I saw a post a few weeks ago on Planet OpenID describing the difficulty a tech-savvy user had trying to log in to an OpenID-enabled site using a Yahoo!-provided OpenID.
In the problem described in iwoman’s post, a tech-savvy user gets confused by the fact that Yahoo tells you “your OpenID is xyz, but you don’t have to remember xyz, you can just type ‘yahoo.com’.” The engineers here (like the ones at Google) are probably thinking, “We should not encourage users to enter account-identifiable information on third-party sites.”
If this is their goal, why do they even bother to tell people their OpenID? Everyone else that uses OpenID either enters their personal OpenID directly on the relying party or clicks a button (e.g. Google) that lets them enter it on the identity provider’s site. Furthermore, have they not tried to follow their own instructions? Saying “You don’t have to remember it [your personal OpenID]” means “You can remember it, but you don’t have to.” This implies that you should be able to use your OpenID directly.
We ran into a similar problem developing the OpenID login for our Pay4Bugs software testing market. Initially, we had a button to support login via Yahoo! OpenIDs, but found out just before launch that Yahoo! imposed additional requirements on relying parties beyond those imposed by all other major OpenID providers. Yahoo! decided to require the use of an infrequently used section of the OpenID 2.0 specification that checks to make sure the URL you are sent back to (the return_to URL) is an approved and advertised entry point for the relying party. It is as if they just read the specification and developed their OpenID support based on that without looking at how OpenID is used in the real world. (I will go into more detail about the specific problems we encountered in the last post of my Radical Technology Decisions series.)
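The relying-party discovery step described above, as an added example that is not code from the original post or from Pay4Bugs: the check an OpenID provider performs, per OpenID 2.0 sections 9.2 and 13, that a return_to URL falls under the realm and matches one of the return_to endpoints the relying party advertises in its XRDS document. The Yadis fetch of the XRDS from the realm is assumed to have already happened, the XRDS is a constructed sample, and the realm-matching rules are simplified (no rejection of over-broad wildcards like `*.com`).

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
DEFAULT_PORTS = {"http": 80, "https": 443}

def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2 realm matching (simplified: over-broad wildcards are not rejected)."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme:
        return False
    if (r.port or DEFAULT_PORTS.get(r.scheme)) != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    rhost, uhost = (r.hostname or ""), (u.hostname or "")
    if rhost.startswith("*."):
        # Wildcard realm: the return_to host must be the bare domain or a subdomain of it.
        suffix = rhost[2:]
        if not suffix or not (uhost == suffix or uhost.endswith("." + suffix)):
            return False
    elif rhost != uhost:
        return False
    # The return_to path must equal the realm path or sit in a subdirectory of it.
    rpath, upath = r.path or "/", u.path or "/"
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")

def advertised_return_to_uris(xrds_xml: str) -> list[str]:
    """Collect the return_to endpoints a relying party advertises in its XRDS (section 13)."""
    uris = []
    for svc in ET.fromstring(xrds_xml).iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris.extend(uri.text.strip() for uri in svc.findall(XRD_NS + "URI") if uri.text)
    return uris

def verify_return_to(return_to: str, realm: str, xrds_xml: str) -> bool:
    """Strict OP-side check (the behaviour the post describes Yahoo! requiring): return_to must
    fall under the realm and match an advertised endpoint, each URI matched as if it were a realm."""
    if not return_to_matches_realm(return_to, realm):
        return False
    return any(return_to_matches_realm(return_to, uri) for uri in advertised_return_to_uris(xrds_xml))

# Constructed sample XRDS of the kind a relying party publishes at its realm URL.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://www.example.com/openid/complete</URI>
  </Service></XRD>
</xrds:XRDS>"""
```

A relying party that publishes no XRDS, or whose advertised URI does not cover the return_to it actually sends, fails this check even though the realm itself matches, which is exactly the class of failure a provider enforcing this step surfaces at login time.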
Yahoo! seems to suffer from a cultural problem where engineers design new features with little to no thought to either usability or how various technologies are used in the real world. Their OpenID support is a case-in-point demonstration of this problem and far from the only example.
Let’s look at Yahoo! Mail as an example. Anyone that has developed a new webapp has probably run into the problem where all email sent by your server goes to Yahoo! Mail’s spam box even if you follow every rule and standard (sign with DKIM, publish SPF records, sign with DomainKeys) that demonstrates your email is legitimate. DomainKeys was even developed by Yahoo!, and yet they still send DomainKeys-verified emails to spam. How useful is an email box where only email from big, known providers gets through and emails from the latest and greatest startups get sent to spam? To a tech person or a business person, not very useful. But surely, if Yahoo! engineers actually used their own email system, they would be aware of this problem?
Neither Google’s Gmail nor its OpenID implementation suffers from these deal-breaker problems. In the one place where Google’s OpenID implementation departed from common practice (i.e. its use of directed identity), Google clearly explains how its implementation works and how to make it work with your relying party. Is it any wonder that Yahoo! keeps losing market share? At this rate, perhaps they should consider changing their name to Ya…Who?