As part of my work on the Identity project at Mozilla, I’ve been taking a look into how the average person thinks about single sign-on. It’s a complex system, so not surprisingly, it’s most often misunderstood at a fundamental level.
I ran an unmoderated user test with usertesting.com with five users. Their task was to go to Buyosphere, a site that implements Facebook Connect, create an account, then log out. Then I asked them a series of questions. All five indicated they had used Facebook to log into sites before.
“When you log out of Buyosphere, do you think it logs you out of Facebook also? Why or why not and how would you tell for sure?” Incorrect answers are red and bold.
- User 1) “i believe that once i log out of buyosphere, i am also logged out of facebook. once i am logged out i cannot see any more information regarding my account after logging out.”
- User 2) “I think it does log me out because it gave me connect with Facebook, thus it mean it is not recognizing that I have a Facebook account. I’d tell if I am or not by opening up Facebook in a new tab and seeing if it is automatically logged in or not.”
- User 3) “No, I told facebook to remember me. I would open my facebook page in a different browser window? I don’t normally tell it to log me out, so that is only a guess.”
- User 4) “Yes. I do not see a separate window for my facebook site so I would assume that Buyosphere would have set it up to log me out when I’m done on their site. I think I can check to see if I’m logged out by opening facebook and seeing if the login boxes come up or if it takes me straight to my FB page. I will try it right now….I was wrong it didn’t log me out. I am surprised by that. That makes the process of logging off take longer if I have to log out of this site and then go to FB to log out of that site separately.”
- User 5) “I don’t think it would log me out. I have used other sites through facebook and usually the log in and log outs are separate. I can tell for sure by checking my facebook page which I just did and I am logged in.”
The goal of this research was to determine whether users have a mental model that would let them correctly log out of a single sign-on system in situations with security concerns, such as a shared computer or public terminal. The answer is no. Disclaimer: do not be tempted to extrapolate from this that 60% of people would get this question wrong. This is qualitative research, not quantitative, and should not be regarded as statistically significant.
The last little gut-wrenching nugget comes from the last 20 seconds of one test. Watch and weep.
You caught it, right? She believes she could use her Facebook user and password to log into this site. *sigh* It’s horrifying how easily a bad actor could build a honeypot to collect Facebook credentials.
In addition to confusion over when/where/how to log-in and log-out, we know that sites have big percentages of users with multiple accounts. This video clearly illustrates how that can happen.
What are sites to do? I don’t think there is a good answer. As much as your business case allows, use only one identity provider. If you’re using Facebook Connect, don’t have a standard log-in. Too often, two log-in systems are less than the sum of their parts. LukeW’s article details experiments to mitigate these problems. Some of them have security concerns that wouldn’t fly with many sites. I’m not confident any of them work massively better than only supporting one way of logging in. However, many sites will feel it necessary to have a standard log-in plus Facebook Connect. Clearly more thinking and testing needs to be done in this direction.
Of course, my biased view is that we can build better solutions for single sign-on.

11 comments
lloydhilaiel (@lloydhilaiel) says:
Feb 7, 2012
“Too often, two log-in systems are less than the sum of their parts” http://t.co/XpgV3Bfi
@noahmp says:
Feb 7, 2012
Great points rt @skinny: It’s horrifying how easily a bad actor could build a honeypot to collect Facebook credentials. http://t.co/7BlQw6mC
Lozzy says:
Feb 7, 2012
“If you’re using Facebook Connect, don’t have a standard log-in.” Unfortunately, this would exclude people like me. I’ve never used Facebook and plan to keep as far away as possible.
Indeed, I have had experience of this; unfortunately there are various online entities which only allow interaction through Facebook. Some websites rely exclusively on their comments system, another company promotes their Facebook wall as the only way to communicate with them.
Crystal Beasley says:
Feb 7, 2012
@Lozzy I empathize. Having Facebook become the de facto identity provider also gives me concern. It might sound cheesy, but Mozilla is perfectly positioned to build a federated identity provider. We’re non-profit and have no intention or motive for ever monetizing the service.
Danny Moules MQuack (@Rushyo) says:
Feb 8, 2012
How People *Think* Facebook Connect Log‑in and Log‑out Work http://t.co/iV1epUIC
Ian Thomas (@ianmthomasuk) says:
Feb 8, 2012
@Lozzy This is definitely a common concern, but one I think most users haven’t actually thought through carefully. Are you wary about using Facebook Connect because:
a) You don’t want the company behind it to have the ability to log in to 3rd party sites as you and link the accounts between those sites; or
b) You don’t want to start friending people and have your boss seeing unsuitable pictures of you.
If it’s the former, then that is a problem with any SSO system that involves a trusted third party, although there are some SSO systems that let you choose from multiple TTPs or set up your own server.
If it’s the latter, then I don’t understand the problem. Just having a Facebook account doesn’t mean you’re automatically friends with any one. You can very easily set up an account in a fake name and not add any content at all – i.e. only use the SSO features, not the social network features.
(having said this, I wouldn’t restrict my site to Facebook Connect only, because I don’t want to have to have this argument with my users.)
Lili Van Hecke (@LiliVanHecke) says:
Feb 9, 2012
How People *Think* Facebook Connect Log‑in and Log‑out Work : http://t.co/Bcq3Wp34
Lozzy says:
Feb 10, 2012
@Crystal: Yes, I am incredibly keen on BrowserID and think it has quite the potential to spark a revolution in its field.
No, it’s not cheesy at all; Mozilla is in an unparalleled position to create trustworthy, unbiased, privacy-preserving features for the web. This isn’t exclusive to Identity; projects such as Push Notifications and WebAPI are best left to Mozilla to keep them clear of Google, Microsoft and Apple’s respective agendas.
@Ian: In a nutshell, I have seen what Facebook has become and – as an outsider – I want no part in that behemoth. Your 2 points are both valid contributors to that view, but they don’t encompass the entirety of my concerns.
Overall, I’d feel much safer logging in with BrowserID so that I’m more in control and have many more options regarding who is involved in the transaction.
Lozzy says:
Feb 10, 2012
Missed one other critical importance of BrowserID; there’s a plethora of perks related to being incorporated in the browser. Aside from usability improvements, there’s other fundamental features which come with it; pressing one browser button to log out everywhere, being able to customize the experience with addons and protection from spoofing.
To expand upon the latter point, having browser specific chrome (like Firefox’s arrow panels) being used to log in and out would make it nigh impossible to replicate that experience in order to gather credentials as is mused at in Crystal’s article.
Tom Moor (@tommoor) says:
Mar 3, 2012
How People *Think* Facebook Connect Log‑in and Log‑out Work http://t.co/Ly2yXpe5 #UX
Caolan McMahon (@caolan) says:
Mar 4, 2012
How People *Think* Facebook Connect Log‑in and Log‑out Work http://t.co/TqSJ57Dj