Pragmatic Designer's Guide to Identity on the Web
by James Reffell
This talk was presented at Webvisions 2010 in Portland, Oregon.
When you're designing for the web, you have to think about identity. This includes the nuts and bolts of login fields and passwords, as well as fancy technologies like Facebook Connect, OAuth, and OpenID.
This talk presents a pragmatic approach to identity on the web, focused on best practices and a reality-based understanding of user behavior.
I'll cover:
* How users really handle accounts and passwords, and what that means for your site.
* Best practices for login/logout.
* Shared accounts, shared computers, and other messy realities.
* What designers need to know about OpenID, OAuth, Facebook Connect, and other identity platforms.
* What might happen next: future-proofing your design without a crystal ball.
This talk will be a series of stories, with some numbers and bold assertions thrown in for later use. I'll start with a simple story, and get to some more complicated ones later.
There will be some time travel involved.
I'm going to leave a lot of room for questions. It'll be up on SlideShare later, with my notes and a lot of links to sources.
BUT FIRST: I'd like a show of hands. Events seem to be busy happening right now. So, audience:
Nitty-gritty on how to build the perfect login box, or a live Facebook chat?
Now I work at a little startup called Usable Security Systems, where I’ve spent the past year or so thinking a lot about authentication and making user accounts and passwords nicer, which relates to this talk.
I'm a designer and I tend to emphasize the user experience and de-emphasize the technology, although there are some technical aspects to this talk which I'll attempt not to screw up.
I wrote this assuming you care about identity because it matters for something you're building, right now or very soon. I think you're also interested in the user experience aspects of identity on the web right now, but maybe a little wary of all the changes that have been happening.
Let's narrow down a little, maybe.
But we can be even more concrete for this talk.
It’s really hard to talk about this topic without turning it into a technical or security talk. I value security too much to be doing the talking -- I work with real security folks, and that’s some tricky stuff.
On the other side, the social implications of identity are huge. We’ll get into some of them, but I wanted to talk about things that are critical even for applications that aren’t primarily social.
Which, as it turns out, a lot of people were using as a way to navigate to Facebook. (This is pretty normal, by the way. Lots of people use search for navigation.)
[Read silly comment]
Silly users, right?
... and then it became an internet meme, and other folks started adding parody comments and a bunch of blog posts got written and it became a Thing, briefly.
Better lesson: many people out there have a much weaker grasp of the concepts we take for granted (URLs, search, websites, browsers, etc.) than we expect. This is hard to keep in mind.
But there’s something else, too.
Those are Facebook pictures. And full names (which I’ve blurred).
Those users ARE logged into Facebook. They succeeded! Just not in the way they expected. Nor do they realize it. But they are, just the same. (Even better, some of them probably already were.)
Now, the fine print has some things to say about connecting and sharing, but really, it looks like a login page. So they log in.
Now, behind the scenes, they really are logged into Facebook. So, in some sense, they succeeded. If they went to Facebook, they wouldn't have to re-enter their information.
People are tricky. So before we get to the time travel, let's talk about how tricky they are.
I'm going to throw some numbers and stories at you.
These numbers come from a Microsoft study of [X number] of homes. They showed that sharing is common, but not universal, and that context of place (where the computer is) and task (long vs. short tasks) both affect sharing.
Most OS's now have profiles that help a little with this, but not everyone uses them and those that do don't use them every time. It's all very fluid.
eBay history -- eBay, of course, has some very large businesses selling on it, and has for some time. But for YEARS, we'd get complaints from account owners, who might have a dozen employees using a single account, and were worried that one disgruntled employee could take down their entire business. I think even now you have to use 3rd party tools to deal with this.
Twitter has a similar situation with its corporate accounts.
But even outside of business this happens. A friend of mine died recently, but his Facebook profile is still active. Two of his friends share his account and post things in his honor.
To be cute, but also to avoid college recruiters, who they are convinced troll FB for information on them during college application season. No idea if they're right or not.
More generally, while FB periodically cracks down on fake-seeming names (sometimes catching real people with fake-sounding names in the process), anecdotally name-changing on FB is pretty common. I think it usually happens after the "adding lots of people" phase is over, and folks can rely on familiarity + the profile picture to let their contacts know who's really there.
I'd estimate I have about a half-dozen partly or totally masked names on my friends list. And I'm old!
But it makes sense ... how many of you guys have more than one twitter account? More than one Gmail account?
Wonderful Microsoft Research paper by Dinei Florencio and Cormac Herley. They had a HUGE sample of user data to work with, using a widely installed toolbar. Here's what they found.
This stuff really matters for security. This isn't a security talk, but this is a pretty big issue for sites. Though not, necessarily, for users ...
He found that in most cases, it is rational for users to ignore many of the most common forms of advice.
E.g.: the cost of phishing vs. the cost of protecting against phishing by studying URLs.
Similarly, a paper from CMU by Aleecia McDonald and Lorrie Cranor said:
"We estimate that reading privacy policies carries costs in time of approximately 201 hours a year, worth about $3,534 annually per American Internet user. Nationally, if Americans were to read online privacy policies word-for-word, we estimate the value of time lost as about $781 billion annually."
It's not so much that they're irrational, it's that their rational behavior is often more complex than the simple boxes our software tries to put them in. So they break out of the boxes, or route around them, or ignore them.
What are norms? The norms I'm talking about are the affordances that people have learned to accept over time. They've formed their expectations around them.
These are kind of like design patterns, except design patterns are on purpose, and these aren't always.
So, norms. Let's take logging into a site. Simple, yes?
(If time, relate SAT story.)
The right, often. I don’t really get putting it in the middle, but some people do that. Top right is a big deal, only things that should be there are sign in, sign up, maybe search and help. So, do this.
Sometimes sites use clear language: “Remember my email on this computer” (which means if you log out or time out, when you log in again the email is filled in -- more common with banks) or “Keep me signed in for X amount of time”. But often they don’t -- they say “Remember me.”
Making the difference clear takes a lot of words, and still folks will get the wrong impression because of the prevalence of both types. And the most common phrasing isn't clear at all. (And this is before, say, Firefox's password manager asks about remembering in a different way.)
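The two things "Remember me" can mean are also two very different things for the site to implement, which is worth seeing in code given the shared-computer stories earlier. The following is an added example, not code from the talk or from any site or product it mentions: a framework-free Python sketch of a login that keeps "remember my email" (a non-secret hint that prefills the field) apart from "keep me signed in" (a long-lived credential that is stored hashed, expires, is HttpOnly, and is revoked on logout). Cookie names, lifetimes and the in-memory store are hypothetical.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Cookie names are hypothetical; the point is what each one carries.
SESSION_COOKIE = "sid"                        # browser-session cookie, no Max-Age
REMEMBERED_EMAIL_COOKIE = "remembered_email"  # a hint only: prefills the field, grants nothing
KEEP_SIGNED_IN_COOKIE = "keep_signed_in"      # a credential: HttpOnly, stored hashed server side

SESSION_TTL = 60 * 60
KEEP_SIGNED_IN_TTL = 14 * 24 * 60 * 60
REMEMBERED_EMAIL_TTL = 365 * 24 * 60 * 60


@dataclass
class Store:
    """In-memory stand-in for the site's session tables (constructed for this example)."""
    sessions: dict = field(default_factory=dict)    # sid -> (email, expires_at)
    persistent: dict = field(default_factory=dict)  # sha256(token) -> (email, expires_at)


def _digest(token: str) -> str:
    # Only a hash is kept, so a copied table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _set_cookie(name, value, max_age=None, http_only=True):
    attrs = [f"{name}={value}", "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    if max_age is not None:
        attrs.append(f"Max-Age={max_age}")
    return "; ".join(attrs)


def login(store, email, remember_email=False, keep_signed_in=False, now=None):
    """Return the Set-Cookie headers for a successful password login."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = (email, now + SESSION_TTL)
    headers = [_set_cookie(SESSION_COOKIE, sid)]
    if remember_email:
        # Long-lived and script-readable, but harmless on a shared machine: it is just the email.
        headers.append(_set_cookie(REMEMBERED_EMAIL_COOKIE, email,
                                   max_age=REMEMBERED_EMAIL_TTL, http_only=False))
    if keep_signed_in:
        # This is the option that keeps a shared computer logged in, so it gets a
        # random token, a hashed server-side record, an expiry, and HttpOnly.
        token = secrets.token_urlsafe(32)
        store.persistent[_digest(token)] = (email, now + KEEP_SIGNED_IN_TTL)
        headers.append(_set_cookie(KEEP_SIGNED_IN_COOKIE, token,
                                   max_age=KEEP_SIGNED_IN_TTL))
    return headers


def current_user(store, cookies, now=None):
    """Resolve a request's cookie jar to an email, or None if nothing valid is presented."""
    now = time.time() if now is None else now
    sid = cookies.get(SESSION_COOKIE)
    if sid in store.sessions:
        email, expires_at = store.sessions[sid]
        if now < expires_at:
            return email
        del store.sessions[sid]          # expired: drop it and fall through
    token = cookies.get(KEEP_SIGNED_IN_COOKIE)
    if token:
        entry = store.persistent.get(_digest(token))
        if entry and now < entry[1]:
            return entry[0]
    return None  # the remembered-email cookie never signs anyone in by itself


def logout(store, cookies):
    """Revoke server-side state and clear credential cookies; the email hint is left alone."""
    store.sessions.pop(cookies.get(SESSION_COOKIE), None)
    token = cookies.get(KEEP_SIGNED_IN_COOKIE)
    if token:
        store.persistent.pop(_digest(token), None)
    return [_set_cookie(SESSION_COOKIE, "", max_age=0),
            _set_cookie(KEEP_SIGNED_IN_COOKIE, "", max_age=0)]


def apply_set_cookies(jar, headers):
    """Constructed stand-in for a browser: apply Set-Cookie headers to a cookie jar."""
    jar = dict(jar)
    for header in headers:
        name, value = header.split(";", 1)[0].split("=", 1)
        if "Max-Age=0" in header:
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar
```

The design point is that the bank-style "remember my email" cookie survives logout and can be read by page script without risk, because it carries nothing the server trusts, while the "keep me signed in" token is the thing that actually keeps a shared computer logged in, so it is the one that must be revocable on the server and must die on logout.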
Of course, there's more to it -- handling errors, forgotten passwords, and signing in. This book is a good guide to a lot of the nitty gritty issues, if you don't already have a copy, get one.
Folks complain that FB connect isn’t open, and isn’t following the dominant protocol (OAuth).
So Facebook launches their Open Graph API, which freaks everybody out.
It’s not really open, but it does use OAuth 2.0. Which can look like this ...
This is called Instant Personalization. And this, along with the “Like button everywhere” reflects Facebook’s newer model.
(I assume mostly comments, not new Typepad blogs).
Let’s talk about how you decide.
Control - do you control the information? (Do you want to? Control has risks!)
Choice - giving choice (and informed consent) to your users is good -- to a point. Overwhelming them with choices they are not equipped to make (due to lack of knowledge or time) is not good.
Communication. Getting the email vs. other paths.
Access. Sometimes you just want a lot of users, and access to their stuff.
Explain about XAuth from Meebo. Trying to kill this particular NASCAR problem. Note that some important stuff happens BEFORE authentication.
You can get a plugin now, but it only slightly works. (Account Manager from Firefox)
I should be able to talk about this unprompted, I’ve been designing it for two years...
Wish I knew what the user experience would be like.
Know your audience -- and unless you’re really sure of them, be conservative and sparing.
In a year, this will all look different. But it’s important.