ClickPass: I Don’t Get It

I think they want to have your plaxo password to automatically associate your plaxo account with you newly created clickpass openid. Here is the old convenience vs. security dilemma again.

I think they want to have your plaxo password to automatically associate your plaxo account with you newly created clickpass openid. Here is the old convenience vs. security dilemma again.

I saw clickpass today and my first impression was that I was impressed.
-Very easy to just click on a button an skip the part where most users have a problem (entering the correct OpenID; I’ve seen people trying names as “bob” or “bob@mymail.com”, etc).
After a few minutes I realised that all we get from this is more and more buttons on each loginpage, and as you already have said, its ugly, unclear and confusing.

I did not realise though how clickpass worked in practice… That you had to enter your plaxo-password again, and I also find the “Which website do you use?”-part a bit confusing. Not so impressed anymore.

To summarize it; I dont like it either.

I saw clickpass today and my first impression was that I was impressed.
-Very easy to just click on a button an skip the part where most users have a problem (entering the correct OpenID; I’ve seen people trying names as “bob” or “bob@mymail.com”, etc).
After a few minutes I realised that all we get from this is more and more buttons on each loginpage, and as you already have said, its ugly, unclear and confusing.

I did not realise though how clickpass worked in practice… That you had to enter your plaxo-password again, and I also find the “Which website do you use?”-part a bit confusing. Not so impressed anymore.

To summarize it; I dont like it either.

I agree with you on this button spawning issue that surrounds OpenID logins. As each “big” player jumps in to the OpenID field, they attempt to brand it. This gives an uneducated user the impression that each of these OpenId providers have their own version of OpenID. In reality of course, OpenID is one open login method supported by different providers.

This button spawn business will hurt the adoption of OpenID in the mainstream, as it will become confusing to most. The better adaption method by service provides would be you use one open id login field, with explanatory text highlighting that openids from Yahoo, myopenid, Clickpass, and many more can be used.

I agree with you on this button spawning issue that surrounds OpenID logins. As each “big” player jumps in to the OpenID field, they attempt to brand it. This gives an uneducated user the impression that each of these OpenId providers have their own version of OpenID. In reality of course, OpenID is one open login method supported by different providers.

This button spawn business will hurt the adoption of OpenID in the mainstream, as it will become confusing to most. The better adaption method by service provides would be you use one open id login field, with explanatory text highlighting that openids from Yahoo, myopenid, Clickpass, and many more can be used.

Hi Carston,

I’m one of the founders of Clickpass and it’s very interesting and helpful to see your critique.

You mentioned directed identity. We are essentially doing directed identity but we built it in such a way that it’s OpenID 1.1 compatible as we we knew that a lot of people wouldn’t yet have OpenID 2.0 libraries.

We also made sure that people could use both their own OpenID and one from the other major providers (in the drop-down box next to the button). As more providers appear we’ll be adding them into that drop-down so that site owners don’t have to provide the list themselves.

We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server – they are submitted directly to the relying party but nonetheless is would be better not to ask for them at all.

In time we’ll do this step via OAuth but we knew that at the start almost no sites would be supporting OAuth and that the OpenID installation barrier was already very challenging for sites to overcome.

We really wanted to help break OpenID through into the mainstream and have tried to do that with the best practices possible. We’re still working to get those things right though and really appreciate analysis like this – it helps focus us on the bits that still need to improve. Please do contact me directly if there are any other things you’d like to see us doing – peter dot nixey at clickpass dot com.

Peter Nixey

Hi Carston,

I’m one of the founders of Clickpass and it’s very interesting and helpful to see your critique.

You mentioned directed identity. We are essentially doing directed identity but we built it in such a way that it’s OpenID 1.1 compatible as we we knew that a lot of people wouldn’t yet have OpenID 2.0 libraries.

We also made sure that people could use both their own OpenID and one from the other major providers (in the drop-down box next to the button). As more providers appear we’ll be adding them into that drop-down so that site owners don’t have to provide the list themselves.

We spent a lot of time talking about the ‘asking users for passwords’ problem. In actuality we don’t even pass the credentials through our server – they are submitted directly to the relying party but nonetheless is would be better not to ask for them at all.

In time we’ll do this step via OAuth but we knew that at the start almost no sites would be supporting OAuth and that the OpenID installation barrier was already very challenging for sites to overcome.

We really wanted to help break OpenID through into the mainstream and have tried to do that with the best practices possible. We’re still working to get those things right though and really appreciate analysis like this – it helps focus us on the bits that still need to improve. Please do contact me directly if there are any other things you’d like to see us doing – peter dot nixey at clickpass dot com.

Peter Nixey

Peter,

Thanks for the informative comment. It helps understanding how things work and what you’re trying to achieve with Clickpass. It’s especially good to know that the login credentials are not only stored on your servers but are not even passed through them. Maybe add an explanation to your site. I am sure users appreciated this.

Of course, you’re right that OAuth is not widely deployed yet. Would be great if you switched to it later.

I will watch Clickpass.

Carsten

Peter,

Thanks for the informative comment. It helps understanding how things work and what you’re trying to achieve with Clickpass. It’s especially good to know that the login credentials are not only stored on your servers but are not even passed through them. Maybe add an explanation to your site. I am sure users appreciated this.

Of course, you’re right that OAuth is not widely deployed yet. Would be great if you switched to it later.

I will watch Clickpass.

Carsten

Thanks Carston – very please the thinking makes sense.

Good call on the documentation – there was such a lot to write that it didn’t occur to us to explain the passwords issue. We’ll get on putting a section our docs.

Best wishes,
Peter

Thanks Carston – very please the thinking makes sense.

Good call on the documentation – there was such a lot to write that it didn’t occur to us to explain the passwords issue. We’ll get on putting a section our docs.

Best wishes,
Peter

As far as I can see it Clickpass is a win-win situation. You have the ability to continue to use your previous OpenID, or switch to them as a provider and make things even slicker. You’re not compromising any of your other passwords but you’re gaining single one-click sign-in without hardwiring any information to a specific plugin on your machine.

Ok, its going to be even better when more sites adopt, but I think this looks exciting enough that I’ll be watching it very closely.

Definitely a fan, good luck Clickpass!

As far as I can see it Clickpass is a win-win situation. You have the ability to continue to use your previous OpenID, or switch to them as a provider and make things even slicker. You’re not compromising any of your other passwords but you’re gaining single one-click sign-in without hardwiring any information to a specific plugin on your machine.

Ok, its going to be even better when more sites adopt, but I think this looks exciting enough that I’ll be watching it very closely.

Definitely a fan, good luck Clickpass!

[...] Carsten Pötter has a more in depth post on this bizarre behaviour of Clickpass. He ends with this thought: There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users. [...]