OpenID Critical Issues: User Experience (part one)
Where We Agree ...
Current Directed Identity UI implementations do not scale.
Directed Identity lets users specify an OpenID Provider (OP) as their OpenID URI without having to specify their actual OpenID URI upfront (i.e., using "myspace.com" instead of "myspace.com/{user}"). This is a really great idea, but it has led to a user-friendly yet unscalable UI trend: provider buttons.
The web has already seen this concept with content sharing through third-party services. There are hundreds of services that users can share content through. The explosion of these sharing-capable services has led to ad-hoc interface "solutions" which ultimately aren't very usable and don't necessarily provide the user with tools that are relevant to their needs. Ironically, user-centric identity has the ability to resolve this issue for content sharing services. Unfortunately, the dilemma is shifted from one type of service to another which could further introduce confusion. I have already witnessed a case where a user was told they could login via Facebook Connect and mistakenly clicked on a "Share with Facebook" link because they saw the Facebook icon.
The bad news is there may be no direct solution to this problem. The good news is there may be indirect solutions by educating the user about OpenID, better introductory UX, and bringing identity to the browser (which I will elaborate on in future articles).
The UX needs a consistent look-and-feel and functional flow.
Modern web design philosophy dictates that a unique and memorable experience is highly desirable. Purple, Rock, Scissors employs this philosophy religiously through various look-and-feels. The important concept to grasp here is that the OpenID UX is an abstract idea just as headers, site navigation, and footers are abstract ideas. They may appear different and there may be radically experimental iterations of these ideas, but overall they follow the same principles (header is at the top and should contain the site name, site navigation should be available to every page and accurately depict page hierarchy, footers should contain extraneous information pertinent to the site).
Since OpenID (and other user-centric identity systems) is going to be a brand new concept to most users, innovation in look-and-feel should be kept to a minimum; otherwise it will impede user acclimation rates. Fortunately, there seems to be a lot of agreement on this within the community.
There are three areas within this space that need agreement: Login, Action Prompts, and Logout. The login look-and-feel is currently pathetic and wildly inconsistent. Action Prompts are any point at which the user is paused during the functional flow to make a decision, and I have yet to see a single provider faithfully communicate to the user exactly what is going on. I'm well versed in user-centric identity and even I felt unsure exactly when I was about to share information from one domain to another (such as the portable contacts flow with Google). Typography and design elements must be bold and clear to ensure the user knows they are about to open their identity information up to a third party. Logout has yet to be a focus of UX discussions, but there is disagreement on what "Logout" should mean. Does it mean logout of this site or does it mean logout of all sites? Whatever the answer may be, this information needs to be clearly communicated to the user.
These concepts may seem very basic, and they are, but you would be surprised just how much variable room exists even within these basics. This aspect of OpenID is very, very important and must be consistent across domains!
Where We Disagree ...
I believe pop-ups are dangerous and intrusive.
Facebook Connect has provided the OpenID community with a fairly solid model for how to improve the UX. There are many things I absolutely love about the Facebook Connect UX. Unfortunately, the Facebook Connect UX was invented under assumptions that do not apply to OpenID and the community needs to carefully consider what those differences may be.
Modal dialogs are XHTML+CSS overlays that appear, stylistically, as windows on top of page content. When the user is presented a modal dialog, they are under the correct assumption that they are still dealing with the same site. The OpenID community is intending to recommend both modal dialogs and pop-up windows. This is dangerous behavior! Pop-ups are even suggested to take on a similar size and shape as their modal counterparts, which makes things even worse! A little CSS trickery can duplicate the pop-up window effect. We all know this; it's already used by spammers to trick users. Why are we considering something even remotely similar to how websites trick users?
The OpenID community puzzles me on this issue. On the one hand, there is extreme pessimism toward the standard user's ability to comprehend what OpenID is all about. On the other hand, they are suggesting we employ a tactic traditionally used by malicious and fraudulent phishing sites to trick standard users into providing credentials when they should not! We can't have it both ways. Confusion will be our fault if we go forward with this idea. As a side note, I would also like to point out that the pop-up approach is usually not very good for mobile devices, but I'll save that conversation for when I address identity in the browser in a later post.
My recommendation is to present the user with modal dialogs only. If the user needs to be redirected to their provider for any reason, the user should be informed of this requirement and then either given a link or automatically redirected after a countdown. The link can open a new window if desired (which in my browser would open a new tab, far less intrusive than a pop-up). This will further encourage smart behavior on the user's part: never supply credentials unless they are confident they are on their provider's site.
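As an added example (not code from the original post or from any provider it mentions), here is one way a relying party could implement the recommendation above in the browser: a modal overlay rather than a pop-up, which names the exact host the user is about to be sent to, refuses to redirect anywhere that is not an https:// URL, counts down, and then navigates in the same window or lets the user open the provider in a new tab via a noopener link. The OP endpoint used in the usage call is a constructed placeholder, the function names are my own, and the DOM work is confined to `renderNotice()` so the decision logic runs outside a browser.

```javascript
// Decide whether an OP endpoint is safe to send the user to, and produce the
// text shown in the dialog. Returns { ok, host, message } for https URLs and
// { ok: false, reason } otherwise. Bare domains such as "myspace.com" are
// rejected here because they are not absolute URLs; discovery must resolve
// them to a concrete https endpoint before the user is redirected.
function describeRedirect(opEndpoint) {
  let url;
  try {
    url = new URL(opEndpoint);
  } catch (e) {
    return { ok: false, reason: 'endpoint is not an absolute URL' };
  }
  // Only a TLS-protected provider page may receive the user's credentials;
  // this also blocks javascript: and data: targets.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `refusing non-https scheme ${url.protocol}` };
  }
  // Show the host exactly as the address bar will display it, so the user
  // can compare the two once they land on the provider.
  return {
    ok: true,
    host: url.host,
    message: `You are about to leave this site and sign in at ${url.host}. ` +
             `Enter your password only if the address bar shows ${url.host}.`,
  };
}

// Count down from `seconds`, calling onTick(remaining) once per second and
// onNavigate() when it reaches zero. Timer functions are injected so the
// countdown can be driven by a fake clock; returns a cancel function for the
// dialog's "Stay here" button.
function scheduleRedirect(seconds, { onTick, onNavigate,
                                     setTimeoutFn = setTimeout,
                                     clearTimeoutFn = clearTimeout }) {
  let remaining = seconds;
  let handle = null;
  const step = () => {
    onTick(remaining);
    if (remaining === 0) { onNavigate(); return; }
    remaining -= 1;
    handle = setTimeoutFn(step, 1000);
  };
  step();
  return () => { if (handle !== null) clearTimeoutFn(handle); };
}

// Browser-only: build the overlay on top of the relying party's page. The
// user stays on the RP's origin until the countdown ends or they click the
// link, and the new-tab link uses noopener so the provider tab cannot reach
// back into this page.
function renderNotice(opEndpoint, seconds = 5) {
  const info = describeRedirect(opEndpoint);
  if (!info.ok) throw new Error(info.reason);
  const overlay = document.createElement('div');
  overlay.setAttribute('role', 'dialog');
  overlay.setAttribute('aria-modal', 'true');
  const text = document.createElement('p');
  text.textContent = info.message;
  const count = document.createElement('p');
  const link = document.createElement('a');
  link.href = opEndpoint;
  link.target = '_blank';
  link.rel = 'noopener noreferrer';
  link.textContent = `Continue to ${info.host} now`;
  const stay = document.createElement('button');
  stay.textContent = 'Stay here';
  overlay.append(text, count, link, stay);
  document.body.appendChild(overlay);
  const cancel = scheduleRedirect(seconds, {
    onTick: (n) => { count.textContent = `Redirecting in ${n}s`; },
    onNavigate: () => { window.location.assign(opEndpoint); },
  });
  stay.addEventListener('click', () => { cancel(); overlay.remove(); });
  return overlay;
}

// Usage in a page (placeholder endpoint, constructed for this example):
// renderNotice('https://op.example.invalid/openid/auth', 5);
```

The countdown and the URL check are separate from the DOM so the phishing-relevant decision (where the user is being sent, and whether that destination is an https origin the dialog can name) is made once and displayed verbatim, rather than being buried in the markup of a pop-up that a hostile page could imitate.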
I believe OpenID should NOT be hidden from the user.
We have what can be called a good problem. Directed identity for popular brands has been proven to work with impressive click-through rates. This revelation has inspired a lot of people to suggest OpenID should be pushed to the background. Even though I disagree with this, I do want to concede for a moment that all the arguments are very sound and follow good reasoning.
The problem I really have with this is that it is a missed opportunity. Researchers have discovered that displaying a popular brand on a button that says, "Use {brand} to login!" has been very well received by users. I'm not sure why this comes as a surprise. People have built an affinity with popular brands. They naturally gravitate towards what is familiar. We are passing up a perfect opportunity to use popular brands as a means to bootstrap the OpenID brand into familiarity.
The following brands are identity providers and this is how I would say I relate to them:
- Google means search.
- Yahoo! means web portal.
- MySpace means social network.
- AOL means chat room (sorry, AOL).
None of these brands mean "login", and the closest brand that comes to "identity" is probably MySpace. OpenID, however, can easily mean "login" to users. By always displaying the OpenID brand to users regardless of how they login, they will eventually learn to associate that brand with login mechanisms. Why is this mental association important? Because it means eventually the OpenID brand can stand on its own. Don't see "Google" up there? No worries, you can type what you don't see into this box that you've come to know as a login mechanism.
I do not fault relying parties on this as much as I fault identity providers. In my opinion, it is the identity provider's responsibility to let users know they have an OpenID. Create a standardized design, like a driver's-license-style box with an OpenID logo and their URI in it. Display it prominently on their account page or profile page. They don't even need to immediately understand what OpenID is. Simply showing them something they feel they own (their URI) alongside the brand (the logo and the term "OpenID") will start to build an association in their mind. This is important.
Most of the counter arguments to this will, in one form or another, be built upon an embedded pessimism toward users that I do not share. Sometimes talking to technical people leaves me with the impression that standard users probably put corks on their steak knives so they don't mistakenly jab themselves in the eye when they're hungry. Let's give people the benefit of the doubt. E-mail addresses and URLs are geeky too, remember? Typing "blah dot something dot com slash doodah dot wut" is not a natural human impulse, but apparently a lot of us have figured out how to do that.
This is not the part of my post where I go on to explain how I caught my Mom copying and pasting an SQL injection attack on a website because it allowed her to force people to add her as a friend (although it's a great story and I really, really want to). That's not the point. This is geeky stuff. I'm just saying, it is possible to make OpenID easy to understand without having to hide it under a rock. Make the UX clean, clear, and include no surprises and people will adopt it.
Comments
Allen Tom (not verified) says:
Published on Apr 16, 2009 @ 13:40pm
The "modal" lightbox UI that you recommend is already being used, with a lot of success, by JanRain's RPX service. The user selects their identity provider, and then is informed that they're about to be redirected to their OP to complete the authentication process.
The drawback to redirecting the entire browser window away to the OP is that there's no guarantee that the user will return to the RP, and that the loss of context is very jarring to the end user. All identity providers have received overwhelming feedback from RPs that the redirect is extremely undesirable, and that the authentication UI must preserve the context of the RP's site. To date, the only solution that I'm aware of that balances the need to preserve the context, and to prevent phishing is the popup UI, which was first pioneered by Facebook Connect.
Support for Mobile devices is very important, and the OpenID Popup demoed by Google at the recent UX summit appears to have a good UX on mobile devices like the iPhone.
When Yahoo launched our OpenID Provider more than a year ago, we showed all Yahoo users an OpenID Tutorial the first time they used their OpenID, complete with OpenID Logos and instructing users to enter "yahoo.com" when they see the OpenID textbox. Unfortunately, this caused an abysmal failure rate for OpenID signins, so we updated the service to streamline our OpenID service with the primary focus of getting the user to successfully complete the sign in flow.
I'd also like to point out that while the term "OpenID" sounds really appealing to web folks and advocates of user-centric identity, it actually sounds very scary to mainstream users who are concerned about privacy. I personally believe that OpenID is a great brand to market to web developers and site owners, but probably not to end users.
Luke Shepard (not verified) says:
Published on Apr 16, 2009 @ 16:47pm
> Current Directed Identity UI implementations do not scale.
I agree here. The user experience for the relying party is one of the top priorities for the OpenID foundation right now. We have just created a working group focused on user experience, which you would be welcome to join if you’re interested.
I also wrote a post the other day with a suggestion for a change to the spec - maybe check it out:
http://www.sociallipstick.com/2009/04/15/lets-detect-logged-in-state/
> there is disagreement on what “Logout” should mean. Does it mean logout of this site or does it mean logout of all sites?
Also a really great point. I think ultimately we want to go for a single-sign-in, single-sign-out concept where you just “log into the web” and “log out of the web”, which implies that logging out of one logs you out of all. However, there are many mixed opinions on this issue.
> I believe pop-ups are dangerous and intrusive.
> When the user is presented a modal dialog, they are under the correct assumption that they are still dealing with the same site. ... This is dangerous behavior! Pop-ups are even suggested to
> take on a similar size and shape as their modal counterparts which makes things even worse! A little CSS-trickery can duplicate the pop-up window effect. We all know this, it’s already used
> by spammers to trick users. Why are we considering something even remotely similar to how websites trick users?
I agree with what Allen said. The truth is that techies are notoriously pretty bad at guessing what users will want. It's not clear that most users assume they are still dealing with the same site, or that they understand what that means.
The way forward here is to experiment, test, collect data, and share. Relying Parties are incented to get users, and Providers are incented to become dominant providers. So within those contexts, the players that create the best interfaces will win. The fact is that despite concerns from engineers (including myself), the current Facebook interface has proved the best one on the web. It has been requested that OPs offer it, so it makes sense for them to do so.
If you believe that users have certain assumptions, then let's test it! Bring some users into a UX studio and ask them to try it. A/B test on a live relying party and see which approach gets more clickthrough. Then let's publish and go with the approach that gets the most results.
P.S. your tab order from "Name" to "Mail" is out of whack.