I’m at Facebook headquarters in Palo Alto for the OpenID Design Summit that was announced last week along with the big news of Facebook joining the OpenID Foundation. I’ll be blogging it with photos and words, as I have at previous Open Stack events. The event starts at noon, and Facebook is live streaming it via Ustream. Folks are beginning to arrive. I see representatives from Facebook, MySpace, Google, Microsoft, Yahoo, AOL, PayPal, Plaxo, Six Apart, JanRain, and Vidoop. Isn’t it great that all of these companies can work together in the open toward a common goal that is good for the web?
Luke Shepard and Dave Morin kicking it off. “The core problem we’re trying to solve is the user experience for OpenID,” says Luke, who is Facebook’s representative to the OpenID Foundation Board.
Julie Zhuo from Facebook’s user experience team is our first speaker, talking about Facebook Connect’s approach to making the experience something users can understand. How can the user understand the value? Value: Skip filling out this form or having to register if you have a Facebook account. Showing CitySearch, citing that Facebook logo is present in the UI, but acknowledging the scalability issue (number of options, logos). What is the relationship between the RP and the OP. Problem: we want to message “Hey, these two sites are going to be tied togethr somehow.” Because the popup design was so simple, we could port it to the iPhone easily. What’s being shared? Instead of describing in text, an illustration of the two sites, with arrows representing flows of sharing. Simplification is a big theme of Julie’s talk. Philosophy: keep the first screen really simple; delay deeper stuff (like extended permissions) to later flows, in context. As a community, we need to figure out how to message and simplify. Showing auth screens for various providers. Can we simplify? Can we standardize?
Next up is Max Engel of MySpace. Sharing results of testing of OAuth, OpenID, and a hybrid of the two. First, OAuth by itself. An arrow linking AOL and MySpace was found to work better once the MySpace logo was moved from the right to the left, as users thought it meant something different when it was on the right. People were generally comfortable, but the experience was not always what they expected. OpenID standalone tested with Yelp (with hacked HTML, not fully working code). Users were confused. “When ‘open’ was in the term, people had security concerns,” says Max. Another confusion point, “When we gave hint URLs, people tried putting those in, instead of their own.” People felt less secure in the logged in pop-up than the logged out pop-out. Point of confusion in Yelp example: user logs in with a MySpace URL but was then prompted to create a Yelp URL.
Max continues. OpenID/OAuth Hybrid test was done using Netflix. Big security concerns, perhaps made worse by the commerce aspects of Netflix. Nice user quote, “Once you see it and once you get it, it seems really innovative and useful.” Users liked the hybrid experience in general. Tested “granular scoping” with lots of choices. This was the “crowd favorite” but no one missed it when the choices weren’t there.
Next, Brian Ellin from JanRain (says he doesn’t have a Twitter account; gasp). About to give a history of OpenID interfaces. “The benefit of OpenID? Sign in with an account you already have.” Most users (78%) have not heard of OpenID. Brian is showing what people have been typing into OpenID sign-in boxes. OMG, “elderly,” “I HATE YOU LADY GAGA,” “Hotmail,” their email address, or far to common: nothing. This is great. Showing all different UIs. Some that show canonical examples. Interactive versions, like TypePad’s, idselector, Clickpass, and MapQuest.
Now on to OpenID 2.0, where you can input provider, like yahoo.com. Showing brand power, with results from RPX. The demographics of the site shift the mix of which providers users choose for signup. Showing RPX and Plaxo ui now. Max Engel asks if JanRain has metrics for dropoff between the RP and the OP. Brian says not yet. I whisper to Max, “Stay tuned.” (As I know that Joseph Smarr of Plaxo has that in his presentation, coming after lunch.) Brian points out two key observations:
1) Brand selectors are good at letting users express preference, but at the time of choice, user has no idea which OpenID experience will be better.
2) Knowing which one the user chose, allows that brand to be more prominent in subsequent signin.
3) Once you add a button to your interface, you can never remove it.
Google is up next, with Eric Sachs, Breno de Medeiros, and Dirk Balfanz. Not sure if all will talk, but they’re all working to set up a demo. While we wait, I observe that almost every laptop in the room is a Mac (including mine). The Google team is going to demo the OpenID Popup that they released yesterday. Ooh, that is sweet. Love the “smoky” background. Can’t wait to roll that into the Plaxo/Google hybrid experiment! Funny quote, “If you have good feedback, channel it to Plaxo, who will beat us up.” :)
Interesting question about the consent page. Has Google experimented with granular permissions, vs. having all the items consented to at once? “Yes. It was horrible,” says Eric Sachs. “People cursed at us when we did it one by one. They want it in a single step.” Wow. Important insight.
