Federated authentication systems such as Shibboleth and OpenID exist to solve identity management problems but they both suffer from similar usability problems when users login and logout.
Who am I today?
Who wants to maintain multiple personalisation logons on different websites?
How many usernames do you have? Do you really keep different passwords for all of those sites? And do you trust all of the sites you’re registered with to keep your password secure, given that it could be used to log in to many other websites (unless you really do keep different passwords for each site)?
The only way of mitigating this problem is to move the user sign-on and registration processes away from individual websites to centralised systems designed specifically to manage your online identity information.
A single centralised identity provision service for the whole internet can clearly never exist; consequently we have to live with the fact that there have to be multiple identity providers. But within this why should publishers proliferate their own tiny personalisation islands, often not even allowing users to share personal information and preferences between a single publisher’s own different websites, let alone across different publisher websites?
Informal evidence from librarians suggests that most users will not use the personalisation features that publisher platforms provide at all if they require a separate registration process.
Where am I from today?
Given the fact that multiple identity management systems exist, the login process for any website supporting devolved or federated authentication needs to allow the user to select which identity provider to use in order to allow the user to login. And this is the first part of the usability challenge – designing a good user interface for selection between multiple providers is hard because the whole concept of identity providers being separate from individual websites is alien to most users’ web experience.
When I login I expect a website to ask me my username and password. I don’t expect to be first asked where I come from. This confusion is further compounded by the large number of identity providers in the Shibboleth system (740 in the UK Federation alone). Asking a user to select from a list of 740 places where they could be from is clearly a massive barrier to usability. Only the most determined user will survive the logon process!
OpenID based systems don’t have the problem of large federations as potentially anyone can set up an identity provider service. The usability challenge here is to pick the best (shortest) list of providers and give the user a way of entering a (very long) text string if their provider is not on the list. Again another usability challenge for all but the tech heads amongst us.
How can I logout of the web?
Many web users find the concept of logging out of a web site hard to understand. The continuing growth in usage of social networking sites means the problems of leaving yourself logged in to a site on a public terminal have to be spelt out very clearly on all courses for internet safety taught to young adults. Think what could happen if you leave your Facebook profile open to the next stranger to walk up to a terminal.
The Shibboleth and OpenID systems both suffer from logout issues. Because these systems offer the benefit of a single sign on process, once you’ve authenticated with your chosen identity provider you can enter any number of participating websites without having to type your credentials again. This sounds like a benefit, until you realise that on a public terminal your identity will be used to enter these other sites. The Facebook problem again, this time replayed in the context of a publisher provided site.
Surely the designers of these technical systems thought this through? Well, theoretically Shibboleth supports the idea of federated logout, but OpenID has no support for this at all. And the Shibboleth system has serious technical problems which have not yet been overcome.
Currently the only practical solution is to educate users to close down and exit their web browser when leaving a public terminal. Hardly intuitive or a good user experience.
I like how the public terminals at my area library operate. You have to log into the computer. Eventually you will log out or your time will run out, then the computer reboots. Too bad I cannot personalize my library login.
Back in the 1990′s I visited a friend at the University of Michigan. When he logged on to any of the university computers, it was already personalized. Maybe we can develop a computer log-in system that connects with our personal settings in the cloud. Besides, we’re moving more toward cloud computing in any case.
There is a presentation on how they implemented single log out there. It also highlights some of the usability issues.
Looking at it, I’m still not sure how they figure out the list of sites that you’re also logged in to. I’m assuming that the IdP knows. I don’t know what the security consequences of making that information available to 3rd party sites is though. Is it right that we can see (and record) what other sites a user is logged in to?
Excuse me, that should read:
Feide.no have a presentation on how they implemented single log out there. It also highlights some of the usability issues.
Hi Richard, you might be interested in the following slides on single log-out from the Feide presentation: http://rnd.feide.no/content/single-log-out-presentation-tnc2009. Also, keep an eye out for the upcoming release from JISC regarding a publisher interface study and federated access
What we need is the single-single-sign-on system. First thing we need, of course is a WWAYF (Which WAYF Are You From).
interessant f?r mich.