
Yet Another Sign Up (Why Isn't Open ID More Popular By Now?) - Nurdok
http://blog.amir.rachum.com/post/25950218796/yet-another-sign-up
======
StavrosK
It's common knowledge now that OpenID has severe usability problems. As much
as I wanted it to work, none of my apps' visitors (hell, back in 2006) could
understand what it was or how to use it.

BrowserID, however, has now fixed most of these issues, and it's _very_
straightforward to use. To try it out, you can have a look at
<http://www.yourpane.com/>

~~~
razwall
"To log in, just enter your email address below and click the link that we
send you. To log in again, you can save the link and use it directly (you
don't have to request a new one)."

In what world is that more usable than "Click here to login with Google /
Yahoo"?

~~~
callahad
StavrosK has a hybrid auth system -- that's not a part of Persona (née
BrowserID). Which is actually kind of cool -- because we use email addresses
as identifiers, it's really easy to add Persona support alongside traditional
auth mechanisms, and without giving up ownership of your users.

If you want to see a more "pure" Persona implementation, our standard example
site is at <http://123done.org/> (and you can preview the "Persona" redesign
at <http://dev.123done.org/>).

As far as being as easy for first-time users as "Click here to log in with
Google / Yahoo," well, we've got some tricks up our sleeves. Look for a blog
post next month at <http://identity.mozilla.com/> :)

~~~
StavrosK
When are you guys going to add browser support already?!

Also, I love how I can integrate Persona with Django in (quite literally)
three minutes, with _zero_ changes to any existing auth mechanism.

~~~
callahad
Native browser support is slated for Firefox 17, though it'll be disabled by
default for a while, much like with our SPDY support. Of course, native
support in Gecko is a hard requirement for our Boot2Gecko phones, and the
first big code freeze for that is rapidly approaching (mid-August, IIRC?), so
it's absolutely on its way!

------
dredmorbius
And why _wouldn't_ I prefer to have a set of fully independent, unlinked
accounts at different sites?

If I understand correctly, using OpenID means that Site A can confirm that
User X is the same as User X on Site B, using OpenID?

I can see where that's a win for sites A & B. I can also see many instances
where that is _not_ a win for me.

~~~
goodside
If you use the same e-mail address to sign up for both sites, they can already
determine this. The only way to get the anonymity you want is to create new
throwaway accounts for each service. (I realize GMail lets you do things like
+ aliases, but these should be stripped when trying to match up users across
databases.)
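
The address matching goodside describes, as an added example (not code from this thread or from any project named in it): a canonicalisation step of the kind a service runs to recognise two sign-ups as the same mailbox. It shows why a `+alias` buys no unlinkability (it is stripped), while a distinct address on a domain you control, as earl suggests below, carries no syntactic marker a normaliser can remove. The provider lists and the function names are my own constructions for the example.

```python
# Added example: canonicalising e-mail addresses for account de-duplication.
# Lists below are constructed for the example; a deployment keeps its own.

# Providers that deliver "local+tag@domain" to "local@domain".
PLUS_TAG_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com",
                    "hotmail.com", "live.com"}
# Providers that also ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Provider domains that are aliases of one another.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def normalize_email(address: str) -> str:
    """Return a canonical form of an address: trimmed, lower-cased (local
    parts are case-sensitive per RFC 5321, but no major provider treats
    them that way), provider alias domains folded, "+tag" suffixes dropped
    and dots collapsed where the provider ignores them."""
    addr = address.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    domain = DOMAIN_ALIASES.get(domain, domain)
    local = local.lower()
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when both addresses canonicalise to the same mailbox."""
    return normalize_email(a) == normalize_email(b)


def group_by_mailbox(addresses):
    """De-duplication step: group raw sign-up addresses by canonical mailbox.
    Each group with more than one entry is one person with several accounts."""
    groups = {}
    for raw in addresses:
        groups.setdefault(normalize_email(raw), []).append(raw)
    return groups


if __name__ == "__main__":
    # Constructed sample input: two "+tag" aliases of one Gmail account, and two
    # per-service addresses on a self-hosted domain (earl's scheme).
    signups = ["Jane.Doe+shopA@gmail.com", "janedoe+shopB@googlemail.com",
               "shopa@example.org", "shopb@example.org"]
    for mailbox, raws in group_by_mailbox(signups).items():
        print(mailbox, "<-", raws)
```

Running it groups both Gmail variants under `janedoe@gmail.com` while the two `example.org` addresses stay separate, which is the whole difference between the two aliasing schemes discussed in this thread.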

~~~
earl
Or run your own mailserver and hand out email addresses like servicename @
[yourmailserver].com

Everything gets forwarded to the same inbox.

tuffmail.com is awesome and cheap; I'm a happy subscriber.

~~~
StavrosK
I like 33mail.com.

~~~
scoot
or 33m.co for those quick to type throwaways.

~~~
StavrosK
That works? That's awesome, thanks!

------
pisipisipisi
Take this as a few bitter words from a "grumpy OpenID early adopter":

* because the user experience really requires you to have the "nascar effect" of several well-known icons. OpenID could scale horizontally technically but in fact it doesn't work that way. Except for a few providers (like Google) it is not "peer to peer" (many to many) but more like "business to customers" (one to many) relation

* because the "like"-generation beloved blue button talks something else (and is "way more important" than some technical nice thing)

* because it requires putting too many eggs in one basket (one ID to rule them all. And even "the few big ones" are these days hacked without problems)

* because your database of users is your asset (at least in the US). In EU it is more often a liability.

* As this is an asset, nobody wants to _pay_ anything for a secure identity as a TTP service.

* because it forbids "sensible" use on mobile devices (I have a phone and a PC, I would like to link my phone(s) to my services through numbers rather than on-phone cumbersome username or openid hack)

* pairing with a QR code works well for me. It even allows to establish a more meaningful key for further communication (I check the "green bar" of the browser rather than the underlying, semi-anonymous, DNS-depending OpenID)

* because OpenID does not really work for anything other than medium-security _identification_ transport. I hope my bank will never use an OpenID to authenticate anything.

* just try a new service with a throwaway account. Or a throwaway password. Maybe one day people build services which do _not_ require pairing to "something" at all. Or just use the "click-the-link-in-e-mail-or-copy-token" approach.

~~~
Domenic_S
> _because the user experience really requires you to have the "nascar
> effect"_

Seriously. I love SO, but this is one of the scariest log in pages I've ever
seen:
<https://img.skitch.com/20120627-d49s8rqaeu5p5d3dkmn2p26tim.png>

------
dazbradbury
At OpenRent [1], we use the google identity toolkit [2] and whilst it has a
few quirks and bugs, it's been received fairly well by even our non-tech
crowd. It uses email providers as identity providers - and is only as
intrusive as inputting your email into a traditional log in box, just with
much less friction, and without the requirement to remember another password!

I'm surprised it's not seen bigger adoption in the start-up crowd, but I guess
it was slightly more work and isn't quite in-line with the MVP culture.

It also places a reliance on a third party - but in this case I expect good
reliability from Google, and have a fallback option in place (both for
availability, and to support older browsers).

[1] - <http://www.openrent.co.uk>

[2] - <https://developers.google.com/identity-toolkit/>

------
jasoncrawford
"It boggles my mind that this is apparently a big question for techies and, to
me, is a perfect example of the Silicon Valley mindset that doesn't understand
how to build products that real people want to use.

"The short answer is that OpenID is the worst possible 'solution' I have ever
seen in my entire life to a problem that most people don't really have. That's
what's 'wrong' with it."

<http://www.quora.com/OpenID/What-s-wrong-with-OpenID/answer/Yishan-Wong>

The real question is why these guys didn't let you sign up with Facebook.

------
tomschlick
The reason you don't see it mainstream is because for someone like my mom it's
too difficult to understand. She does however understand "Login with
Facebook/Google/Twitter" because it is simple, one click, approve permissions
and done. Anything more is just a hassle for them to remember and they will
fall back to email/password instead.

~~~
izak30
And when you have more than one option, your users will start to make more
than one account for your site.

~~~
tomschlick
Nothing is stopping them from doing that with Username/Password or OpenID. In
fact I would argue that it probably happens more with the username method
because users forget they have an account. With Google/Facebook/Twitter sign-in
they click and that service remembers everything for them and sends it to the
app for authentication.

------
ams6110
There's no way to make everyone happy, but pretty much all the options suck.
Setting up yet another account sucks. OpenID sucks because nobody intuitively
understands it. My login is a URL?? WTF? Facebook/Google/whatever login sucks
because some people don't have it and some people who have it don't trust it.

I don't have any answers.

------
drivebyacct2
BrowserID is another option that I'm rather fond of.

