In September/October both Google and Yahoo posted some Usability Research on Federated Login:
at OpenID Foundation on September 18, 2008
Both companies have been asked for suggestions on how to merge the feedback from these two sets of research. Here is one way to merge the set of conclusions:
Based on the test Yahoo & Gmail have done earlier in the year, we
already both believe that any "login" buttons have to include the brand
of the IDP and must be right next to the login box. That does not scale, nor does it promote the OpenID technology brand, so far that we use the other features in this lsit.
For RPs who currently use E-mail
based logins, they can maximize adoption by using either the Google or
Yahoo UX suggestions along with education/re-education screens.
However this requires that the Google/Yahoo IDP also verifies the
The Google UX option will enable RPs to
trust the most IDPs, but the Yahoo UX suggestion will make the process
the simplest for users of the few IDPs that are listed below the login
box. So the best solution may be for RPs to combine our two UX
suggestions by using the Google UX for the login box, but still include
buttons for a very small number of IDPs under the login box. Note that even if the RP displays buttons, users do not tend to notice them, however the Google UX option allows the RP to promote the federated login option, and if the user chose an IDP who has a button on the RP webpage, then the RP can tell users that they can use the button in the future.
From the data we have gathered, buttons work best if they are (1) just
below the login box (either the password or sign-in button), (2)
contain the full name of the E-mail provider (not just logo), and (3)
the set of buttons is no wider then the login box. That generally
means a max of 2 buttons for a regular username/password login box, and
a max of 3 buttons for the buy.com
style login box Google suggests. For example, the RP might show buttons for the 2-3 biggest social networks in their country. One of those buttons could be an OpenID branded button if the RP was okay with the usability of that approach, and the fact that most IDPs will not be able to provide an E-mail address for which that IDP is authoratative.
An RP can use one-off protocols for a few big IDPs (like @hotmail.com
), but OpenID is a good fit for RPs that want to support a large number of IDPs
research we publicized.
After reading the details of Yahoo's research, I realized that this old study was half-way between the suggested UX of Google and Yahoo's published reports. The only difference between this old study and Google's suggested UI is that we changed the login box to the new style described in our research. However that technique still uses an education/re-education screen, and it had the same % of users who forgot the education the first time. That technique also uses the idea of prompting existing yahoo/gmail users to "upgrade" to federated login, as well as looking for new accounts that users try to create for yahoo/gmail addresses, and redirect them to the federated login flow. So the list of conclusions above suggests how these different user studies could be merged.
Product Manager, Google Security