Category Archives: Identity

Your first shell account

USF account
My first shell account.

You find the oddest things when you’re cleaning out old files. Like a printout for your first shell account. Mine dates from August 30th, 1993–only a short time after my arrival at New College (then part of the University of South Florida, they’ve since sensibly seceded). It was also only a few months after the 1.0 release of NCSA Mosaic, although I’m not sure I actually saw a web page in Mosaic until a few months later.

I don’t think sunflash.eng.usf.edu still exists. I know my account doesn’t.

When & where was your first shell account?

The secret origin of “log in”

We do it dozens of times a day, every day, but why do we call it logging in?

“Log in” is one of those phrases that sounds weirder the more you say it. It’s ubiquitous in online life, though it does seem like it’s being slowly overtaken by “sign in” [note 1]. But where does the phrase come from in the first place?

Clearly, a job for the Oxford English Dictionary. Luckily you can usually access the online OED through your local public library site. Thanks, libraries!

Old_terminal
Representative terminal, not actually a CTSS terminal, CC LevitateMe

The OED’s earliest listed usage of “log in” in the modern sense of “to open one’s on-line access to a computer” is from the 1963 publication Compatible Time-Sharing System from the MIT Computation Center. [2] I’m not sure if this is truly the first usage of “log in”, but it would make sense if it was, as CTSS, started in 1961, was arguably the first time-sharing operating system, and so possibly the first system that you needed to log in to. (Before that we only had batch processing systems.)

Whether it was CTSS or a similar system, I envision an engineer, probably at MIT, somewhere between 1959 and 1961, needing to describe a new user command for the system they were creating. We get a lot of neologisms from these situations, and it’s very possible log in dates from just this moment in history.

Ctss_login
CTSS Timeshare: A Programmer’s Guide, MIT press

It’s also possible that “log in” was used in a non-computer sense before time-share systems, but I haven’t seen it in print. But of course the “log” part, meaning to record something or someone, predates computers by hundreds of years.

Whaling_log
Ship’s log CC David Churbuck

That usage is in turn a shortening from entering something into a “log-book”, or ship’s log, (or captain’s log, if you’re in Starfleet) which the OED defines as:

A book in which the particulars of a ship’s voyage (including her rate of progress as indicated by the log) are entered daily from the log-board.

The first listed usage of log-book or logbook is from roughly 1689 (J. Moore’s New Syst. Math). By travelling back 250 years in time, we’ve gone from identifying ourselves within a computer system to entering the speed of a sailing ship into a book.

But why was it called a logbook? Because of this apparatus here, variously called a chip log, ship log, or log:

Log_line_1
Chip log log line, & reel, CC Kate’s Photo Diary

A log! Or at least, a piece of heavy wood, attached to a knotted rope. Which you throw overboard and time how many knots go by for a set period of time, or, as Wikipedia describes it:

When the navigator wished to determine the speed of his vessel, a sailor dropped the log over the stern of the ship. The log would act as a drogue and remain roughly in place while the vessel moved away. The log-line was allowed to run out for a fixed period of time. The speed of the ship was indicated by the length of log-line passing over the stern during that time.

This is also why we still measure nautical speed in knots. So, when you next log in to Facebook or Gmail, think about big hunks of wood being thrown off the side of a ship to measure speed.

P.S. This was fun and entertaining for me to put together, but I’m sure there are holes and inaccuracies. If you know more about the origins of “log in”, please chime in with comments, and I’ll update accordingly!

Update 8/6/11: In a comment, Andrew Durdin points to some non-computer uses of “log in” from the 1950s. Awesome!


Note 1: A couple of years ago I did a survey of top websites in the US and UK and whether they used “sign in”, “log in”, “login”, “log on”, or some other variant. The answer at the time seemed to be that if you combined “log in” and “login”, it exceeded “sign in”, but not by much. I’ve also noticed that the trend toward “sign in” is increasing, especially with the most popular services. Facebook seems to be a “log in” hold-out.

Login_survey

If the whole “sign in” vs. “log in” debate is interesting to you, there are some debates here and here. My personal feeling is that either is fine, but “sign in” is marginally more friendly and probably the preferred usage, though I’ll miss the nautical association. On the other hand, I feel strongly that “login” as a verb is an abomination and not to be tolerated under any circumstances.

If you’re really interested, you might start noticing where sites show their own evolutions and inconsistencies of usage. For example, Twitter’s web UI uses “sign in” but the URL says “login”. But now we’re probably reaching the outer limits of obsession and should stop.

Note 2. Here’s a PDF of a CTSS manual from 1964. There’s an underlined “log in” on page 6.
Interestingly, CTSS is also the system that gave us the first email system, as described by Errol Morris in his history of his brother’s role in the creation of that system. The Wikipedia history of CTSS is pretty fascinating stuff as well, and contains links to oral histories of the creation of CTSS and Multics (the precursor to Unix).

 

 

 

Slides posted for Oauth, OpenID, Facebook Connect: Authentication Design Best Practices

I've posted slides (and notes) from the talk "Oauth, OpenID, Facebook Connect: Authentication Design Best Practices" I gave at SXSW Interactive 2011. I think it went well—I definitely had fun giving it.

(I'll try to never give a talk with a title that long and awkward again. I get tired just typing it out.)

Some pretty random thoughts about Internet stuff

These are unorganized thoughts that are bouncing through my head right now.

  • Facebook and Twitter could become less ephemeral. I first said should not could, but there's a trade-off there. The reason for becoming less ephemeral is to allow users to collect and re-assess their fleeting thoughts and links and conversations for later consideration. The reason not to, of course, is that sometimes you don't want that.
  • On balance, though, I'd rather have it than not. After all, I'm pretty sure that (in some abstracted sense at least), it's being done about my data for other reasons. Why don't I get to play?
  • I'm hearing more about Livejournal from outside the circle of people-who-have-been-using-it-all-along. I doubt it is going to have a renaissance in a business or growth sense, it's more that folks are figuring out some of what was right about it all along. I tend to think about this in terms of UI details (like putting the "who this post will be exposed to" option very clearly under every post) that emphasize its flexibility on the public / friends / private axes. This person seems to think something similar. But it's not just about that axis, there's also something about navigating the line between intimacy (Facebook, at its best) and publicity (regular blogs).
  • I'm pretty sure that last is at least one reason why Tumblr is taking off as it is. It has really nailed the feeling of connecting intimate communities while also constantly running into new things.
  • I wish it had a "friends-only" post feature, though. That's Livejournal talking again.
  • On a third axis (personal control), I was and am pretty skeptical of the chances of Diaspora's success. But this post on why gender is a text field on Diaspora is one of the finest things I've seen in a long time and pleases me muchly.

When OAuth Fails: A Visual Guide

If you rely on 3rd party authentication (like OAuth, Facebook Connect, or similar) for your site, or you are planning to, you should spend a little time thinking about what happens if those 3rd parties are unavailable.

Facebook has very good uptime (Twitter somewhat less so, though improving), but very good is not the same as perfect, as a lot of people found out on September 23rd, when they had their worst outage in 4 years. (It’s to their credit that their worst outage was only 2.5 hours long!)

While they were down, I grabbed some screenshots of what happened at sites that relied on Facebook Connect for login. The results were interesting.

When you log in to Typepad, this is what you’re supposed to see. You can use your Typepad account (if you have one) on the left, or one of many alternatives on the right. The default alternative is Facebook, so Facebook Connect’s button appears:

Typepad_fb_connect

Except, of course, if it doesn’t:

Typepad_fb_connect_down

(Note: I actually still get this on Typepad sometimes, so it’s possible it’s an unrelated issue.)

On Hunch, the button was not an issue (probably because it wasn’t stored on a Facebook server):

Hunch_fb_connect_down

The Facebook Connect screen the button led to, however, was down completely.

Hunch_fb_connect_down_2

Finally, Plaxo’s Facebook Connect screen gave me this fun warning, which I suspect means I caught it while Facebook was in the process of coming back up.

Plaxo_fb_connect_down

What to do?

Well, relying on 3rd parties isn’t new, as anyone who’s worked on a payment flow with a 3rd-party payment processor can tell you. (And this is easier, because you probably aren’t in the middle of a financial transaction.)

You should think through what happens if the service is unavailable (including things like visual assets) and make sure your screen still makes sense to the user. To the extent possible you should try to avoid simply loading blank pages — if you can, detect the outage and give a message to the user. It’s nice if you have alternative means of logging in, but in most cases a simple “wait and try again” would be sufficient.
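One way to implement the "detect the outage and give a message" advice above, as an added example that is not code from this post or from any of the sites shown. The function names, the status strings and the injected `probe` callback are all assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not from any provider SDK.

// Race a provider probe against a timeout so a hung third party cannot
// leave the login screen blank. `probe` is any function returning a promise
// (in a browser: loading the provider's SDK script or a small status check).
function probeWithTimeout(probe, timeoutMs) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs);
  });
  const attempt = Promise.resolve()
    .then(probe)
    .then(() => "up", () => "error");
  return Promise.race([attempt, timeout]).finally(() => clearTimeout(timer));
}

// Pure decision step: what the login screen renders for a given status.
// An outage only ever hides the provider button and explains why; it never
// grants a session. The button image itself should be served from your own
// origin so the page still renders when the provider's servers do not.
function loginScreenState(providerName, status, hasLocalLogin) {
  if (status === "up") {
    return { showProviderButton: true, showLocalLogin: hasLocalLogin, message: null };
  }
  const fallback = hasLocalLogin
    ? "You can still log in with your account on this site."
    : "Please wait a few minutes and try again.";
  return {
    showProviderButton: false,
    showLocalLogin: hasLocalLogin,
    message: `${providerName} login is unavailable right now. ${fallback}`,
  };
}

async function buildLoginScreen(providerName, probe, options = {}) {
  const { timeoutMs = 3000, hasLocalLogin = false } = options;
  const status = await probeWithTimeout(probe, timeoutMs);
  return { status, ...loginScreenState(providerName, status, hasLocalLogin) };
}

// Constructed demo: a probe that never settles stands in for a provider outage.
buildLoginScreen("Facebook", () => new Promise(() => {}), { timeoutMs: 50 })
  .then((screen) => console.log(screen.status, "-", screen.message));
```

Keeping the decision step separate from the probe means the outage screens can be tested without waiting for a real third-party failure.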

 

Identity Providers and 3rd-Party Authentication, Some Data

Inspired by Luke Wroblewski's Data Monday blog posts, I rounded up some numbers on identity and authentication on the web.

I'm particularly interested in the growth of third-party authentication, OAuth, OpenID, and Facebook Connect.

Here are some numbers from Gigya (a "social optimization" service), from May 2010:

  • Facebook is by far the most frequently used identity provider, with 46% of logins across the web, compared to 17% from Google, 14% from Twitter, 12% from Yahoo, 7% from MySpace, 2% from LinkedIn, and 1% from AOL.
  • Twitter does far better when looking at commenting on or sharing news stories, with 45% of the total compared to Facebook's 25% and Google's 16%.

Data from JanRain's RPX service, published in April 2010, shows a slightly different picture:

  • Google was picked for 39% of logins, compared to Facebook at 23%, Yahoo at 12%, Twitter at 6%, Windows Live at 3%, and all others totalling 15%.
  • JanRain had slightly different numbers for some verticals, with Facebook logins making up 45% of both logins at media company sites and on technology platforms.
  • When measuring publishing activities back to social networks using a sample set of sites, users shared to Facebook 54% of the time, Twitter 38% of the time, Yahoo 9%, and MySpace 8%.

Leah Culver measured logins and signups on TypePad's platform in September 2009 and found the following:

  • 73% were using Typepad accounts, but 27% were using another identity provider. The largest percentage were from Facebook (13%), followed by Google (5%), Twitter (4%), and Yahoo (2%).
  • When looking at signups (rather than logins), however, Typepad saw growth of 775% in non-Typepad identity providers from June to September. This growth is linked to redesigns that promoted use of alternative identity providers.

Facebook's own data contains a few tidbits about Facebook Connect:

  • A case study with SimplyHired showed that "users who log in with Facebook are twice as engaged as non-Facebook users."
  • They also state that "More than 150 million people engage with Facebook on external websites every month."

Quora: How third-party auth can go horribly wrong

A while back, I requested an invitation to Quora, a newfangled question-and-answer service. Yesterday, I got my invitation email, and clicked on the link.

I vaguely knew that Quora was doing vaguely social things, so I wasn’t surprised to see the account creation flow lead up with a Facebook Connect prompt (with Twitter as an option). Here’s that page:

Quora_1

I clicked on the more link, and read some nice words about what Quora will and won’t do with their new powers over my accounts. I’m not sure a teeny-tiny more link really cuts it, but it’s something.

So, let’s connect with Facebook! So far, so normal, if you’ve seen one of these before.

Quora_3

Next, I finish up the Quora side of account creation. Quora displays a Facebook-derived picture of me (plus my full name). The latter is clearly editable, the former — unclear? Anyway, this screen confirms what I suspected but wasn’t really clear on, which is that Quora has its own account for me which is linked to my Facebook account, rather than solely using my Facebook account. This could confuse folks: that Facebook logo in my picture is awfully close to the “New password” field, possibly leading to a misimpression that I’m changing my Facebook password. Let’s forge on.

Quora_5

I have no idea what this means, and the alert dialog is disconcerting. I sense trouble, but click OK and try again.

Quora_6

Oh my. Twitter too? Of course, since OAuth 1.0 works differently from Facebook Connect, I’m seeing a Twitter page rather than a wee pop-up dialog. But that’s “normal” these days. Why is this coming up, though, as I selected account creation with Facebook Connect? I did play with the toggle a bit, so it could be a bug, but it’s also possible Quora just wants both connections and is being heavy-handed about it.

What the heck. Let’s OK it, and forge on.

Quora_7

This stays up for a while. That’s probably not good. Eventually I click the “click here” link, with a distinct doom-ey feeling.

Quora_8

Yep, blank page showing code. Always good. Hey, I wonder if something is going on in another tab?

Quora_9

Well, that’s a little better. It’s an actual web page, with the logo of the site I dimly remember trying to create an account with. (Normal people would have given up long ago, of course. Designers, we take screencaps of the carnage. It’s an unsavory habit, like ambulance chasing.)

At this point I start doing the usual flail-ey reloading of this and that tab and etc. I get one of these:

Quora_10

And, after more clicky flailing, I eventually get a proper page which seems to indicate that I have created an account. Hooray!

Quora_11

Now, why is this interesting? It’s not that a startup might have some goofy bugs. That’s normal, and presumably Quora will fix them. (It’s also entirely possible that my setup was doing me some damage, as it’s often in the weird states that come with doing web work.)

Two things are interesting. First, that was twelve or so screens from invitation to a page I could do stuff on. Even removing about half of them as optional or caused by bugs or whatever, that’s a hugely long account creation flow. And so drop-off must be huge, why, I bet if Quora measured it …

Ah. But they can’t! At least, not completely or easily. And that’s the second thing. Because the flow is not entirely under their control. In fact, I just spent a good amount of time on other sites’ domains, with their branding and UI. Also, complexity. There were so many access tokens whizzing back and forth in the ether during this process it was like a snowball fight.

It’s hard enough designing and developing an account creation flow that you have complete control over. But when you hand over critical bits of it to third parties, you lose control, and you increase complexity. When you increase complexity and reduce control, you make it more likely something will go horribly wrong and simultaneously harder to diagnose and fix the thing that went horribly wrong.

There are lots and lots and lots of benefits to linking third parties to your application. But there’s a cost as well.

(Also, in case it’s not clear, this post isn’t meant to beat up on the fine folks over at Quora. I’m trying to make a general point, and they just had a blip at an opportune time.)

A Pragmatic Designer’s Guide to Identity on the Web

I'm still not sure if I'm claiming to be a pragmatic designer with this title, or merely to be offering a guide for other people who might consider themselves pragmatic designers.

In any case, the title was largely a way to narrow what is potentially a huge topic—identity on the web—to something I could reasonably talk about in an hour. Really, it should have been called something like: "An idealistic designer trying very hard to be pragmatic about one subject and partially succeeding. The subject is the user experience of identifiers and authentication, and this is a partial picture at best, but it's possible that the audience will end up a little more educated after the presentation than they were at the beginning." But that's not very succinct.

I gave this talk in May at WebVisions 2010 in Portland. WebVisions is fabulous. I don't think I'm done with this topic—I assigned it to myself because I thought I had some learning to do, and learned, but there's more I'd like to learn. Plus, stuff keeps changing.

Missing from the SlideShare presentation are the breathless ranting and manic handwaving that are characteristic of my presentation style.