I’m at Facebook headquarters in Palo Alto for the OpenID Design Summit that was announced last week along with the big news of Facebook joining the OpenID Foundation. I’ll be blogging it with photos and words, as I have at previous Open Stack events. The event starts at noon, and Facebook is live streaming it via Ustream. Folks are beginning to arrive. I see representatives from Facebook, MySpace, Google, Microsoft, Yahoo, AOL, PayPal, Plaxo, Six Apart, JanRain, and Vidoop. Isn’t it great that all of these companies can work together in the open toward a common goal that is good for the web?
Luke Shepard and Dave Morin kicking it off. “The core problem we’re trying to solve is the user experience for OpenID,” says Luke, who is Facebook’s representative to the OpenID Foundation Board.
Julie Zhuo from Facebook’s user experience team is our first speaker, talking about Facebook Connect’s approach to making the experience something users can understand. How can the user understand the value? Value: Skip filling out this form or having to register if you have a Facebook account. Showing CitySearch, citing that Facebook logo is present in the UI, but acknowledging the scalability issue (number of options, logos). What is the relationship between the RP and the OP. Problem: we want to message “Hey, these two sites are going to be tied togethr somehow.” Because the popup design was so simple, we could port it to the iPhone easily. What’s being shared? Instead of describing in text, an illustration of the two sites, with arrows representing flows of sharing. Simplification is a big theme of Julie’s talk. Philosophy: keep the first screen really simple; delay deeper stuff (like extended permissions) to later flows, in context. As a community, we need to figure out how to message and simplify. Showing auth screens for various providers. Can we simplify? Can we standardize?
Next up is Max Engel of MySpace. Sharing results of testing of OAuth, OpenID, and a hybrid of the two. First, OAuth by itself. An arrow linking AOL and MySpace was found to work better once the MySpace logo was moved from the right to the left, as users thought it meant something different when it was on the right. People were generally comfortable, but the experience was not always what they expected. OpenID standalone tested with Yelp (with hacked HTML, not fully working code). Users were confused. “When ‘open’ was in the term, people had security concerns,” says Max. Another confusion point, “When we gave hint URLs, people tried putting those in, instead of their own.” People felt less secure in the logged in pop-up than the logged out pop-out. Point of confusion in Yelp example: user logs in with a MySpace URL but was then prompted to create a Yelp URL.
Max continues. OpenID/OAuth Hybrid test was done using Netflix. Big security concerns, perhaps made worse by the commerce aspects of Netflix. Nice user quote, “Once you see it and once you get it, it seems really innovative and useful.” Users liked the hybrid experience in general. Tested “granular scoping” with lots of choices. This was the “crowd favorite” but no one missed it when the choices weren’t there.
Next, Brian Ellin from JanRain (says he doesn’t have a Twitter account; gasp). About to give a history of OpenID interfaces. “The benefit of OpenID? Sign in with an account you already have.” Most users (78%) have not heard of OpenID. Brian is showing what people have been typing into OpenID sign-in boxes. OMG, “elderly,” “I HATE YOU LADY GAGA,” “Hotmail,” their email address, or far to common: nothing. This is great. Showing all different UIs. Some that show canonical examples. Interactive versions, like TypePad’s, idselector, Clickpass, and MapQuest.
Now on to OpenID 2.0, where you can input provider, like yahoo.com. Showing brand power, with results from RPX. The demographics of the site shift the mix of which providers users choose for signup. Showing RPX and Plaxo ui now. Max Engel asks if JanRain has metrics for dropoff between the RP and the OP. Brian says not yet. I whisper to Max, “Stay tuned.” (As I know that Joseph Smarr of Plaxo has that in his presentation, coming after lunch.) Brian points out two key observations:
1) Brand selectors are good at letting users express preference, but at the time of choice, user has no idea which OpenID experience will be better.
2) Knowing which one the user chose, allows that brand to be more prominent in subsequent signin.
3) Once you add a button to your interface, you can never remove it.
Google is up next, with Eric Sachs, Breno de Medeiros, and Dirk Balfanz. Not sure if all will talk, but they’re all working to set up a demo. While we wait, I observe that almost every laptop in the room is a Mac (including mine). The Google team is going to demo the OpenID Popup that they released yesterday. Ooh, that is sweet. Love the “smoky” background. Can’t wait to roll that into the Plaxo/Google hybrid experiment! Funny quote, “If you have good feedback, channel it to Plaxo, who will beat us up.” 🙂
Interesting question about the consent page. Has Google experimented with granular permissions, vs. having all the items consented to at once? “Yes. It was horrible,” says Eric Sachs. “People cursed at us when we did it one by one. They want it in a single step.” Wow. Important insight.
