How is OpenID helping Google?
Steven Bazyl, Developer Advocate
http://goo.gl/L9oK5

Google users
• 50% Google Account users = Gmail users
• Other 50% = people with email from Yahoo, Hotmail, AOL, Comcast, etc.

Our goals as an RP are basic
As copied from the recent OpenID Retail Summit description...
• Higher customer registration and login success rates
• Login sooner in the online process to allow targeted experiences and communications
• Increased referral traffic, search engine optimization, and brand projection by leveraging social networks
• Collecting rich customer profile information
• Improved mobile customer experience
• Federated login across multiple websites

Two other big goals
1. Use OpenID to improve the experience for our EXISTING users
2. The use of OpenID should NOT increase per-user support costs

Google's Sample OpenID Store
Visit openidsamplestore.com
Important: Read the FAQ to learn about those two hard problems

How far has Google gotten as an RP?
Our end goal is something close to federatedux.appspot.com
• That is a prototype, not a live system
• OpenID signups supported
• OpenID logins supported
• OpenID upgrades supported
• Research indicates customer support costs won't increase
But what is live today?

OpenID for Email Verification
Live for Yahoo, AOL, and other email domains

Lessons learned
• Increases the # of users who both sign up AND verify their email address
• Developing OIX Trust framework for this use-case
• Search for "OAuth Goog" site and then search for "certification"
• Usability tests indicate that more "real users" will start the signup flow if they see an icon for a brand they use

Move OpenID earlier in signup
Launching on Google in a few weeks
NASCAR UI is same as "second-tab" of two-tab login box

• Email pre-filled (users won't need to verify it)
• Other attributes can be pulled (name, location, etc.)
• Suggest dropping CAPTCHA
• Still not using OpenID for login (user is asked to set a password)

Our advice
• Using OpenID for signup flows is a great way to "dip your toes in the water"
• Allows controlled experiments with measurable results
• Try out a NASCAR style signup flow yourself...
  • but only if you can do OpenID style flows for domains that cover 50%+ of your users

What about OpenID login?
SAML RP login has been live for a while...

OpenID login (v.5) is live
• Demonstrated at Fall IIW
• Steps to enable it
  • Need to be logged in to a Google service using a Yahoo or AOL mail address (NOT a Gmail address)
  • Visit the Google MyAccount settings page
  • Look for Change Federated Login option and click it

Testing phase
• Requires SAML style login, sorry :-(
• We need testers
  • not a lot of Google employees use Yahoo mail for their personal accounts
• Other email domains will be supported soon
• Longer term we will rely on trust frameworks to support more IDPs

So what about the login box?
If you are not a big email provider, use two-tab login box from the sample sites

What's the problem with it?
Which tab is the default?
2nd tab works great if 60%+ of your users won't need to type a password on your site
Check your account database to see what % of your users have mail from Google, Yahoo, Microsoft, AOL
Unfortunately 50% of Google users are Gmail users, and will have to type a password on our site :-(
Google also has an advanced feature called multiple-login
Next step beyond two-tab is an Identity Selector

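The account-database check suggested above, together with the 50%+ rule from the advice slide, as an added Python example that is not part of the original deck. The domain-to-IDP table, the function names and the sample addresses are assumptions constructed for illustration; the `exclude` parameter models a site that is itself one of the IDPs, as Google is for Gmail users.

```python
from collections import Counter

# Assumed domain-to-IDP table (illustrative and incomplete, not from the slides).
IDP_DOMAINS = {
    "gmail.com": "Google", "googlemail.com": "Google",
    "yahoo.com": "Yahoo", "ymail.com": "Yahoo",
    "hotmail.com": "Microsoft", "live.com": "Microsoft", "outlook.com": "Microsoft",
    "aol.com": "AOL",
}

def mail_domain(address):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return None
    return domain

def idp_coverage(addresses, exclude=()):
    """Per-IDP share of valid accounts and the total share that can federate.

    exclude: IDPs whose users still type a password here (the site's own domain).
    """
    counts, valid = Counter(), 0
    for address in addresses:
        domain = mail_domain(address)
        if domain is None:
            continue  # malformed rows are left out of the denominator
        valid += 1
        idp = IDP_DOMAINS.get(domain)
        if idp and idp not in exclude:
            counts[idp] += 1
    if valid == 0:
        return {}, 0.0
    return {idp: n / valid for idp, n in counts.items()}, sum(counts.values()) / valid

def recommend(coverage):
    """Thresholds from the slides: 50%+ for NASCAR signup, 60%+ for 2nd-tab default."""
    return {"nascar_signup": coverage >= 0.50, "second_tab_default": coverage >= 0.60}

# Constructed sample rows standing in for an export of the account table.
SAMPLE = ["a@gmail.com", "b@Yahoo.com", "c@aol.com", "d@hotmail.com", "e@example.org",
          "f@comcast.net", " g@GMAIL.COM ", "not-an-address", "h@corp.example", "i@ymail.com"]

if __name__ == "__main__":
    for label, skip in (("ordinary RP", ()), ("site that is itself Google", ("Google",))):
        shares, total = idp_coverage(SAMPLE, exclude=skip)
        print(label, {k: round(v, 2) for k, v in shares.items()}, round(total, 2), recommend(total))
```
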
Google Identity Selector research
• If user clicks a Gmail identity, they are asked for password
• If they click an OpenID/SAML identity, they are redirected
• If they need to use another identity, they click + ...

Add Account
• Used for EITHER signup OR signin
• NASCAR UI is not used for login, so it no longer needs to be consistent
• It can vary per machine to show likely IDPs

If you want to try this on your website
• openidsamplestore.com has FAQ with details
• You can watch Google to see what we do, and we will keep publishing results
• There is still a lot of variance across OpenID IDPs. We suggest using a vendor who hides some of that variance
  • Janrain, Gigya, Ping, Azure ACS
• Google also has a toolkit available
  • Pros: It exposes the exact same APIs used by Google itself to be an RP
  • Cons: It only supports Gmail, Yahoo mail, Hotmail, AOLmail, and Google Apps mail
• Vendors like Janrain are integrating this approach as an option as well.
• Contact me or Janrain if you want to learn more about these offerings

Q&A
To find our published research, just search for "OAuth Goog"
Steven Bazyl, Developer Advocate, sbazyl@google.com
Eric Sachs, Senior Product Manager, esachs@google.com