Knowing your audience trumps… everything
January 14th, 2009 by masukomi

A little while ago Jason Kester wrote a post complaining about the fact that he had to sign up with an OpenID provider in order to get an account on StackOverflow. He went on to point out the value of having a frictionless sign-up process. And, while everything he says is true, he’s missing a crucial fact.

You see, StackOverflow knows their audience. They know them really well. It’s a safe bet that the vast majority of StackOverflow’s users are web developers, and any web developer worth their salt has experimented with OpenID by now, which means they already have an account with an OpenID provider. Those who don’t are almost guaranteed to have an account with one of the many OpenID providers listed on StackOverflow’s login page:

[image: openid options]

So, for StackOverflow’s audience, signing up is a matter of typing in the right url, and signing in with the password they’ve probably been using for years. No remembering a new password or reusing an old one and thus making it more vulnerable. Just enter your url and go.

So, yes, Jason’s right, signup should be as close to zero friction as possible, but knowing your audience trumps it, because when you know your audience well you can make things better than you ever could when trying to make things easy for absolutely everyone.

The fact that Jason had to go sign up with an OpenID provider speaks to a couple of possibilities:

  1. Jason’s totally out of touch with the internet and doesn’t have any accounts on any major site (unlikely)
  2. StackOverflow didn’t have this list of providers on their site in October when Jason posted, and Jason didn’t realize that the ones of these he used were OpenID providers (possible)
  3. OpenID providers like those listed above have been doing a piss-poor job of informing their users that they HAVE an OpenID account, and why they should care. (definitely)

P.S. On a related note, many of us have learned that if you have your own domain name it means you never have to send out e-mails to everyone when you change who’s providing your e-mail, because your address will never change. Honestly I’m amazed that so many developers are handing out their Gmail addresses. Anyway, you can do the same thing with OpenID by adding 2 tags to the html on your home page. Now, I just enter http://masukomi.org on any OpenID site (that’s where I put the tags) and I’ll never have to change my logins if I decide I don’t want to use MyOpenID.com as my provider anymore. Just like never having to send out updates about a new e-mail address.
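The “2 tags” are OpenID delegation links, and a site you log in to discovers them by fetching your home page and reading its `<link rel=...>` tags. As an added example (not code from the original post, and not MyOpenID’s or StackOverflow’s code), here is that discovery step over a constructed home page, with the standard OpenID 1.1 and 2.0 rel names; the warnings it returns flag the places where those tags could be served or altered insecurely, which is where the comments below locate OpenID’s risk.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not the post's real home page): the two delegation
# tags, given in both the OpenID 1.1 and the OpenID 2.0 spellings.
SAMPLE_HOME_PAGE = """<html><head><title>home</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="https://masukomi.myopenid.com/">
<link rel="openid2.provider" href="https://www.myopenid.com/server">
<link rel="openid2.local_id" href="https://masukomi.myopenid.com/">
</head><body>hello</body></html>"""

# Standard rel values: "where is my provider" and "which identifier does my
# provider know me by", 2.0 names first so they win when both are present.
PROVIDER_RELS = ("openid2.provider", "openid.server")
LOCAL_ID_RELS = ("openid2.local_id", "openid.delegate")


class _LinkCollector(HTMLParser):
    """Record the href of the first <link> carrying each rel token."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if not a.get("href"):
            return
        for token in (a.get("rel") or "").lower().split():
            self.links.setdefault(token, a["href"])


def discover_delegation(html, page_url):
    """Return (provider_endpoint, local_id, warnings) for a fetched home page.

    If no delegate/local_id tag is present, the page URL itself is the
    identifier the provider is asked to verify.
    """
    p = _LinkCollector()
    p.feed(html)
    provider = next((p.links[r] for r in PROVIDER_RELS if r in p.links), None)
    local_id = next((p.links[r] for r in LOCAL_ID_RELS if r in p.links), page_url)
    warnings = []
    if provider is None:
        warnings.append("no OpenID provider tag found")
    elif urlsplit(provider).scheme != "https":
        warnings.append("provider endpoint is not https")
    if urlsplit(page_url).scheme != "https":
        # The tags are only as trustworthy as the fetch that retrieved them.
        warnings.append("home page fetched over plain http")
    return provider, local_id, warnings
```

Swapping the delegate href for another identifier is all it takes to redirect the login, so whoever can edit that page (or serve a different one) controls the identity; treating an http-only result as a warning is the minimum check a relying party can make.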

P.P.S. Google has totally failed with their OpenID implementation. The whole idea is to give a url that’s easy to remember and has the user’s name in it. Technically you can use your Gmail address (since @ signs are valid in urls; it’s an obscure login thing no one uses anymore), but all the OpenID consumers are asking for urls, not addresses, so users won’t know they could use their Gmail address, never mind the fact that Google hasn’t told anyone their e-mail address will work as an OpenID url. AND, WTF is with that google.com/accounts/o8/id? Who the hell is going to remember that if they wanted to use a url instead of the e-mail no one told them about?! I think there’s also an even more obscure Google address you can use with a long string of random characters that you’ve even less hope of remembering.

[Update] Apparently many of you don’t believe me that your Gmail address is a valid OpenID url. I would point you to this article on Google’s blog that confirms my claim. And I’d like to point out that www.example.com needs http:// prepended to it, just as <username>@gmail.com would in order to be a valid url. The wget manual puts it succinctly:

You can also encode your username and password within a url:

     ftp://user:password@host/path
     http://user:password@host/path

Either user or password, or both, may be left out. If you leave out either the http username or password, no authentication will be sent. If you leave out the ftp username, ‘anonymous’ will be used. If you leave out the ftp password, your email address will be supplied as a default password.


6 Responses  
  • Anonymous writes:
    January 14th, 2009 at 9:11 pm

    No developer worth their salt chases technologies with no future, of which OpenID is one. They leave that to the brainless buzzword chasers without the understanding and experience to sort the “technology wheat” from the “technology chaff”. No developer worth their salt would expose an account they value to the security risks of OpenID.

    Since launching, StackOverflow has received a lot of negative attention for their OpenID requirement. Many people even going to the lengths of creating specific OpenID accounts just for StackOverflow, thus defeating the entire point of OpenID. That doesn’t sound like knowing the audience to me, it sounds more like the typical “enterprisy software developer” irrational choice of a hyped solution over a logical solution.

  • N writes:
    January 15th, 2009 at 9:48 am

    I just created an account on StackOverflow last week and was happy to see they only took OpenID for authentication. But that’s maybe because I’m a fan of OpenID. Sites that actually use it are so rare that I get excited when I get to use it.

    I’m also using the delegation feature that you described to use my own domain name to delegate to my OpenID provider of choice (myopenid.com at the moment). Not a lot of people seem to be aware of it.

    It seems like most of the criticisms of OpenID are due to lack of understanding of how it works. The security risks are no greater than what you have without OpenID.

    I think that OpenID is probably not going to take off in the mainstream any time soon (though maybe after some time it or something very similar will take off), but I completely agree that it’s appropriate for developer sites like StackOverflow to use it. In fact, I’m currently developing a developer-focused site that I’m only going to use OpenID authentication for.

  • masukomi writes:
    January 15th, 2009 at 9:59 am

    > It seems like most of the criticisms of OpenID are due to lack of understanding of how it works.

    I couldn’t agree more.

    >The security risks are no greater than what you have without OpenID.

    Yes, I don’t know what security risks Anonymous is referring to. I’ve been through the spec and there’s nothing obvious. I think it more likely that he just misunderstands how it works.

    > I think that OpenID is probably not going to take off in the mainstream any time soon (though maybe after some time it or something very similar will take off), but I completely agree that it’s appropriate for developer sites like StackOverflow to use it. In fact, I’m currently developing a developer-focused site that I’m only going to use OpenID authentication for.

    Yeah, the roadblocks it presents are primarily to non-geeks, and those are only because of ignorance. I think StackOverflow’s list of providers on their signup page is a good move, but they could probably add a note to the effect of “You already have an OpenID account, but you may not know it.”

    Mostly, we just need education. It’s not hard to use, people just don’t know they already have it or what it is.

  • Twylite writes:
    January 16th, 2009 at 7:12 am

    OpenID has no security. It was designed without security in mind – read the FAQ.

    Better still read Stefan Brands’s “The problems with OpenID” (http://www.idcorner.org/?p=161).

    OpenID puts your authentication credentials at the mercy of DNS and web site hacks. If you wouldn’t keep your passwords in a hidden .txt file on your web server, don’t use OpenID.

  • masukomi writes:
    January 16th, 2009 at 8:10 am

    The security problems Twylite points to are the potential for phishing-style attacks, which could screw you if you get sucked in and used OpenID everywhere, but this is easily mitigated by checking the url of the site you’re signing in at to make sure it’s what it should be.

    The privacy problems listed on the same page are an issue where, apparently, some stupid OpenID providers recycle unused logins, which would give the new owner of the login access to the old user’s data, if they happened to use the login on the same site. That’s definitely a problem, although I don’t know what OpenID provider has done that. HOWEVER, if you do what I recommended and use your own domain as your OpenID url (by adding a couple of tags to your home page) then you’ll never be susceptible to that problem.

    It also points to the fact that an OpenID provider knows what sites you log in to and thus could, in theory, log in as you at any of them. But, this is your password folks, it’s as valuable as cash. Do you let the alcoholic homeless guy down the street act as your bank? No, because he might use your money. In the same way you shouldn’t use an untrustworthy OpenID provider.

    HOWEVER, the article she links to does bring up important points that OpenID users should be aware of.

  • Twylite writes:
    January 16th, 2009 at 9:35 am

    Umm … the four most important security problems are:
    - A DNS attack on the site that requests authentication completely subverts OpenID, allowing the attacker to masquerade as anyone using OpenID for login.
    Username+password is not susceptible to this attack.
    - An attack on your cheap web host, or the poorly installed or poorly written blog software you use on that web host, will allow the attacker to modify the OpenID tags at your identification URL, and redirect them to give the attacker full access.
    In the case the hacker may be the underpaid IT guy at your cheap web host, which makes the hack kind of simple.
    Username+password is not susceptible to this attack, unless you store your passwords in a .txt file on your web site.
    - XSS can make phishing attempts almost impossible for the average user to identify.
    - If you have authenticated to your OpenID provider, then a CSRF/XSRF attack can target any site on which you use that OpenID, even if you haven’t visited that site this session (or this day, week, month, etc). Since most sites are susceptible to XSRF attack this is a major problem.

    On the issue of trust: name a service provider you would trust with your banking login password?


© Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.