Live Blogging the OpenID/OAuth UX Summit

From the OpenID/OAuth UX Summit

I’m at Yahoo for the OpenID/OAuth UX Summit. The room is packed with 40 or so folks. Companies with representation include Yahoo, Google, Microsoft, Facebook, MySpace, Plaxo, AOL, SixApart, JanRain, Vidoop,, and Magnolia, and projects including Internet2 and DiSo. The Summit is a response to recent usability studies by Yahoo and Google that show the current state-of-affairs with OpenID and OAuth is quite poor, and we need together to find a user experience for the “open stack” that works for consumers.

I’ll be sharing observations over the course of the day.

First up: Facebook’s Julie Zhuo, sharing experience from Facebook Connect. Idea originated in 2006 with the Facebook API. Initial version didn’t have any flow back to Facebook. Clunkiness of UI. One question for the Facebook Connect UI: How much text is really needed? Showing evolution of the UI to address the fundamental question, “What is Facebook Connect?” Final version includes user’s profile photo (if user is logged in), and thumbnails for both Facebook and the site user wants to connect.

From the OpenID/OAuth UX Summit

Good discussion about what usability revealed, about informed consent and user confusion, and about whether this passes EU privacy laws. (Answer: yes.) Facebook research showed that users had little or no understanding or savvy about phishing and URLs.

By the way, I have to say it — great to see not only is Facebook attending this “open stack” summit, but that they’ve got four people here (including Dave Morin, Josh Elman, and Mike Vernal) and leading the opening session! That’s awesome.

From the OpenID/OAuth UX Summit

Now talking about the Connect Button. First version had tagline “Bring your friends,” but users didn’t know it was a button. Second version said “Register.” Third version said “Connect” and experimented with the user’s profile photo on the button. Final version is just the Facebook “f” and “Connect” or “Connect with Facebook”.

Discussing logout options: unified, per-site, hybrid. Unified is secure, but unintuitive. Per-site is intuitive, but not necessarily secure. Chose unified out of security. Question for the future, if Facebook Connect takes off, may be strange to log out from one site and be instantly logged out of Facebook and all other Connect sites. A good laugh, as Joseph Smarr suggests a slightly more complex alternative. Julie says, “But then you’d make the user have to think.” Joseph’s aside, “That’s spoken like a true mainstream consumer site.” Incredibly active session. Key takeways slide: streamlined login is important. Explain what is going on. Err on the side of security. Flexibility is important.

Next up: Max Engel of MySpace. “The Hybrid Login: OpenID and OAuth.” MySpace will support OpenID, OAuth, and a hybrid of the two. Will use a pop-up iframe. Allows the user to stay in context. Max is showing screens of the experience they are planning. Every MySpace user has a vanity URL, which will be their OpenID. Still trying to figure out whether to support logging with just “”. Key design elements will be similar to Facebook Connect.

Data types: content, address book, registration, profile, friends, activity. Big laugh as Max shows the original OAuth screen, that has so much fine print that it looks like it was designed by a lawyer! Lots of discussion about whether email address should be passed to the site. Why it matters: not just for communicating, but also to avoid duplicate account problem Plaxo has experienced as an OpenID Relying Party and Yahoo OpenID. Chris Messina advancing the idea of email address as OpenID, something under consideration for OpenID 2.1.

Max revisiting that MySpace Data Availability originally was to have zero cacheability of the data, which was not going to fly with anyone. Now planning a “portable profile” plus some cacheable MySpace-specific data. Allen Tom of Yahoo raises the point that the “cacheable” data is all on public pages already, so why not just mark it up with microformats and remove the caching restriction. “If Relying Parties don’t get the data they need, OpenID only creates complexity.” Max just mentioned Portable Contacts in his presentation. Drink!

So many tough questions about complexity and confusion vs. simplicity but lack of clear, informed consent. Good discussion about whether participating sites can use the profile data they pull in to do targeting (including ad targeting). Facebook team says that they allow the site to use the data for targeting on the site, but not to redistribute the data (to an ad network, for example). Makes sense.

Max says that the sell to major websites is much stronger for combination of OpenID, OAuth, XRDS-Simple, Portable Contacts, and OpenSocial. Question from the back of the room, “What do you call all of that?” Answer popping up from Max, Joseph, Chris Messina, and me, “The ‘Open Stack’!”

Rising chorus for coming together to develop a common UI spec for OpenID. A call for five volunteers. Hands raised include Chris Messina (Vidoop), Joseph Smarr (Plaxo), Eric Sachs (Google), Max Engel (MySpace), and, drumroll, Julie Zhuo (Facebook). That’s great!


