Pragmatic Designer's Guide to Identity on the Web
This talk was presented at Webvisions 2010 in Portland, Oregon.

When you're designing for the web, you have to think about identity. This includes the nuts and bolts of login fields and passwords, as well as fancy technologies like Facebook Connect, OAuth, and OpenID.

This talk presents a pragmatic approach to identity on the web, focused on best practices and a reality-based understanding of user behavior.

I'll cover:
* How users really handle accounts and passwords, and what that means for your site.
* Best practices for login/logout.
* Shared accounts, shared computers, and other messy realities.
* What designers need to know about OpenID, OAuth, Facebook Connect, and other identity platforms.
* What might happen next: future-proofing your design without a crystal ball.

Published in: Design


  1. Pragmatic Designer’s Guide to Identity
  2. Introductions. A fable. People (are tricky). Past. Present. Future.
  3. Introduction
  4. Usable Security Systems
  5. YOU?
  6. Identity
  7. Identifiers
  8. Logging in to stuff. Being logged in to stuff. Logging out of stuff.
  9. Scylla (Security & technical stuff). Charybdis (Social stuff). Odysseus (This talk).
  10. Fable
  11. “Facebook wants to be your one true login.”
  12. So what?
  13. Fuzzy logging in (make fuzzy)
  14. People are tricky.
  15. They share computers. 95% had at least one shared computer; 45% of computers were shared (35% single profile / 28% shared profile / 38% mixed). Public vs. private areas. Short tasks vs. long tasks.
  16. They share accounts.
  17. They make up names. “At the Fieldston School in the Bronx, a class on Tolstoy resulted in some students adding Russian patronymics like -ovich and -ovna to their names.” - NY Times
  18. They have multiple accounts. 38% of Twitter users have 2+ accounts.
  19. They reuse passwords. The average user has ~25 password-protected accounts, types ~8 distinct passwords per day, and uses each password on ~6 different sites. Password strength and reuse are correlated.
  20. They ignore security advice. (Rationally.) Estimated cost of phishing: $90 million. Estimated cost of following anti-phishing advice: $15.9 billion. Opportunity cost of reading all privacy policies: $781 billion / year.
  21. The past
  22. Login UI. Username or email address? How do you navigate to the login? Where is the login in the site? How is it laid out on the page? What UI elements do you need to include? Sign in or log in? (Or login or log on?)
  23. Usernames vs. email addresses (vs. real names). What you log in with isn’t necessarily what you display to the user or to other users. Usernames can be pseudonyms, which can be good and bad. Usernames are more easily forgotten; email addresses are more easily lost. Most systems only support one username, but many support multiple email addresses. The bigger you are, the bigger the namespace collision problem. With email addresses, it’s somebody else’s problem. Over time, most systems end up with usernames and email addresses (and real names and pictures).
  24. Almost a Security Slide. Login on the home page vs. login on every page vs. login on a special page. Sadly, an operations vs. security vs. usability tradeoff. Banks pick every page, as all of their pages are HTTPS anyway. Most other sites pick a special page. Some have HTTPS forms but not HTTPS pages ...
  25. I know what this means. And what this means. But what does this do?
  26. No checkbox!
  27. (Bar chart; the slide text is not recoverable from the extracted axis labels.)
  28. Present
  29. An Irreverent History of Authentication Weirdness. 1. First, there was OpenID, which was a funny way to log in with URLs. (Almost) no one used it. 2. Then came mashups, and sites started asking for other sites’ passwords. This Was Bad. 3. Then came OAuth ...
  30. Authentication Options. The old-fashioned way. “Logging in” via another service. Implicitly being “logged in” via another service. Combinations. Multiple options.
  31. Control. Choice (and the paradox of). Communication. Access.
  32. Future
  33. “‘Identity’ is an intimate and often contentious topic. One common refrain that interviewees mentioned was that people who maintained multiple online ‘identities’ primarily used them for deviant purposes. These initial assumptions of deviance did not match my own findings... Not only do people have multiple identities for different public and private spheres, but they may also conduct a substantial portion of their interactions, online as well as offline, in different spheres. The combinations of public, private, online, and offline are often intermixed.” - Ben Gross, Online Identifiers in Everyday Life
  34. conclusions
  35. questions? James Reffell, @jreffell, designcult.org, james.reffell@gmail.com
  36. References
      Identity in general:
      - Online Identifiers in Everyday Life (forthcoming), Ben Gross (http://bengross.com/)
      ReadWriteWeb story:
      - Facebook Wants to be Your One True Login, ReadWriteWeb (http://www.readwriteweb.com/archives/facebook_wants_to_be_your_one_true_login.php)
      People are tricky:
      - An Online Alias Keeps Colleges Off Their Trail, NY Times (http://www.nytimes.com/2010/04/25/fashion/25Noticed.html)
      - A Large-Scale Study of Web Password Habits, Dinei Florencio & Cormac Herley (http://research.microsoft.com/apps/pubs/?id=74164)
      - So Long, And No Thanks for all the Externalities: the Rational Rejection of Security Advice by Users, Cormac Herley (http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf)
      - The Cost of Reading Privacy Policies, Aleecia M. McDonald & Lorrie Faith Cranor, I/S: A Journal of Law and Policy for the Information Society, 2008 Privacy Year in Review (http://www.is-journal.org/)
      - How Many Twitter Accounts Do You Have? TechCrunch (http://techcrunch.com/2008/01/09/how-many-twitter-accounts-do-you-have/)
      - Family Accounts: A new paradigm for user accounts within the home environment, Serge Egelman, A.J. Brush, and Kori Inkpen (http://research.microsoft.com/apps/pubs/?id=74234)
  37. References (continued)
      Past:
      - Web Form Design: Filling in the Blanks, Luke Wroblewski (http://www.rosenfeldmedia.com/books/webforms/)
      - Designing for Social Traction, Joshua Porter (http://bokardo.com/archives/designing-for-social-traction-slide-deck/)
      Present:
      - Data Reveals Trends Among Social Media, JanRain (http://blog.janrain.com/2010/04/data-reveals-trends-among-social-media.html)
      - Log in or sign up with OpenID, Leah Culver (http://blog.leahculver.com/2009/11/log-in-or-sign-up-with-openid.html)
      Future:
      - Meebo pushes xAuth.org as solution to social network toolbar clutter problem, Scobleizer (http://www.youtube.com/watch?v=-UjXswWs7xg)
      - Facebook and Radical Transparency (a rant), danah boyd (http://www.zephoria.org/thoughts/archives/2010/05/14/facebook-and-radical-transparency-a-rant.html)
      - Identity in the Browser (Firefox), Aza Raskin (http://www.azarask.in/blog/post/identity-in-the-browser-firefox/)
      - Account Manager Coming to Firefox, Mozilla (http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/)
      - OpenID Connect (http://openidconnect.com/)
  38. Creative Commons Credits
      - phil.d: http://www.flickr.com/photos/phill_dvsn/393952186/
      - Joe Shlabotnik: http://www.flickr.com/photos/joeshlabotnik/305410323/
      - NicksNotToShabby: http://www.flickr.com/photos/nicksnottoshabby/4558725627/
      - ryancr: http://www.flickr.com/photos/ryanr/142455033/
      - Jaume d'Urgell: http://www.flickr.com/photos/jaumedurgell/740880616/
      - Roger Smith: http://www.flickr.com/photos/rogersmith/3478145163/
      - bandita: http://www.flickr.com/photos/cosmic_bandita/2218419160/
      - Kansas Sebastian: http://www.flickr.com/photos/kansas_sebastian/4395356552/
      - jasohill: http://www.flickr.com/photos/jasohill/3711675312/
      - c@rljones: http://www.flickr.com/photos/_belial/414619731/
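Slide 23 makes a data-model point that is easy to get wrong in code: the identifier a person types to log in (a username, or any of several email addresses on the account) is separate from what is displayed, and lookups have to normalize what was typed so that differently-cased or Unicode-variant spellings resolve to the same account rather than colliding or silently creating a second one. The following is an added example written for this page, not code from the talk; the `Account`, `AccountDirectory` and normalization rules are assumptions for illustration, and all names and addresses are constructed.

```python
"""Resolving a typed login identifier to an account (added example).

Models slide 23: login identifier != display name, several email
addresses may map to one account, and lookups normalize input.
Everything here is constructed for illustration.
"""
from dataclasses import dataclass, field
import unicodedata


@dataclass
class Account:
    account_id: int
    username: str                                # unique pseudonym, usable for login
    display_name: str                            # shown to others; never used for login
    emails: list = field(default_factory=list)   # any of these may be used for login


def normalize_username(raw: str) -> str:
    # Unicode-normalize and case-fold so look-alike spellings collide at
    # registration instead of quietly becoming two "different" accounts.
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def normalize_email(raw: str) -> str:
    # Domains are case-insensitive. The local part is case-sensitive per
    # RFC 5321, but providers treat it as insensitive in practice, so this
    # example (by assumption) folds the whole address.
    addr = unicodedata.normalize("NFKC", raw).strip()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError("not an email address")
    local, domain = addr.split("@")
    return f"{local.casefold()}@{domain.casefold()}"


class AccountDirectory:
    def __init__(self):
        self._by_username = {}   # normalized username -> account_id
        self._by_email = {}      # normalized email    -> account_id
        self._accounts = {}      # account_id          -> Account

    def register(self, account: Account) -> Account:
        uname = normalize_username(account.username)
        if uname in self._by_username:
            raise ValueError(f"username taken: {account.username!r}")
        # Validate every email before writing, so a failed registration
        # leaves no half-registered account behind.
        normalized = [normalize_email(e) for e in account.emails]
        for e in normalized:
            if e in self._by_email:
                raise ValueError(f"email already on an account: {e}")
        self._by_username[uname] = account.account_id
        for e in normalized:
            self._by_email[e] = account.account_id
        self._accounts[account.account_id] = account
        return account

    def resolve_login(self, identifier: str):
        """Return the Account for whatever the user typed, or None."""
        if "@" in identifier:
            try:
                key = normalize_email(identifier)
            except ValueError:
                return None
            aid = self._by_email.get(key)
        else:
            aid = self._by_username.get(normalize_username(identifier))
        return self._accounts.get(aid) if aid is not None else None


if __name__ == "__main__":
    d = AccountDirectory()
    alice = d.register(Account(1, "Alice_K", "Alice", ["Alice@Example.COM", "ak@work.example"]))
    for typed in ("alice_k", "ALICE@example.com", "ak@work.example", "nobody"):
        hit = d.resolve_login(typed)
        print(f"{typed!r:22} -> {hit.display_name if hit else None}")
```

Registration checks both namespaces before writing anything, and a second registration that reuses a username in a different case is rejected rather than creating a look-alike account; a malformed identifier resolves to nothing rather than raising.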
