OpenID: OK idea, bad implementation

Shortly I will remove OpenID login from Cinema Minima’s sites. I think it will be too confusing for users.

Kyle Neath explains why he does not like OpenID:

It’s not that I think any part of the technical implementation of OpenID is flawed in any way: that part of it is rock solid. My problem is how OpenID full on assaults user experience. If you choose to implement OpenID on your site, I really don’t have a problem with it at all — what I do have a problem with are sites that force you to use OpenID. It’s a perfectly valid authentication option, but not a valid alternative. So this is my rant on OpenID.

The article articulates the concerns which are raised by pretty much every instance of OpenID.

OpenID looks good on paper, but it is not so easy to use. And the OpenID providers are flaky. I’m still shocked to have discovered that did not adequately test its own site: I can’t tell you how many times I’ve been redirected to my own OpenID page on the site, and not found a clue as to what to do to complete the authentication. I have figured it out, but it is so non-obvious that I have forgotten it, and had to guess again the next time.

To have major flaws in the interface is OK for me — I am in the trade, and it comes with the territory — but not OK for users. Users deserve — have the right to expect, and ought* insist upon — clear and simple tools. I say ‘tools’ — rather than the abstract, nearly collective-noun-ish ‘interface’ or ‘user experience’ — to emphasize the utility of such things. When people talk ‘interface’ they mean dashboards, sets of buttons, etc. ‘Tool’ is right to the point: I do this, and it does that.

Current implementations actually introduce Fear, Uncertainty, and Doubt (FUD) into the very places where safety, clarity, and certainty are most desired. I am amazed that the salient thing the many implementations of OpenID have in common is poor execution — mostly, as far as I have observed, poor user-experience design.

Yahoo offers OpenID but with these terrible alternatives: use a URI which is long and incomprehensible and safe, or a short and easy-to-remember URI which Yahoo cheerfully warn you is unsafe. What were they thinking?! had a security certificate that failed in common browsers (maybe they have fixed it by now?). Didn’t anyone bother to test? Or at least provide some error-trapping so that the hapless user wouldn’t find herself in a neverland of error messages?

The WordPress plugin has some flaws: the first version acknowledges, but does not cope with, the bad-certificate problem; and it relies upon a math library — GMP for PHP — which many, if not most, WordPress users would not have, nor have any way of installing, since the majority of WordPress instances run on hosted sites which do not permit root access (GMP is not strictly required, but without it the plugin places a strain upon the server’s CPU).

User login ought to be overflowing with simplicity, safety, and certainty.

*Yes — I omitted the ‘to’ after ‘ought’. This is good, sound, idiomatic English — and time-tested, too.