Next up: Allen Tom of Yahoo. Over 300 million users have an OpenID from Yahoo. Question shouted, “How many have used it?” Answer: “It has exceeded our expectations.” 😉 But, yes, we’re all here because we know we need to improve the user exerience.

Launched BBAuth in 2006. Showing “Find Friends” on Facebook and LinkedIn, using BBAuth. BBAuth and OAuth is to grant long-lived credentials to third-party sites. “Cannot allow weaker credentials to be used to mint stronger credentials.” Talking about various security considerations. Login screen must never be framed. Anti-phishing sign-in seal must always be displayed.

Allen now showing the “scary screen” which users are shown to approve access via BBAuth. *Lots* of small print legaleze. “Based on the feedback on BBAuth, we changed our approach on OAuth, which is what we’ll be using going forward.” Now, been spending a lot of time looking at and talking through the OAuth permissions screen.

Allen now showing and talking about Yahoo’s implementation of OpenID. It is *much* improved over the version they went out the door with (shrinking 14 steps to two). Allen shares that “machine-generated” OpenID URLs have proven *way* more popular than user-selected. Surprised reactions.

Talking now about Plaxo’s experience as an OpenID Relying Party. The business rationale, the philosophical view, and the admission that OpenID experience is not yet today a clear net positive to the key metrics. But Plaxo remains optimistic that the situation can improve dramatically with what’s being discussed here today.

Next up, Magnolia’s Larry Halfft. They’ve used OpenID as a key part of their strategy to reduce spam accounts and have been generally pleased with the results.

Now, Eric Sachs of Google, who just showed what I think is the first public demo of Google as an OpenID Provider. Giving context: SaaS vendors get asked to be a SAML RP for enterprise IDPs. In parallel, Google Checkout folks had questions/issues with login. Giving examples of login on and, as an inspiration for a new/better? login experience for OpenID/OAuth. Now the challenge of desktop apps and OAuth. Seems like “No, help me sign in” is the key verbiage of this new “LSO” login model Eric is advocating. Now Google Accounts vs. accounts for Google AppsForYourDomain. Downside to this LSO login approach is that it does not work well for IDPs who are not email providers.

Lots of good-natured joking as we try to do a demo, that requires a Windows computer with .Net and IE as the default browser. Not easy to find in this crowd!

It’s 3:00pm. We’ve now finished the formal agenda and are discussing how folks would like to organize the last two hours.

It’s almost 4:00pm. Joseph Smarr of Plaxo is demoing the “Open Stack” end-to-end stuff that was developed by JanRain for the Portable Contacts Summit. OpenID, OAuth, XRDS-Simple, and Portable Contacts working together to enable simple and secure sign-up with access to user’s profile and address book. Good discussion underway. Joseph now explaining XRDS-Simple and answering a lot of questions.

Joseph Smarr demoing the "Open Stack"

Chris Messina now leading a discussion about the proposal to extend the OpenID spec to allow email addresses as OpenIDs. Mike Jones of Microsoft asserts this creates a major security vulnerability. Discussion underway.

Some discussion of how to handle if the Provider site is down. Mike Vernal of Facebook responding to that question vis-a-vis Facebook Connect. Good response.

5:15. That’s a wrap. What a great day. The UX working group got a bit larger at the end, which is good. Eager to see what they come up with!

Tagged , , , , , , ,

31 thoughts on “Live Blogging the OpenID/OAuth UX Summit

  1. Great post. Thanks for sharing

  2. That would have been me at the back of the room calling “what do you call that”.

    But I don’t like the answer I got. “The Open Stack” might also stand for, say, Ethernet plus TCP/IP. Or OpenOffice on Linux. It is not descriptive enough.

  3. Thanks for the post John – wish I was there too. Really great to see the FB guys participating in the Identity open space. Looking forward to seeing more information coming out in emails and blogs about the things that everyone agreed on and about what’s next.

  4. therealmccrea says:

    Johannes, Sorry the answer was not satisfying. With all things like this, the market will decide. My bet, as one of the few marketers in the room, is that “open stack” has staying power.

    Praveen and Edwin, you are welcome. Yes, let’s all hope that the next steps move the ball forward!