Next up, Joseph Smarr of Plaxo. Hilarious intro. (I’m biased.) “Hi! I’m Plaxo, and I’m in an open relationship with all of you. But it hasn’t always been easy. Sometimes it’s been confusing. And you haven’t met all my needs (for user data). By lately I’ve been spending a lot of time with…Google.” (Lots of laughs). “Experimenting with a new technique, that leverages more of the Open Stack.”
Joseph described the exeriment Plaxo and Google did, using hybrid OpenID/OAuth plus Google Contacts. Trying to prove that Open Stack onramping can be strictly better for all parties than traditional registration flows via a two-click signup.
Demo just went *great* and we’re looking at the final step. After the onramping, the new user is shown an “education lightbox” reminding the user where to look for the “sign in with Google” link.
Now, to the results. Drum roll, please. But wait! The RP/OP round trip, a.k.a “the Chasm of Death.” Asking the audience to guess the percentage of people who would survive. The crowd guesses 35%, 45% , 50%. The real answer is 92%! The crowd is wowed.
That means we lose 8% to the chasm of death. Of those that return, 8% choose “no” to the Google account signup option/consent. 92% say yes and automated address book import. Joseph says, they get higher conversion rates, higher import rates, more connections per user, and no drop-off in return visits.
“In other words, our business guys won’t let us turn off the experiment!”
Joseph says, “This is an historic movement. I’ve been evangelizing this stuff for two years, but all of the experiments before this were worse for our business. This is no longer about selling this as good for the web. This is about the Open Stack being measurably better for your business than traditional registration.”
Here’s Joseph’s presentation.
We’re back and Chris Messina of Vidoop and the open community at-large is up, sharing views about various contexts that OpenID will need to survive and thrive in, including web, mobile, desktop, API, and headless. Now, Chris is walking us through various OpenID UIs, pointing out points of confusion, also showing alternatives with better user experience. I’ll add a link to his slides when I have it.
We’re going to breakout groups now. One for Relying Party concerns, one for Providers. I’ll let the working sessions proceed without live blogging. I’ll return to the task when the groups convene to share results.
Update: ReadWriteWeb wades in on the implications of the Plaxo/Google experiment.
Summary from the OP breakout
Julie is talking. Agreement on popup as the way two go; two states: signed in or not. Have a high-level outline. Next steps real wireframes. On the white board now. Site name at the top. Below that something illustrating “what is happening”. Below that Options. Then ID and password (for not signed in). Legaleze, preferably small. Below that Okay or Cancel. Second step (optional) for getting access to more data. What’s interesting to me is it sounds like the OPs ended up with strong consensus about key elements. Max Engel from MySpace adding commentary, along with Angus Logan of Microsoft, and now Allen Tom of Yahoo. Consensus = goodness here. Second screen for the signed in state: site name, who you are, what is happending, options, okay/cancel. Same as first screen but simplified. Agreed that canceling just closes the pop-up and returns you to the site. Discussion around how to handle the different states (like cancel). Max chiming in, plus Breno from Google. Unresolved is sign-out implications between the sites. Breno sharing the need for getting RP logos from the web, with simple discovery; upload from the RP to the OP is not scalable. A little bit of back and forth on some corner case questions, but *great* to hear how MySpace, Facebook, Google, Yahoo, and Microsoft emerged from a room all “on the same page”. Facebook, MySpace, and Google “magically converged” on the same width for the ideal popup, says Julie. (450 pixels, I think.) Breno says that there should be a hard requirement that the popup can be re-sized.
Summary of the RP breakout
Luke Shepard from Facebook is sharing the findings. The big question is what to show the user: box vs. buttons vs. smart typeahead. Joseph Smarr from Plaxo chiming in: we have a set of contexts (like Chris Messina talked about before: organic signup, viral signup, return signin, lightweightm download/desktop, mobile, email validation, OAuth-only, prove affiliation, personalization, “connect”). To do these right, we have a wishlist for what we want from the OP (button, email, data access via OAuth/hybrid, discovery of services, is user logged in?, streamlined UX, email to OpenID lookout). Luke is now talking about one of the big concepts/issues: How can an RP? Eric Sachs of Google talked about doing a “third-party cookie system than (opted-in) users could reveal their identity provider. Breno says it’s like DNS. Neutral third-party. Eric had said there’s an existence proof for something similar for advertising systems for compliance with various privacy laws around the world. Joseph talking “RP Verticals” worth exploring for thinking through differing needs and UX approaches (media sites, e-commerce sites, blogs, social sites).
The Real McCrea 
The beat goes on…and I’m following it closely, looks like the gears are meshing smoothly into second….
Thanks for posting this up. I’m personally interested in seeing where OAuth/OpenID interfaces head for mobile smartphones (specifically ones with embeddable webkit support) as well as headless/API contexts.
Hopefully, there will be some discussion of that.
