How is OpenID helping Google?
Steven Bazyl, Developer Advocate, http://goo.gl/L9oK5
Google users
• 50% of Google Account users = Gmail users
• Other 50% = people with email from Yahoo, Hotmail, AOL, Comcast, etc.
Google login is basic
Our goals as an RP are basic
As copied from the recent OpenID Retail Summit description...
• Higher customer registration and login success rates
• Login sooner in the online process to allow targeted experiences and communications
• Increased referral traffic, search engine optimization, and brand projection by leveraging social networks
• Collecting rich customer profile information
• Improved mobile customer experience
• Federated login across multiple websites
Two other big goals
1. Use OpenID to improve the experience for our EXISTING users
2. The use of OpenID should NOT increase per-user support costs
Google's Sample OpenID Store
Visit openidsamplestore.com
Important: Read the FAQ to learn about those two hard problems
How far has Google gotten as an RP?
Our end goal is something close to federatedux.appspot.com
• That is a prototype, not a live system
• OpenID signups supported
• OpenID logins supported
• OpenID upgrades supported
• Research indicates customer support costs won't increase
But what is live today?
OpenID for Email Verification
Live for Yahoo, AOL, and other email domains
Lessons learned
• Increases the # of users who both signup AND verify their email address
• Developing OIX Trust framework for this use-case
  o Search for "OAuth Goog" site and then search for "certification"
• Usability tests indicate that more "real users" will start the signup flow if they see an icon for a brand they use
Move OpenID earlier in signup
NASCAR UI is same as "second-tab" of two-tab login box
Launching on Google in a few weeks
• Email pre-filled (users won't need to verify it)
• Other attributes can be pulled (name, location, etc.)
• Suggest dropping CAPTCHA
• Still not using OpenID for login (user is asked to set a password)
Our advice
• Using OpenID for signup flows is a great way to "dip your toes in the water"
• Allows controlled experiments with measurable results
• Try out a NASCAR style signup flow yourself...
  o but only if you can do OpenID style flows for domains that cover 50%+ of your users
What about OpenID login?
SAML RP login has been live for awhile...
OpenID login (v.5) is live
• Demonstrated at Fall IIW
• Steps to enable it
  o Need to be logged in to a Google service using a Yahoo or AOL mail address (NOT a Gmail address)
  o Visit the Google MyAccount settings page
  o Look for Change Federated Login option and click it
Testing phase
• Requires SAML style login, sorry :-(
• We need testers
  o not a lot of Google employees use Yahoo mail for their personal accounts
• Other email domains will be supported soon
  o Longer term we will rely on trust frameworks to support more IDPs
So what about the login box?
If you are not a big email provider, use two-tab login box from the sample sites
What's the problem with it?
Which tab is the default?
2nd tab works great if 60%+ of your users won't need to type a password on your site
Check your account database to see what % of your users have mail from Google, Yahoo, Microsoft, AOL
Unfortunately 50% of Google users are Gmail users, and will have to type a password on our site :-(
Google also has an advanced feature called multiple-login
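As an added example (not code from the talk or from Google's toolkit), the script below applies the two rules of thumb from this deck, the 50%+ coverage test for trying a NASCAR style signup flow and the 60%+ test for defaulting to the second tab, to a constructed sample of account e-mail addresses. The domain-to-provider map and the sample addresses are assumptions made for the example.

```python
from collections import Counter

# Constructed sample standing in for an RP's account database; not real users.
SAMPLE_ACCOUNTS = [
    "alice@gmail.com", "bob@yahoo.com", "carol@hotmail.com", "dave@aol.com",
    "erin@example.org", "frank@googlemail.com", "grace@Yahoo.co.uk",
    "heidi@comcast.net", "ivan@live.com", "judy@corp.example",
]

# Assumed domains for the four providers named in the talk (Google, Yahoo,
# Microsoft, AOL). Extend this map from your own data; it is not from the deck.
PROVIDER_DOMAINS = {
    "google": {"gmail.com", "googlemail.com"},
    "yahoo": {"yahoo.com", "yahoo.co.uk"},
    "microsoft": {"hotmail.com", "live.com"},
    "aol": {"aol.com"},
}

def provider_of(address):
    """Map an e-mail address to a provider key, or None if it is not one
    the RP can send through an OpenID/SAML style flow."""
    parts = address.rsplit("@", 1)
    if len(parts) != 2:
        return None  # malformed entry in the database
    domain = parts[1].strip().lower()  # domains are case-insensitive
    for provider, domains in PROVIDER_DOMAINS.items():
        if domain in domains:
            return provider
    return None

def coverage(addresses):
    """Return (per-provider counts, fraction of users with a federated provider)."""
    counts = Counter(provider_of(a) for a in addresses)
    federated = sum(n for p, n in counts.items() if p is not None)
    share = federated / len(addresses) if addresses else 0.0
    return counts, share

def recommend(addresses, nascar_threshold=0.5, second_tab_threshold=0.6):
    """Apply the deck's thresholds: 50%+ to try a NASCAR signup flow,
    60%+ before making the second (federated) tab the default."""
    _, share = coverage(addresses)
    return {
        "federated_share": share,
        "try_nascar_signup": share >= nascar_threshold,
        "default_to_second_tab": share >= second_tab_threshold,
    }

if __name__ == "__main__":
    print(coverage(SAMPLE_ACCOUNTS))
    print(recommend(SAMPLE_ACCOUNTS))
```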
Next step beyond two-tab is an Identity Selector
Windows Live Identity Selector
Google Identity Selector research
• If user clicks a Gmail identity, they are asked for password
• If they click an OpenID/SAML identity, they are redirected
• If they need to use another identity, they click + ...
Add Account
• Used for EITHER signup OR signin
• NASCAR UI is not used for login, so it no longer needs to be consistent
• It can vary per machine to show likely IDPs
If you want to try this on your website
• openidsamplestore.com has FAQ with details
  o You can watch Google to see what we do, and we will keep publishing results
• There is still a lot of variance across OpenID IDPs. We suggest using a vendor who hides some of that variance
  o Janrain, Gigya, Ping, Azure ACS
  o Google also has a toolkit available
Pros: It exposes the exact same APIs used by Google itself to be an RP
Cons: It only supports Gmail, Yahoo mail, Hotmail, AOLmail, and Google Apps mail
Vendors like Janrain are integrating this approach as an option as well.
Contact me or Janrain if you want to learn more about these offerings
Q&A
To find our published research, just search for "OAuth Goog"
Steven Bazyl, Developer Advocate, [email protected]
Eric Sachs, Senior Product Manager, [email protected]