  5. […] John McCrea has the play by play if you’re wanting to read more about what happened during the day, but I’m excited to see the sheer number of people and companies from various backgrounds (even those who compete with one another) collectively working to help improve OpenID and build a better Web. […]

  6. Great post, I feel I’m there. As a site owner, removing the barrier to entry (registration) is a big deal.

    We just launched Facebook Connect on Govit. Check it out at

    We like it for 3 reasons

    1) Easy to create account and sign in
    2) You can publish actions you take on govit to your facebook feeds
    3) You can invite and connect with your FB friends on Govit

    To early to give numbers for it’s success, but so far I like the FB Connect experience.

  7. etoychest says:

    Great post, it’s always interesting to read these sorts of liveblogs to see the perspectives of those in attendance.

    I am curious regarding the “major security vulnerability” concerns voiced Microsoft re: the potential use of email addresses as OpenIDs.

    Much of the discussion we’ve had at Vidoop points to this to be a major potential win for the adoption of OpenID, but as I mentioned, it’s valuable to see the impact from another perspective.

    And of course I’d be interested in hearing others’ thoughts as well.

  8. […] the historic summit was adjourned. For those who want a little more detail, see my post, “Live Blogging the OpenID/OAuth UX Summit.” CrunchBase Information Facebook OpenID Foundation Information provided by CrunchBase […]

  9. […] 5:00, the historic summit was adjourned. For those who want a little more detail, see my post, “Live Blogging the OpenID/OAuth UX Summit.” Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]

  10. […] 5:00, the historic summit was adjourned. For those who want a little more detail, see my post, “Live Blogging the OpenID/OAuth UX Summit.” Share and Enjoy: These icons link to social bookmarking sites where readers can share and […]

  11. Luke Shepard says:

    Thanks for the play-by-play John! Wish I could have been there.

  12. Indeed, thanks for sharing this.. Too bad all these events are always so far away.

    Is there a place where this conversation is ongoing after the summit?

  13. […] make it to one of these events, please say hi or come introduce yourself. After last week’s OpenID UX Summit, this is shaping up to be a very exciting span of several weeks for those of us who work on web […]

  14. Thanks for the post – most useful.

  15. […] The OpenID UX Summit Facebook Connect vs. OpenID Open Grid Protocol alternative Open Grid Protocol German podcast about the open web […]

  16. […] other large providers, including Yahoo and AOL. And more are on the way, based on who attended the OpenID UX Summit last week (and what they said and demoed […]

  17. Brian Kissel says:

    Excellent post John. I’ve shared some additional thoughts on the six OpenID user experience approaches that are in production or being considered. Would welcome feedback from readers on the pros & cons of each, or other recommendations for enhancement to the OpenID user experience:

  18. […] Jan Rain hast posted results to 6 general UX approaches for OpenID from the Open User Experience (UX) Summit. […]

  19. […] to have materialised yet (Twitter seem to have got rid of their experimental one). There was an OpenID / OAuth summit a few weeks […]

  20. […] OpenID has been a source of confusion and an impediment to broader adoption. That gave rise to an OpenID UX Summit a few weeks ago, hosted by Yahoo and attended by Google, Microsoft, MySpace, AOL, Plaxo, Facebook […]

  21. […] which they published for everyone to benefit from (they even went a step further by hosting an OpenID UX Summit on their campus). And Yahoo! is eating their own dogfood–they also recently streamlined and […]

  22. Never will understand why people *still* think OpenID needs to be “extended” to support email addresses when it *already* supports email addresses.

    Try entering a email address into any OpenID2 login form. Bam.

  23. […] team as slowing down their adoption of OAuth, but it seems to me that there’s been an open opportunity to engage with the OAuth and OpenID communities to address these issues, especially as they are at […]

  24. […] OpenID has been a source of confusion and an impediment to broader adoption. That gave rise to an OpenID UX Summit a few weeks ago, hosted by Yahoo and attended by Google, Microsoft, MySpace, AOL, Plaxo, Facebook […]

  25. […] OpenID has been a source of confusion and an impediment to broader adoption. That gave rise to an OpenID UX Summit a few weeks ago, hosted by Yahoo and attended by Google, Microsoft, MySpace, AOL, Plaxo, Facebook […]

  26. […] After all, Facebook has been getting more and more involved in the open community, attending the OpenID UX Summit last Fall and the Activity Streams meetup a few weeks ago. And Luke Shepard, from the Facebook […]

  27. […] participants in OpenID efforts. One of our user experience experts, Julie Zhuo, presented at the UX Summit in October. Several of our engineers have been participating in meetups, and one of them ran as a […]

  28. A Curtis says:

    itching to learn more as time is flying by to fast

  29. […] at the Content Provider Advisory Committee as well as the past User Experience Summits hosted at Yahoo! and […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: