As part of my work on the Identity project at Mozilla, I’ve been taking a look into how the average person thinks about single sign-on. It’s a complex system, so not surprisingly, it’s most often misunderstood at a fundamental level.
I ran an unmoderated user test on usertesting.com with five users. Their task was to go to Buyosphere, a site that implements Facebook Connect, create an account, then log out. Then I asked them a series of questions. All five indicated they had used Facebook to log into sites before.
“When you log out of Buyosphere, do you think it logs you out of Facebook also? Why or why not and how would you tell for sure?” Incorrect answers are red and bold.
The goal of this research was to determine whether users have a mental model that would allow them to correctly log out of a single sign-on system in situations where there are security concerns, such as a shared computer or public terminal. The answer is no. Disclaimer: Do not be tempted to extrapolate that this means 60% of people would get this question wrong. This is qualitative research, not quantitative, and should not be regarded as having statistical significance.
The last little gut-wrenching nugget comes from the last 20 seconds of one test. Watch and weep.
You caught it, right? She believes she could use her Facebook username and password to log into this site. (Sigh.) It’s horrifying how easily a bad actor could build a honeypot to collect Facebook credentials.
In addition to confusion over when, where, and how to log in and log out, we know that sites have large percentages of users with multiple accounts. This video clearly illustrates how that can happen.
What are sites to do? I don’t think there is a good answer. As much as your business case allows, use only one identity provider. If you’re using Facebook Connect, don’t also offer a standard log-in. Too often, two log-in systems are less than the sum of their parts. LukeW’s article details experiments to mitigate these problems. Some of them have security concerns that wouldn’t fly with many sites. I’m not confident any of them work massively better than supporting only one way of logging in. However, many sites will feel it necessary to offer a standard log-in plus Facebook Connect. Clearly more thinking and testing needs to be done in this direction.
Of course, my biased view is that we can build better solutions for single sign-on.