenID Selector, and they still had some problems with the selector's Yahoo! option. In most cases, the users were confused by the "http://yahoo.com" autofilled in the OpenID sign-in box, and continued to look for a form in which to enter their Yahoo ID and password. (See pages 7 and 8 of the study.)

After a bit more coaching, the users managed to get to the Yahoo! OP, where a lot of them got lost. (OP is jargon for an OpenID provider.) First-time Yahoo OpenID users must navigate through a few screens, where they have to solve a CAPTCHA and agree to a TOS. They are given opportunities to learn more about OpenID, set up a custom OpenID identifier, set up an anti-phishing sign-in seal for their Yahoo login screen, or view a directory of OpenID RPs. (RP is jargon for relying party.) In many cases, users were overwhelmed by all these options, and failed to return to the RP because they were sidetracked. (See pages 10-14 of the study.)

Finally, after a little more coaching, the test subjects returned to the product review site, where they were presented with a registration form to set up a profile. Obviously, it would have been more satisfying if the user was able to go directly to their intended destination. (See page 15.)

As a followup, we asked the test subjects to pretend that some time had passed and they were to revisit the site and sign in again. In many cases, they tried to sign in by typing in their Yahoo! email address and password into the login form. (See page 17.)

Observing these tests was more than a bit frustrating for the Yahoo! OpenID team, and the test subjects may have been distracted by the sounds of the groans and head-pounding coming from the other side of the one-way mirror. Certainly there is a lot of work to be done on the OpenID UX (user experience) front.

On the Yahoo! side of things, we streamlined our OP last week, and removed as much as we could. We removed the CAPTCHA and slimmed down the OP to just a single screen, and focused the UI to get the user back to the RP. We expect that RPs will enjoy a much higher success rate for users signing in with their Yahoo OpenID.

On the RP side of things, our recommendation is that they emphasize to users that they can sign in with an existing account, specifically their YahooID. We believe that the YahooID, as well as IDs from other providers, has higher brand awareness than OpenID. We also believe that first-time users signing in with an OpenID should be able to go directly to their intended destination after signing in, instead of having to complete additional registration. Hopefully, as SimpleReg/AttributeExchange are more widely supported (Yahoo does not currently support them), relying parties will no longer feel the need to force the user through an additional registration form after signing in with an OpenID.

I'll be happy to discuss the findings of our first UX study, as well as suggestions for improving the entire end-to-end OpenID UX.

Allen Tom
Architect, Yahoo! Membership

Posted at October 14, 2008 7:50 AM | Permalink


Comments

It'd be nice if there was a way to redirect the user back to a specific page after they log in. With asp.net, we tend to include a query parameter called ReturnUrl that has the url to return to after authentication.

Posted by: Jim Geurts at October 14, 2008 6:57 PM

Thanks for sharing. We've had internal discussions about adding OpenID to our global registration system and decided that it was a bad idea for now based on the apparent level of knowledge our current users exhibit.

First we need to get a lot of them off IE6. :)

Posted by: Claude at October 14, 2008 8:28 PM

thanks for sharing!

Posted by: keith at October 14, 2008 9:22 PM


It'd be nice if there was a way to redirect the user back to a specific page after they log in. With asp.net, we tend to include a query parameter called ReturnUrl that has the url to return to after authentication.


Hi Jim,

ASP.net libraries are currently available to support OpenID. See http://wiki.openid.net/Libraries if you're considering implementing an RP on your site.

When a relying party passes a user to an OpenID provider, they may pass a return_to URL as a parameter ( see http://openid.net/specs/openid-authentication-2_0.html#anchor27 ). What Allen is suggesting is that relying parties pass a URL that will take the user back to what they were doing rather than taking the user to a site registration page.

E.g. if the user was attempting to rate a product, the return_to URL should take them back to the product rating page upon completion of the OpenID registration process. Currently, most sites will take the user to a site specific registration page, and once the user completes that, on to the rate product page.

Hope that clarifies things :)

Posted by: Alexander at October 14, 2008 10:38 PM
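The return_to behaviour discussed in the comment above, as an added example that is not part of the original post or comments: a relying party carries the page the user was on through the OpenID 2.0 `checkid_setup` request and recovers it on the return leg, accepting only same-site paths so the parameter cannot send users to another host. The `reviews.example` and `op.example` URLs, the `dest` parameter name and the function names are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed values for illustration; not taken from the page.
RP_REALM = "https://reviews.example/"
RP_CALLBACK = "https://reviews.example/openid/return"
OP_ENDPOINT = "https://op.example/auth"  # placeholder OP endpoint


def safe_destination(dest, default="/"):
    """Accept only an absolute path on this site; anything else becomes default."""
    if not dest or not dest.startswith("/") or dest.startswith("//") or "\\" in dest:
        return default
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        return default
    return dest


def build_auth_request(destination):
    """Build the redirect to the OP, with the user's destination inside return_to."""
    return_to = RP_CALLBACK + "?" + urlencode({"dest": safe_destination(destination)})
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        # identifier_select: the user typed the OP's name, so the OP picks the identity
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": RP_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def destination_after_login(callback_url):
    """On the return leg, re-validate the destination before redirecting to it."""
    query = parse_qs(urlsplit(callback_url).query)
    return safe_destination(query.get("dest", [""])[0])


if __name__ == "__main__":
    print(build_auth_request("/products/42/rate"))
```

The destination is validated twice because the return leg arrives through the user's browser and its query string can be altered in transit.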

Wow, thanks guys for sharing this wealth of information. I totally get where you guys come from with the head banging she. Users don't get stuff but as we take off our elitist hats we can all make the web a more intuitive place to be. Keep up the good work, lots of us look up to y! Dev in a big way.

-Kai

Posted by: Kai chan Vong at October 15, 2008 12:38 AM

Interesting results but I think at the heart of this is a bigger fundamental issue. No-one knows what OpenID is, and more importantly no-one had a simple up-front, short explanation that made sense before asking someone to fill in a form... Communication is the key - not throwing more programmers or technology at it.

-Rick-

Posted by: Ricardo Pirroni at October 15, 2008 1:49 AM

It's not surprising that users were concerned. On the "best practices" page you recommend that sites include a button labelled "(Y)! Sign in with a Yahoo ID" on their logon page.
(1) It's a button so obviously some users will assume it's an alternative submit button for the normal logon form and fill that in.
(2) Why no mention of OpenID? Is this the same as your Yahoo! ID or not? Obviously some users will assume it is and fill in their Yahoo! email address and password.

Posted by: Pete Austin at October 15, 2008 2:35 AM

Hi-

It has been several months since I signed up to use yahoo as openid provider, but I seem to remember that my Yahoo username was presented as my default openid identifier and I was unable to change it. If folks used their yahoo credentials for openid, I guess that the reason is that they had the same problem I had.

I had also suggested that a button be available on my Yahoo toolbar (Firefox) to paste in my openid identifier.

Also, I have not noticed the availability of OpenID on sites that I frequent. I understand that would not be an issue you can fix for me.

Thanks

Posted by: Ken at October 15, 2008 8:17 AM

@Rick - One of the great things about building so many sites for the average user is that we have these great User Experience Design teams that can help us solve these hard problems. We definitely still want to make OpenID useful for our users. This study is part of a journey to the best solution rather than a roadblock.

@Pete - We've found that the "Sign In With Yahoo" button is best for users so far. Most users don't know about the OpenID brand but they do know about the Yahoo brand. If you want to make it easy for people to log in with their Yahoo ID then this is a great way to do it without asking them to understand more technical terms.

@Ken - You should be able to create a number of identities either based on a nickname unrelated to your Yahoo ID, or an anonymous one. You can also use identifiers like your Flickr username.


Tom Hughes-Croucher
Yahoo! Developer Network

Posted by: Tom Hughes-Croucher at October 15, 2008 10:45 AM

I think that UI and phrasing could overcome many of these problems. I think @Pete and @Tom's responses come closest to describing it. OpenID doesn't *mean* anything. What *means* something is "using my login from a different site." I put together an example UI over at my blog: http://blog.toppingdesign.com/2008/10/15/letting-users-know-about-openid/

Posted by: Topper at October 15, 2008 11:49 AM

Great write up, good findings.

The biggest hurdle for OpenID is that a user has to remember two IDs.
first_last@yahoo.com and http://me.yahoo.com/first_last

I understand that there's an opt-in/out deal for users and that services can easily redirect to your openID url.
Flexible for the provider, but confusing for a user that probably uses his (in this case) @yahoo.com address a lot more than the OpenID address he received at signup.

But a few conventions could help here.
If a user enters first_last@yahoo.com and wants to do OpenID, the service redirects to openid.yahoo.com/first_last

In other words, why not make your email your OpenID?

Posted by: thomas at October 15, 2008 1:44 PM

Great point and exactly what I was thinking... If the Y! implementation of OpenID used a canonical URL schema, as @thomas has suggested, then we RPs outside the ecosystem could reliably translate the user's Y! ID username to OpenID URL for Yahoo. Alternately, Y! could have a service that does that _for us_, such that my app requests http://me.yahoo.com, passing the Y! ID username (which is all I ask the user for) and gets a response with a redirect to the correct (or most likely correct) OpenID URL.

Posted by: David Rogers at October 15, 2008 8:44 PM

@thomas/David - absolutely, when I was demoing a new proof-of-concept at work I knew I had a Yahoo! OpenID but for the life of me couldn't remember the full URL so had to head off to yahoo.com, sign in and click the right button/link to see my OpenID URL :).

It is much easier to recall your email address than an OP's custom address plus username.

I'm looking at using OpenID internally and this research is definitely swaying me towards using username@address.com rather than http://openid.address.com/username...

Posted by: Mike at October 16, 2008 1:45 AM

Your UI missed a *huge* opportunity here. As per the Google research, and now your own, users kept trying to enter their Yahoo email. *that's ok!* Try it sometime: go to any OpenID2.0 RP and enter yourname@yahoo.com as the OpenID. You will be taken to the Yahoo OP. Why? Because http://yourname@yahoo.com/ *is a valid HTTP URL* and returns the same content as http://yahoo.com/ -- which is where the headers for OpenID auth are found for OpenID users.

Posted by: Stephen Paul Weber at October 16, 2008 6:10 AM

@Stephen, our team looked at a number of approaches to OpenID 2.0.

Email is one of the things being considered however it also has a number of associated issues that need to be examined before it's considered a complete solution. Issues around phishing and delegation models for email are currently unresolved.

Our original proposal was to allow users to use "yahoo.com" as a neutral login mechanism which didn't expose any of their data. From that point our RP allows them to choose either an anonymous login or one connected to their Yahoo ID.

While the research shows the mental model associated with URLs is not something users understand, we don't want to jump to another solution before fully exploring the implications. Our current recommendation, the "Sign in with your Yahoo ID" button has been shown to work in many cases.

Tom Hughes-Croucher
Yahoo! Developer Network

Posted by: Tom Hughes-Croucher at October 16, 2008 8:23 AM

@Tom I'm not sure what these outstanding issues for using emails as OpenIDs you speak of are. As I pointed out in my previous comment - using yahoo email addresses as OpenIDs *already works*. This is not a suggestion of something you should build or invent *you already have it*! Every blah@yahoo.com address *already* (that means, right now, without needing you or anyone else to change anything) works as an OpenID on *all* RPs.

You may have reasons for not wanting to promote this - but certainly RPs can in their UI.

Posted by: Stephen Paul Weber at October 17, 2008 12:52 PM

Regarding OpenID name - I think while certainly we can't have it .yahoo.com due to some obvious reasons, why not do it .me.yahoo.com? It looks much better I guess...

Posted by: Roman at October 18, 2008 11:33 AM

@Stephen Using email has privacy issues. If I want to sign in to a dodgy website to leave my comment, I don't want to use my email address, because they could use it to send spam to me. Or sell it to someone who will send spam to me.

Also, OpenID in general cannot use email addresses, since not all providers have email address for their users. Think about Flickr, Wordpress...

PS. the user experience of the commenting feature on this blog could also be improved. First, it wasn't clear that Email address is a mandatory field. After I filled it in it complained: "Too many comments have been submitted from you in a short period of time. Please try again in a short while." - even if the first submission failed due to missing email address!

Posted by: Kari at October 23, 2008 12:48 AM

@Kari If you don't want to use your email address, don't: the point is that those who want to (which it seems is many), already can with Yahoo. Not all providers give this feature? Duh, that's the point of being decentralized, if you want to use your email address, you'll be using your email provider as OP (like already works with Yahoo).

Posted by: Stephen Paul Weber at October 23, 2008 7:10 AM

For those who haven't seen it yet, Yahoo also hosted a user experience summit last week with 40+ representatives from the major OpenID providers. John McCrea of Plaxo provided a great summary at http://therealmccrea.com/2008/10/20/live-blogging-the-openidoauth-ux-summit/. Additionally, you can see a summary of the various OpenID use cases in deployment or being considered at http://blog.janrain.com/2008/10/openid-user-experience-ux-summit.html. The OpenID Foundation and member companies look forward to additional feedback on how to improve the OpenID user experience, so please keep the comments coming.

Posted by: Brian Kissel at October 27, 2008 9:57 AM

@Roman Using email has privacy issues...
For those users who are concerned about privacy, they may use the sign-in button/"http://yahoo.com" to sign in. So you give options to users. Yahoo is free to educate its users about privacy, e.g. upon the first use of OpenID, you send an email to tell them how to protect their privacy.

In many sites, they require registration and an email address is usually mandatory. If a user doesn't enter an email address at first, they'll have to enter the email address at the end after they've been authenticated, and they'll probably be asked to check their email to confirm their email address as Y! doesn't support attribute exchange.

Posted by: Mingfai at October 31, 2008 7:20 PM

My previous message was to Kari instead of Roman.

To those who think they could use email already, it's not entirely true. For an identifier http://foobar@yahoo.com, it is resolved to yahoo.com, but the foobar user name is not checked. A user may use any account to authenticate, and you will think he is foobar@yahoo.com.

Posted by: Mingfai at November 1, 2008 1:11 PM
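The point made in the comment above, as an added example that is not part of the original post or comments: when an email address is typed into an OpenID 2.0 box, URL normalization turns it into a URL whose host is the OP and whose user name is only the userinfo component, so the relying party has to bind the local account to the `openid.claimed_id` in the positive assertion rather than to what was typed. The function names and the sample assertion are constructed for illustration, and the assertion is assumed to have already passed the OpenID library's signature, nonce and discovery checks.

```python
from urllib.parse import urlsplit, urlunsplit

XRI_MARKERS = "=@+$!("  # leading characters that mark an XRI in OpenID 2.0


def normalize_identifier(user_input):
    """URL branch of OpenID 2.0 input normalization (XRIs are not handled here)."""
    text = user_input.strip()
    if not text:
        raise ValueError("empty identifier")
    if text.startswith("xri://") or text[0] in XRI_MARKERS:
        raise ValueError("XRI identifiers are outside this example")
    if "://" not in text:
        text = "http://" + text
    p = urlsplit(text)
    # Drop the fragment and give an empty path its canonical "/"
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def discovery_target(identifier):
    """Return (host that discovery contacts, userinfo that nobody verifies)."""
    p = urlsplit(identifier)
    return p.hostname, p.username


def account_key(typed_input, assertion):
    """Pick the identifier to store against the local account.

    typed_input is deliberately ignored: only the OP-asserted claimed_id
    identifies who actually authenticated.
    """
    if assertion.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    claimed = assertion.get("openid.claimed_id")
    if not claimed:
        raise ValueError("assertion carries no claimed_id")
    return claimed


# Constructed sample: the box was filled with one name, but a different
# Yahoo account signed in at the OP.
TYPED = "foobar@yahoo.com"
ASSERTION = {
    "openid.mode": "id_res",
    "openid.claimed_id": "http://me.yahoo.com/someone_else",  # constructed value
}

if __name__ == "__main__":
    ident = normalize_identifier(TYPED)
    print(ident, discovery_target(ident), account_key(TYPED, ASSERTION))
```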

I totally understand the problems with the user interface and registration. I've had an openID and four personas since the late spring but have been spectacularly unable to use it/them at any OP successfully.

Part of the problem for me is that registration at many OPs requires additional personal and other registration information, making it seem that the OpenID persona is either (a) useless or (b) a trick to get a lot more information about users than they were prepared to offer in their personas.

Grrr.

Posted by: Frank at November 4, 2008 7:11 PM

Make Yahoo! a consumer of OpenID too and then I'll start taking your statements seriously. Until then you're just another member of the corporate hypocrisy brigade.

Posted by: Warner Feinstein at January 15, 2009 7:24 AM

Copyright © 2010 Yahoo! Inc. All rights reserved.