Comments for Comcast Property Sees 92% Success Rate With New OpenID Method

Comcast Property Sees 92% Success Rate With New OpenID Method

2009-02-10T22:33:13Z

The most-watched geek event of the day has to be the OpenID UX (User Experience) Summit, hosted at the Facebook headquaters. The most discussed moment of the day will surely be the presentation by Comcast's Plaxo team.

Plaxo and Google have collaborated on an OpenID method that may represent the solution to OpenID's biggest problems: it's too unknown, it's too complicated and it's too arduous. Today at the User Experience Summit, Plaxo announced that early tests of its new OpenID login system had a 92% success rate - unheard of in the industry. OpenID's usability problems appear closer than ever to being solved for good.

]]> This experimental method refers to big, known brands where users were already logged in, it requires zero typing - just two clicks - and it takes advantage of the OpenID authentication opportunity to get quick permission to leverage the well established OAuth data swap to facilitate immediate personalization - at the same time, with nothing but 2 clicks required of users.

Plaxo, primarily known for the noxious flood of spam emails it delivered in its early days, is now an online user activity data stream aggregator owned by telecom giant Comcast. The Plaxo team has been at the forefront of the new Open Web paradigm best known for the OpenID protocol.

The Flow

The method Plaxo has been testing is called an OpenID/OAuth combo, in collaboration with Google. What does that mean, in regular terms? It means that Plaxo told users they could log in with their Gmail accounts as OpenID by clicking a link to open a Gmail window, then Google asked for permission to hand over user contact data using the OAuth standard protocol. Once login was confirmed, whether contact data access was granted to Plaxo or not, the Gmail window closed and users were returned to Plaxo all logged in. No new accounts, no disclosure of Gmail passwords to Plaxo, no risky account scraping and no need to import or find friends on the new service before immediate personalization could be offered.

This is a very different flow than most OpenID "relying parties" have followed before - but it won't be for long.

The Success Rate

Plaxo reported today that it has seen a staggering 92% of users who clicked on the "log-in with Gmail" button come back to Plaxo with permission to authenticate their identities via Gmail granted. Of those who returned, another 92% also granted permission for Plaxo to access their contacts list. Only 8% of the people who clicked to log in with a standards based 3rd party authentication ended up deciding to bail instead. That's the kind of ease-of-use that people presumed only Facebook Connect could provide.

When Plaxo engineers moved to turn off the short-term experiment, the business team said no way.

We expect to see this basic flow get iterated on even further. We hope it will ensure that every OpenID provider has some exposure and not just the big email providers, and we expect the pop-up action to be made increasingly unobtrusive.

This could be the day when OpenID became a far more realistic prospect than it has seemed before.

What an "RP" Wants

View more presentations from johnmccrea. (tags: josephsmarr #openidux)

Comment from Alberto López on 2009-02-10

2009-02-10T23:40:38Z

I don't really see the utility of OpenID. Lately everything with the "Open" prefix sounds cool, even if there's no use for it =)

Managers Magazine

Comment from bkkissel.myopenid.com on 2009-02-10

2009-02-10T23:52:20Z

Very exciting demonstration of compelling benefits for end users, website operators, and OpenID providers. Well done to Google and Plaxo.

Comment from jeremiah on 2009-02-10

2009-02-11T01:02:28Z

Maybe I don't entirely understand the innovation here, but isn't most of the simplicity in the user interface being achieved by concentrating on a single OpenID provider? In other words, isn't this just swapping Facebook for Google, rather than Facebook for OpenID?

Comment from Marshall Kirkpatrick on 2009-02-10

2009-02-11T01:07:01Z

jeremiah, if that's the case then the big news is just the oauth integration. I don't think this has to be a case of "simple because choice is removed" - I think that multiple known brands could be offered as choices with room for any provider. The innovation is in the simple clicks to authorize information, the use of known entities, etc.

Comment from ndk on 2009-02-10

2009-02-11T01:20:07Z

This presentation -- and some of the comments left above -- feels much more like marketing than research. Who cares what the protocols under the covers are? The demonstration could've been done with LDAP.

There's nothing new here. Of course it's possible to improve the user experience by requiring(or at least, making it exceptionally difficult not to use) a few major providers. That's been done a thousand times over.

We're no closer to solving truly distributed federated identity than we were, and this if anything pushes us actively further away. I want to see interface work can serve the world, not the one or two big players in one sphere.

