Account Management Best PracticesOpenID for Mobile

Webfinger

Allen TomYahoo! Membership Architect

atom@yahoo-inc.com@atom

The NASCAR is just the beginning….

After logging in….

• Now what?

“Soft Registration”

• First time visitors should be presented with a soft registration form

• Collect additional data if necessary– Terms of Service– Data that was not provided via OpenID• Birthday (for COPPA)• Location• Display Name

• Don’t Ask for:• Username, Password, account recovery info

Multiple accounts

• Preferable to have the user link their OpenID with an existing account if they already have one

• Existing account probably has data that the user wants to use– Purchase history– Ratings and reviews– Profile– Reputation

Does the user already have an account?

• Ask the user– Cons: Can be confusing and lower success rates

• Check the email address– Most sites already have the user’s email address– Suggest that the user link their OpenID with their

existing account of the user’s email address is already on file

Account Linking

• Verify the user’s password to link accounts• Account linking should be optional– User might not want to link– User might have forgotten the password

• After the account has been linked, the user can log in using either their username/password or their OpenID

Account Unlinking

• Users should be able to add and remove OpenIDs to their accounts

• Same thing as adding/removing email addresses to an account– But with a much better UX!

Account Linking call to action

Most users don’t know their Yahoo or

Google OpenIDs

OpenID Login is like Email account recovery

• Many websites allow users to reset their password via email

• User needs to prove that they can access their email to reset their password

• Password reset is the same thing as logging in

Account Recovery

• Many websites allow Account Recovery via email• Outsourced Account Recovery to the user’s Email

provider

Email account recovery is like Logging In

• Sites that allow password reset via email have already outsourced their authentication to the user’s email provider

OpenID on Mobile

• Account registration has high friction on the desktop, and is virtually impossible on Mobile

• Use OpenID!• User is very likely to be already be logged into

the their OP’s mobile site– Can sign in to via a few clicks

Registration is challenging on Mobile

Yahoo OpenID Mobile

Google OpenID

Webfinger

• Find a profile page for a user given an email address

• Example:allentomdude@yahoo.com

http://profiles.yahoo.com/allentomdude

“Well Known” discovery document

• $ curl http://yahoo.com/.well-known/host-meta

<?xml version='1.0' encoding='UTF-8'?> <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'> <Host xmlns='http://host-meta.net/xrd/1.0'> yahoo.com

</Host> <Link>

<Title>WebFinger</Title> <Rel>http://webfinger.info/rel/service</Rel> <Rel>describedby</Rel> <URITemplate> http://webfinger.yahooapis.com/?id={%id} </URITemplate> </Link> </XRD>

Webfinger

• $ curl http://webfinger.yahooapis.com/?id=allentomdude@yahoo.com

<XRD> <Subject>acct:allentomdude@yahoo.com</Subject> <Alias>http://profiles.yahoo.com/allentomdude</Alias></XRD>

Webfinger

<XRD> <Subject>acct:allentomdude@yahoo.com</Subject> <Alias>http://profiles.yahoo.com/allentomdude</Alias></XRD>

• Other services can be published via Webfinger– Calendar/Photos– IMAP/SMTP settings– Other public info– OpenID service discovery? (NASCAR replacement)