[…] And that leads us to the second thing that happened today. Facebook (of all players) hosted a workshop on improving OpenID’s UX (u… Its still early to tell if this effort paid off, but “My […]
[…] been able to follow just a bit of the initial presentations on the UStream but Plaxo’s John McCrea has a detailed live blogging post, moreover all the presentations are online at slideshare (plus here are the UStream recorded […]
What ??!! No Open ID logo/box/popup here ? 😉
[…] McCrea posted a liveblog account of the day — if you have any interest in this space, go read it. Now. In particular, note that all […]
[…] (all?) presentations of the summit are up on Slideshare. Also Plaxo’s John McCrea was live blogging the event and also provides a summary of the OpenID Providers and Relying Parties “working […]
[…] a couple of cool things today on the back of Safer Internet Day which was yesterday and the Open ID UX summit which took place in Silicon Valley […]
[…] McCrea for taking the photos below, giving them with a permissive Creative Commons license and for live blogging the meeting so extensively. All the photos below are his, with the exception of the photo of McCrea himself, which was taken […]
[…] Microsoft has announced a couple of cool things on Safer Internet Day and the Open ID UX summit which took place in Silicon […]
[…] McCrea for taking the photos below, giving them with a permissive Creative Commons license and for live blogging the meeting so extensively. All the photos below are his, with the exception of the photo of McCrea himself, which was taken […]
[…] Live-blogging the openid design summit – John McCrea from Plaxo did a great job of live-blogging the event. This is the best place to start because his post also embeds all the presentations. Thanks John! […]
[…] noticias en VentureBeat y ReadWriteWeb (I, II y III), seguimiento en vivo de las charlas por John McCrea y explicación de OAuth + OpenID por […]
Thank you so much for this detailed report — that is significantly faster to parse through than a video stream (although I would have enjoyed a fast audio version with each presentation). I’m very happy to see things getting together, and the experts finally realizing that a) a URL is a swearword, b) it should benefits every player c) we can make this simple. However, one detail still bothers me: the small-type-font light-grey legalese.
Stop thinking that you can use that trick, or that it protects you of anything, or that you have to do it that way, or. . . Just stop. If there are legal requirements, make them as easy to understand as the rest. And don’t write anything on the screen that you do not intend the users to read and grok. If it’s beta, just write: “This product is being tested on a large population; we do not guarantee that it will work; don’t put anything that you can’t replace in here; you cannot sue us for any failure.” No sentence with more then 10 words; no words that is not one of the 1500 most common in the English language.
You made a fantastic step forward in understanding that commercial relations are not exclusive romances and that all will benefit from well understood collaboration; users will be enjoying all that — don’t ruin these progress with yet another EULA. For the last time: those are legally as void as RIAA threatening letters, and barely more useful.
[…] I also recorded a bunch of video from the OpenID Design Workshop (which John McCrea did a great job liveblogging): […]
[…] the real McCrea had a great live blogging session on Feb 10th for the OpenID summit in Palo Alto. folks from Facebook, MySpace, Google, Microsoft, Yahoo, AOL, PayPal, Plaxo, Six Apart, JanRain, and Vidoop all appeared to give their “two-cents” worth on improving the user experience when it comes to OpenID. […]
[…] like Dave Morin, Luke Shepard, Josh Elman, and Julie Zhuo (and many more) through events like the OpenID Design Summit. Heck, I even got to build a relationship with Mark Zuckerberg, in part by accidentally stumbling […]
[…] terms. Luckily, there was a community ready and willing to help. The progress made at two OpenID Usability Summits helped us refine our implementation and allowed us to leverage the collective knowledge of other […]
[…] Speaking of the Usability Committee, at the last OpenID Foundation Board meeting, an official committee was formed to help continue spearheading the community efforts. Allen Tom of Yahoo! and Luke Shepard of Facebook agreed to co-chair this important new committee. They’re looking for volunteers, so if you’re interested, make sure to get in touch with them. With Breno de Medeiros of Google, Tom is proposing an OpenID User Interface Extension. This an exciting continuation of the work started at the Content Provider Advisory Committee as well as the past User Experience Summits hosted at Yahoo! and Facebook. […]
[…] that without prompting, users don’t really understand the value or what to write – in fact, they will type just about anything in there. You can see what this looks like here. Blank box offers infinite choice and […]
[…] use experience for all of our users. We made great progress at the Internet Identity Workshop, both OpenID Usability Summits, countless meet-ups, and […]
very sad that I capture the picture to take facebook
And some have at least one colorful Casio of their watch collections.
Since Casio watches come in a massive variety, they shall leave the consumer with a difficult choice about which watch to pick.
The newest generation Frogman may be the Tough Solar GW-200.
[…] without prompting, users don’t really understand the value or what to write – in fact, they will type just about anything in there. You can see what this looks like […]