Comment from Marshall Kirkpatrick on 2009-02-10

2009-02-11T01:30:24Z

ndk - thanks for putting that out there. I'd like to see what some of the folks involved have to say about your comment.

Comment from David Recordon on 2009-02-10

2009-02-11T01:40:29Z

@jeremiah, while this experiment was done specifically between Plaxo and Google, I agree with Marshall that multiple known brands could be involved and that the real innovation was simplifying and combining the steps of logging in and granting access to your data.

This experiment combines 1) creating a new account on Plaxo and entering profile data, 2) verifying your email address and 3) granting Plaxo access to your address book. Before the combination of OpenID and OAuth, you would be sent to Google two or three times: first to login with your Google Account, second (if you didn't use OpenID) to Gmail to verify your email address and third to grant Plaxo access to your Gmail address book.

Rather, this experiment with a hybrid of OpenID and OAuth combines these steps so that the creation of a new account always includes the verification of your email address and you're telling Google that you wish to provide Plaxo with access to your address book.

Comment from David Recordon on 2009-02-10

2009-02-11T01:45:36Z

@ndk, I'd love to see an example of this being done with LDAP, including the granting ongoing access to an API resource (the address book). I obviously strongly disagree with your view that, "we're no closer to solving truly distributed federated identity than we were," but doubt that comments are going to be the best way to understand each other's viewpoints.

Comment from rick on 2009-02-10

2009-02-11T01:49:37Z

I agree with ndk. Sure this could be done for other well-known brands... but note that caveat carefully. Now tell me how having a few known brands be the ones that make OpenID easy to use is a good thing.

OpenID is still a solution in search of a problem for most individuals. We use our browsers' ability to remember credentials combined with cookies and a limited set of passwords to address this. If I only have 1 or 2 username/password combinations to remember anyway... what's the advantage of OpenID again?

Comment from John McCrea on 2009-02-10

2009-02-11T01:51:22Z

I think this is a really big deal. (But I'm biased, as I'm involved in it.)

This is the first time we're seeing OpenID that is driving our core business metrics. It's good for users, good for Plaxo, good for Google, and implemented in a way that can be replicated by any other sites of the web.

Comment from ndk on 2009-02-10

2009-02-11T02:26:52Z

I obviously strongly disagree with your view that, "we're no closer to solving truly distributed federated identity than we were," but doubt that comments are going to be the best way to understand each other's viewpoints.

You're probably right, David, but I'll restate my point more fully for posterity here. Because:

1) It's extremely difficult to craft a good UX for N providers, making the button path -- used by social bookmarks and the demonstration above alike -- very appealing;
2) The data necessary to build a value proposition, like a contact book, is not available consistently from all providers;
3) There is no trust framework to support a diversity of providers.

Whatever the protocol under the seams, if the three above points are not comprehensively addressed, I see an inexorable drift towards the "Top 4" that Joseph describes. Discovery is the toughest and most important.

I'd love to see an example of this being done with LDAP, including the granting ongoing access to an API resource (the address book).

This is tangential; I'm just pointing out that I'm not emotionally attached to protocols. They grow, evolve, and die, but in the end aren't always that different from each other.

If you wanted to get imaginative with LDAP, perhaps one would provision a service DN for each application, do LDAP auth of the user at the login page, change the user's contact list ACL to permit reading by the service DN, transmit the username + timestamp to the service in a query string encrypted using the service's public key, and then perform a simple LDAP query(an API for retrieving data about a username, after all).

Obviously a dirty hack inferior to application of OAuth + OpenID, vulnerable to a few more attacks by the service, and LDAP isn't viable for inter-realm use, but it'd work.

Comment from ndk on 2009-02-10

2009-02-11T02:37:03Z

the username + timestamp

Brainfarted the slightly important "signed" word, sorry. :D But I'd rather not let that distract from the core issue that rick articulated better than I: the UX being demonstrated here naturally constricts the OP's to a select few, so I really don't think of it as progress.

Comment from Kevin Marks on 2009-02-10

2009-02-11T07:34:35Z

Jeremiah and ndk what you're missing is that the bridge from identity to authorization to use the contacts was done through a set of open protocols, Being able to go from an email address to a known OpenID endpoint was a small part of the steps saved here.
If users can pick an identity provider from a list of obvious suspects or a known highly correlated one for that site, as well as having a type-in box, this flow means that they will be able to connect to a rich source of profile and contact information in one go, ratehr then the multiple stage back and forth currently needed.

