ClickPass: I Don’t Get It

One of the major obstacles of OpenID is certainly usability. Most people are not used to a URL as a method of login. This prevents OpenID from mass adoption. So any tool, service, or application making the login procedure easier and more comfortable is welcome.

Today ClickPass launched, promising one-click sign-in to OpenID-enabled websites. As far as I understand it, it aims to reduce the transfers which happen behind the scenes between the OpenID provider and the relying party. Well, I have tried it, so here is a small guide to how to use it.

Using ClickPass

Currently ClickPass just works with a small number of websites, one being Plaxo. It is not really surprising that Plaxo is one of the sites. Every time some company offers a new service making things easier for users, it seems like those companies call Joseph Smarr of Plaxo and ask him to implement it quickly. And faster than I could add a new plugin to WordPress, Joseph implements those services in Plaxo. It’s strange, but not surprising at all anymore. Oh yeah, other sites currently supported include Disqus and Hacker News; a WordPress plugin is also available.

Since I already have a Plaxo account, I tried logging in to it with ClickPass; I had created a ClickPass account beforehand. On the Plaxo sign-in page there is a new button now: the ClickPass button. If you click on the OpenID image, a list of popular OpenID providers drops down. Anyway, clicking Enter, I am forwarded to ClickPass to set things up.

[Image: clickpass plaxo]

Once forwarded to ClickPass I am asked which websites I want to use with it. I only choose Plaxo.

[Image: websites]

Next I have to connect Plaxo to ClickPass and something strange happens: I am asked for my Plaxo login credentials! Although it says those credentials are not stored on ClickPass, I feel rather uncomfortable giving away my login details. Luckily I can skip this step.

[Image: connect]

After choosing a username (which is part of my ClickPass OpenID), my ClickPass profile is built.

[Image: profile]

ClickPass appends a unique ID to each site. This is directed identity, right? So ClickPass will only work with OpenID 2.0 enabled websites since it is not supported by OpenID 1.1.

[Image: openid settings]
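What a per-site ("directed") identifier can look like from the provider's side, as an added sketch that is not part of the original post and is not ClickPass's code. The provider URL, secret, user name and site names are assumptions, and the HMAC derivation is one common way to build such identifiers, not ClickPass's documented method.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumptions for this sketch: provider base URL and provider-held secret.
OP_BASE = "https://op.example/id/"      # hypothetical provider
OP_SECRET = b"constructed-demo-secret"  # constructed value; a real provider keeps this private

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_realm(realm: str) -> str:
    """Reduce a relying party realm to canonical scheme://host[:port].

    Without this step, 'HTTPS://Site-A.example:443/login' and
    'https://site-a.example/' would get two different identifiers and the
    user would show up at the same site as two different people.
    """
    parts = urlsplit(realm.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported realm: {realm!r}")
    host = parts.hostname.rstrip(".")   # urlsplit already lower-cases the host
    port = parts.port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def directed_identifier(local_user: str, realm: str) -> str:
    """Identifier the provider asserts for this user to this one site only."""
    msg = local_user.encode() + b"\x00" + normalize_realm(realm).encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return OP_BASE + tag


if __name__ == "__main__":
    # Constructed sites: each one sees a different, stable identifier,
    # so two sites cannot correlate the user by comparing identifiers.
    for site in ("https://site-a.example/", "https://site-b.example/"):
        print(site, "->", directed_identifier("alice", site))
```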

So can I use Plaxo with ClickPass now? Let’s see. Back at Plaxo I click on the ClickPass button, magic happens…

[Image: authenticating]

…and then I should merge my existing Plaxo account with ClickPass. It wants my Plaxo login credentials again! And this time I can’t skip the step.

[Image: merge accounts]

Stop!

Solution?

I don’t give passwords to any third party website anymore. That’s simply not cool! The ClickPass guys are probably totally sound people and even Scott Kveton is on their board. But I refuse to do that.

There have to be better solutions for making the OpenID experience more comfortable for mainstream users. OpenID is here to overcome the password dilemma of many people, even trying to be more secure. Giving away passwords to third party sites is contradictory and is giving the wrong signal to users.

Also, it does not really look good to have another button on relying parties’ sites. Yahoo! has introduced a sign-in button already. Now there is ClickPass. How would websites look if every provider had their own sign-in button? Ugly, unclear, confusing even.

I don’t like it. But maybe I just totally missed the point of it. Maybe…


  • David Weston
    As far as I can see it Clickpass is a win-win situation. You have the ability to continue to use your previous OpenID, or switch to them as a provider and make things even slicker. You're not compromising any of your other passwords but you're gaining single one-click sign-in without hardwiring any information to a specific plugin on your machine.

    Ok, it's going to be even better when more sites adopt, but I think this looks exciting enough that I'll be watching it very closely.

    Definitely a fan, good luck Clickpass!
  • Thanks Carsten - very pleased the thinking makes sense.

    Good call on the documentation - there was such a lot to write that it didn't occur to us to explain the passwords issue. We'll get on putting a section in our docs.

    Best wishes,
    Peter
  • Carsten Pötter
    Peter,

    Thanks for the informative comment. It helps understanding how things work and what you're trying to achieve with Clickpass. It's especially good to know that the login credentials are not only stored on your servers but are not even passed through them. Maybe add an explanation to your site. I am sure users appreciated this.

    Of course, you're right that OAuth is not widely deployed yet. Would be great if you switched to it later.

    I will watch Clickpass. :)

    Carsten
  • Hi Carsten,

    I'm one of the founders of Clickpass and it's very interesting and helpful to see your critique.

    You mentioned directed identity. We are essentially doing directed identity but we built it in such a way that it's OpenID 1.1 compatible as we knew that a lot of people wouldn't yet have OpenID 2.0 libraries.

    We also made sure that people could use both their own OpenID and one from the other major providers (in the drop-down box next to the button). As more providers appear we'll be adding them into that drop-down so that site owners don't have to provide the list themselves.

    We spent a lot of time talking about the 'asking users for passwords' problem. In actuality we don't even pass the credentials through our server - they are submitted directly to the relying party but nonetheless it would be better not to ask for them at all.

    In time we'll do this step via OAuth but we knew that at the start almost no sites would be supporting OAuth and that the OpenID installation barrier was already very challenging for sites to overcome.

    We really wanted to help break OpenID through into the mainstream and have tried to do that with the best practices possible. We're still working to get those things right though and really appreciate analysis like this - it helps focus us on the bits that still need to improve. Please do contact me directly if there are any other things you'd like to see us doing - peter dot nixey at clickpass dot com.

    Peter Nixey
  • Fernando
    I agree with you on this button spawning issue that surrounds OpenID logins. As each "big" player jumps in to the OpenID field, they attempt to brand it. This gives an uneducated user the impression that each of these OpenID providers has their own version of OpenID. In reality of course, OpenID is one open login method supported by different providers.

    This button spawn business will hurt the adoption of OpenID in the mainstream, as it will become confusing to most. The better adoption method by service providers would be to use one OpenID login field, with explanatory text highlighting that OpenIDs from Yahoo, myopenid, Clickpass, and many more can be used.
  • I saw clickpass today and my first impression was that I was impressed.
    -Very easy to just click on a button and skip the part where most users have a problem (entering the correct OpenID; I've seen people trying names as "bob" or "bob@mymail.com", etc).
    After a few minutes I realised that all we get from this is more and more buttons on each login page, and as you already have said, it's ugly, unclear and confusing.

    I did not realise though how clickpass worked in practice... That you had to enter your plaxo-password again, and I also find the "Which website do you use?"-part a bit confusing. Not so impressed anymore.

    To summarize it: I don't like it either.
  • I think they want to have your Plaxo password to automatically associate your Plaxo account with your newly created Clickpass OpenID. Here is the old convenience vs. security dilemma again.