How is OpenID helping Google?

Steven BazylDeveloper Advocatehttp://goo.gl/L9oK5

Google users

• 50% Google Account users = Gmail users• Other 50% = people with Email from Yahoo, Hotmail,

AOL, Comcast, etc.

Google login is basic

Our goals as an RP are basic

As copied from the recent OpenID Retail Summit description...

• Higher customer registration and login success rates• Login sooner in the online process to allow targeted

experiences and communcations• Increased referral traffic, search engine optimization,

and brand projection by leveraging social networks• Collecting rich customer profile information• Improved mobile customer experience• Federated login across multiple websites

Two other big goals

1. Use OpenID to improve the experience for our EXISTING users

2. The use of OpenID should NOT increase per-user support costs

Google's Sample OpenID Store

Visit openidsamplestore.comImportant: Read the FAQ to learn about those two hard problems

How far has Google gotten as an RP?Our end goal is something close to federatedux.appspot.com• That is a prototype, not a live system• OpenID signups supported• OpenID logins supported• OpenID upgrades supported• Research indicates customer support costs won't

increase

But what is live today?

OpenID for Email Verification

Live for Yahoo, AOL, and other email domains

Lessons learned

• Increases the # of users who both signup AND verify their email address

• Developing OIX Trust framework for this use-caseo Search for "OAuth Goog" site and then search for "certification"

• Usability tests indicate that more "real users" will start the signup flow if they see an icon for a brand they use

Move OpenID earlier in signup

NASCAR UI is same as "second-tab" of two-tab login box

Launching on Google in a few weeks

• Email pre-filled (users won't need to verify it)

• Other attributes can be pulled (name, location, etc.)

• Suggest dropping CAPTCHA

• Still not using OpenID for login (user is asked to set a password)

Our advice

• Using OpenID for signup flows is a great way to "dip your toes in the water"

• Allows controlled experiments with measurable results

• Try out a NASCAR style signup flow yourself...o but only if you can do OpenID style flows for

domains that cover 50%+ of your users

What about OpenID login?

SAML RP login has been live for awhile...

OpenID login (v.5) is live• Demonstrated at Fall IIW• Steps to enable it

o Need to be logged in to a Google service using a Yahoo or AOL mail address (NOT a Gmail address)

o Visit the Google MyAccount settings pageo Look for Change Federated Login option and click it

Testing phase

• Requires SAML style login, sorry :-(• We need testers

o not a lot of Google employees use Yahoo mail for their personal accounts

• Other email domains will be supported soono Longer term we will rely on trust frameworks to support more

IDPs

So what about the login box?

If you are not a big email provider, use two-tab login box from the sample sites

Whats the problem with it?

Which tab is the default?

2nd tab works great if 60%+ of your users won't need to type a password on your siteCheck your account database to see what % of your users have mail from Google, Yahoo, Microsoft, AOL

Unfortunately 50% of Google users are Gmail users, and will have to type a password on our site :-(Google also has an advanced feature called multiple-login

Next step beyond two-tab is an Identity Selector

Windows Live Identity Selector

Google Identity Selector research

• If user clicks a Gmail identity, they are asked for password

• If they click an OpenID/SAML identity, they are redirected

• If they need to use another identity, they click + ...

Add Account

• Used for EITHER signup OR signin• NASCAR UI is not used for login, so it no longer

needs to be consistent• It can vary per machine to show likely IDPs

If you want to try this on your website• openidsamplestore.com has FAQ with details

o You can watch Google to see what we do, and we will keep publishing results

• There is still a lot of variance across OpenID IDPs.  We suggest using a vendor who hides some of that varianceo Janrain, Gigya, Ping, Azure ACSo Google also has a toolkit available

Pros: It exposes the exact same APIs used by Google itself to be an RP

Cons: It only supports Gmail, Yahoo mail, Hotmail, AOLmail, and Google Apps mail

Vendors like Janrain are integrating this approach as an option as well.

Contact me or Janrain if you want to learn more about these offerings

Q&A

To find our published research, just search for "OAuth Goog"

Steven BazylDeveloper Advocatesbazyl@google.com

Eric SachsSenior Product Manageresachs@google.com