Comment from Todd on 2009-02-11

2009-02-11T11:30:03Z

Oh sure, the meeting at Facebook as massive implications, our identities will finally be in our control, the companies that attented will make billions more with that hybrid oauth/openid thingy, yadda, yadda, yadda...

But without a doubt, the best thing to come from the meeting was this pic:

http://www.flickr.com/photos/wnorris/3270176733

Comment from Todd on 2009-02-11

2009-02-11T11:49:40Z

...oh yeah, and on the serious tip:

ndk said:

"...If you wanted to get imaginative with LDAP, perhaps one would provision a service DN for each application, do LDAP auth of the user at the login page, change the user's contact list ACL to permit reading by the service DN, transmit the username + timestamp to the service in a query string encrypted using the service's public key, and then perform a simple LDAP query(an API for retrieving data about a username, after all)."

Exactly! That's what I want to write an Oil Can script to do, for all Android phone's ( address books in Android phones automatically sync'ed to Gmail BTW ). Decentralized and spread out out, no single point of failure.

"...A distributed architecture for social networking? Existing social networks usually employ a "hub and spoke" model, where the website is the hub of all activity within the network, and where there is a "client" and a "server". Since all traffic must pass through the hub, that site may become a bottleneck. Furthermore, each transaction must pass up one spoke to the hub, and then down another spoke, when the people interacting may be much closer to each other (in network terms) than either is to the hub site...

There is the opportunity to create an architecture that distributes the load to the devices sitting in our coats and pockets, rather than solely on massively scalable Web sites. Such an architecture would require better interoperability between social networking sites and mobile devices than we have today, and should remove any dependence on an "always-on" network connection."

http://www.w3.org/2008/09/msnws/papers/nokia-mobile-social-networking.html

Comment from söve on 2009-02-11

2009-02-11T16:55:45Z

thanks.

Comment from Phil "Watching How This Goes" on 2009-02-11

2009-02-11T16:57:42Z

For some reason I seem to get nervous when something is so wonderful that everyone buys into it. Nothing is perfect. The real question is what are they not telling you about this new system. We need enough information to decide if we want something or not. If all we get is the good side, the other side could be worse than we can handle. This is the same mistake that too many people made when investing with Madoff! Stop trying to hussle us and tell us the real deal.

Comment from willnorris.com on 2009-02-11

2009-02-11T22:03:00Z

Prior to the work I'm currently doing with OpenID, OAuth, et al, I was deeply involved with LDAP, SAML, and worked with ndk (commenter above) directly for a number of years. He makes an excellent point based on this article. Unfortunately, this article covers only a small facet of what was discussed at the UX Summit yesterday.

I think the thing to take away from the Plaxo numbers that Joseph presented is this: if we can make the user experience as simple as two button clicks (that's really all it is), the ROI for relying parties is incredible. The beauty of the Plaxo/Google demonstration was made possible by open protocols (that really could have been anything, including LDAP), but more importantly intelligent OP discovery. It demonstrated ONE way of doing intelligent discovery -- that is, assuming that if the user used Google for their email, then there's a decent chance that they would want to use Google as an authentication provider. As their numbers show, this was a pretty accurate (although not 100% true) assumption.

The point is, if we can do intelligent discovery, the payback is huge. The true challenge, and this is what was left out of the article, but was discussed during the rest of the UX Summit, is how to do this discovery. No one is suggesting that the Plaxo/Google approach, or even the "big four buttons" approach is the end-all, be-all solution to discovery. No one is saying that. Plaxo's demonstration only underscores the importance of discovery, and it's problem we have yet to solve.

Comment from Nick O'Neill on 2009-02-11

2009-02-11T22:23:00Z

@willnorris said "if we can make the user experience as simple as two button clicks (that's really all it is), the ROI for relying parties is incredible"

I think that's the key. Until yesterday, there had been little public discussion about streamlining the OpenID login process for those not knowledgeable of what "OpenID" is. At the end of the day, most users won't know that they're interacting with something that is using the OpenID protocol, which is the way it should be.

Facebook Connect has proven that engagement rises and that there is a higher rate of new registrations. The Plaxo example confirms this even more. This is great to see and I think we are on the verge of a breakthrough which will make all registrations as simple as two-clicks. This is awesome. OpenID ftw

Comment from ndk on 2009-02-11

2009-02-11T22:28:26Z

No one is suggesting that the Plaxo/Google approach, or even the "big four buttons" approach is the end-all, be-all solution to discovery. No one is saying that. Plaxo's demonstration only underscores the importance of discovery, and it's problem we have yet to solve.

Thanks, Will. Your entire message is very much the right one to carry forward here, and since I wasn't present, I'm glad to hear that more was present at the summit than just the "Top 4" buttons.

It'd be great to get more earnest communication on innovative techniques being proposed to prevent OpenID from falling further into the social bookmarking solution. No such details have leaked out of the inner circles, and when all we see is presentations like this, the discomfort of commentators not directly invested in the future of this technology is probably understandable.

Comment from Ian Hendry on 2009-02-12

2009-02-12T09:51:39Z

Some really interesting comments.

I have long predicted that the next wave of social networking will be ALL sites offering social elements so "friending" and commenting and the like is available everywhere.

This, to some degree, is already happening (I spend two hours every morning reading and commenting all over the web) but it typically requires a separate identity on each site. And if I wish to make my contacts aware of the article I need to drag their butts over to that specific site first. This is all a pain.

So socialising the web will become a lot easier if a SINGLE existing identity can be used by me across the whole web. OpenID offers this. What it doesn't do today, and what Facebook Connect DOES do, is enable me to easily share what I am doing across the whole web with my friends and contacts. Well, I say FBC does do it, no one is using it yet...

And a key reason is everyone would like to see something more "Open" allowing that so they aren't tied into Facebook, which doesn't have a great reputation for protecting investments for its third party developer partners.

What Plaxo and Google are showing is exciting, but is playing functional catch up with FBC and will only geat REALLY exciting once they issue some code which you and I can integrate into our sites to offer the same functionality.

By the way, I agree with the view that is arguably leading us down the wrong road ultimately, as I would prefer to see a trusted, independent, non-profit body holding identity and social graph information, which we then "lease" to sites we visit with a few clicks. Although W3C is putting together a team to investigate this, encouragingly, it is still some way off.

Ian Hendry
CEO, WeCanDo.BIZ
http://www.wecando.biz

Comment from Khürt on 2009-02-15

2009-02-15T12:54:26Z

Intereting article and exciting developments between Google and Plaxo. But ... I found the comments more informative.

I agree with Ian Hendry, we need "a trusted, independent, non-profit body holding identity and social graph information, which we then "lease" to sites we visit with a few clicks."

"The Plaxo/Google approach, or even the "big four buttons" approach" will become the "the end-all, be-all solution to discovery." and I'll no longer be able to use my blog as a self-provisioned OpenID.

Sicne the the user experience weill be "as simple as two button clicks (that's really all it is), the ROI for relying parties is incredible." - @williamnorris

Comment from porno izle on 2009-05-21

2009-05-21T14:36:37Z

This is pretty cool way to collaborate, but to me "crowdsourcing" implies a lot more democracy and broad based collaborative input. This seems more like an edited collection of short stories with similar theme and I'm guessing it'll read

Comment from High Real Estate on 2009-05-23

2009-05-23T09:49:57Z

These new properties make the get() methods largely redundant but the set() methods can be still be useful as most of them take multiple parameters; for example the full setHours() syntax looks like this:High Real Estate www.highrealestate.net

Comment from porno izle on 2009-05-30

2009-05-30T19:59:15Z

Comment from High Real Estate on 2009-07-24

2009-07-24T12:53:55Z

Is there a blog or website which shows which towns have the lowest House rents…not apartments.

Comment from supra on 2009-07-28

2009-07-28T07:41:40Z

that is really good news for Comcast

Comment from Air Max on 2009-07-28

2009-07-29T01:25:27Z

great success; glad to hear that.

Comment from Air Max on 2009-08-03

2009-08-03T09:19:08Z

good idea; thanks for sharing!

Comment from Nike Air Max on 2009-08-05

2009-08-05T09:08:19Z

so kind of you! thanks a lot!

Comment from Louis Vuitton Bags on 2009-08-16

2009-08-16T22:24:03Z

Comment from movie on 2009-09-12

2009-09-12T21:40:21Z

Comment from China Wholesale on 2009-09-28

2009-09-28T08:14:13Z

Sessions will look at internal and external communications methods for both B2B and B2C companies and provide actionable takeaway items for attendees to immediately implement in their businesses. The forum targets business owners, executives, business communicators, key organizational stake holders, and anyone interested in gaining practical knowledge about social media.

Comment from http://news.fhvac.ru/author/administrator/ on 2009-10-02

2009-10-02T19:34:26Z

very good idea.

Comment from download movies on 2009-10-07

2009-10-07T13:51:43Z