Next up, Joseph Smarr of Plaxo. Hilarious intro. (I’m biased.) “Hi! I’m Plaxo, and I’m in an open relationship with all of you. But it hasn’t always been easy. Sometimes it’s been confusing. And you haven’t met all my needs (for user data). By lately I’ve been spending a lot of time with…Google.” (Lots of laughs). “Experimenting with a new technique, that leverages more of the Open Stack.”
Joseph described the exeriment Plaxo and Google did, using hybrid OpenID/OAuth plus Google Contacts. Trying to prove that Open Stack onramping can be strictly better for all parties than traditional registration flows via a two-click signup.
Demo just went *great* and we’re looking at the final step. After the onramping, the new user is shown an “education lightbox” reminding the user where to look for the “sign in with Google” link.
Now, to the results. Drum roll, please. But wait! The RP/OP round trip, a.k.a “the Chasm of Death.” Asking the audience to guess the percentage of people who would survive. The crowd guesses 35%, 45% , 50%. The real answer is 92%! The crowd is wowed.
That means we lose 8% to the chasm of death. Of those that return, 8% choose “no” to the Google account signup option/consent. 92% say yes and automated address book import. Joseph says, they get higher conversion rates, higher import rates, more connections per user, and no drop-off in return visits.
“In other words, our business guys won’t let us turn off the experiment!”
Joseph says, “This is an historic movement. I’ve been evangelizing this stuff for two years, but all of the experiments before this were worse for our business. This is no longer about selling this as good for the web. This is about the Open Stack being measurably better for your business than traditional registration.”
Here’s Joseph’s presentation.
We’re back and Chris Messina of Vidoop and the open community at-large is up, sharing views about various contexts that OpenID will need to survive and thrive in, including web, mobile, desktop, API, and headless. Now, Chris is walking us through various OpenID UIs, pointing out points of confusion, also showing alternatives with better user experience. I’ll add a link to his slides when I have it.
We’re going to breakout groups now. One for Relying Party concerns, one for Providers. I’ll let the working sessions proceed without live blogging. I’ll return to the task when the groups convene to share results.
Update: ReadWriteWeb wades in on the implications of the Plaxo/Google experiment.
Summary from the OP breakout
Julie is talking. Agreement on popup as the way two go; two states: signed in or not. Have a high-level outline. Next steps real wireframes. On the white board now. Site name at the top. Below that something illustrating “what is happening”. Below that Options. Then ID and password (for not signed in). Legaleze, preferably small. Below that Okay or Cancel. Second step (optional) for getting access to more data. What’s interesting to me is it sounds like the OPs ended up with strong consensus about key elements. Max Engel from MySpace adding commentary, along with Angus Logan of Microsoft, and now Allen Tom of Yahoo. Consensus = goodness here. Second screen for the signed in state: site name, who you are, what is happending, options, okay/cancel. Same as first screen but simplified. Agreed that canceling just closes the pop-up and returns you to the site. Discussion around how to handle the different states (like cancel). Max chiming in, plus Breno from Google. Unresolved is sign-out implications between the sites. Breno sharing the need for getting RP logos from the web, with simple discovery; upload from the RP to the OP is not scalable. A little bit of back and forth on some corner case questions, but *great* to hear how MySpace, Facebook, Google, Yahoo, and Microsoft emerged from a room all “on the same page”. Facebook, MySpace, and Google “magically converged” on the same width for the ideal popup, says Julie. (450 pixels, I think.) Breno says that there should be a hard requirement that the popup can be re-sized.
Summary of the RP breakout
Luke Shepard from Facebook is sharing the findings. The big question is what to show the user: box vs. buttons vs. smart typeahead. Joseph Smarr from Plaxo chiming in: we have a set of contexts (like Chris Messina talked about before: organic signup, viral signup, return signin, lightweightm download/desktop, mobile, email validation, OAuth-only, prove affiliation, personalization, “connect”). To do these right, we have a wishlist for what we want from the OP (button, email, data access via OAuth/hybrid, discovery of services, is user logged in?, streamlined UX, email to OpenID lookout). Luke is now talking about one of the big concepts/issues: How can an RP? Eric Sachs of Google talked about doing a “third-party cookie system than (opted-in) users could reveal their identity provider. Breno says it’s like DNS. Neutral third-party. Eric had said there’s an existence proof for something similar for advertising systems for compliance with various privacy laws around the world. Joseph talking “RP Verticals” worth exploring for thinking through differing needs and UX approaches (media sites, e-commerce sites, blogs, social sites).