Using email as OpenID
August 22, 2008
One of the most common comments/questions I get while talking about data portability is ‘The OpenID User Experience sucks – how do we make it more user friendly?’.
The problem is two fold. First, users do not understand why they need to provide a URI to log in. Second, users get confused by bouncing around to a 3rd party site.
I’ve given a lot of thought to this problem.
The only answer I’ve had so far is that while the OpenID user experience is difficult to explain to users who expect an email address and password log in, the data portability value proposition may help justify the added cognitive load for users and vendors.
It’s probably true – but it’s not a good enough answer.
More recently I’ve been thinking about another potential solution.
I believe the 3rd party site bounce is actually becoming common place. Passport, Facebook, Google use it and, as such, users are becoming more comfortable with it.
The question of using a URI as a ‘username’ however, is a more difficult pattern to explain to users at a login screen.
Mapping email addresses to OpenIDs
The purists among us will argue that identity should not be tied to messaging. That is, uniquely identifying people by email address is a bad idea. It encourages spam and other unhealthy activity.
Putting that aside for a moment, however, imagine this.
Rather than asking for a user’s OpenID, ask them for their email address:
Now imagine the application refactoring the address on the fly to something like this:
The point here is that we take everything before the @ and place it after a slash. Remove the @ and put HTTP:// at the start and you end up with a well formed URI.
Now imagine that Gmail provided OpenID functionality for each email account in this way.
There are a number of challenges to pulling this off. Not the least of which is getting major email providers to support OpenID, and get existing OpenID consumers to refactor email addresses (if provided) on the fly.
It’s certainly worth thinking about though.