[OpenID] FB Connect, OpenID and UX

Steven Livingstone-Perez weblivz at hotmail.com
Mon Dec 15 20:20:37 UTC 2008


Ahhhh - thanks Luke and that makes complete sense.  I read the following in
that article (not a quote from anyone at FB of course):
"It uses an in-page pop-up containing the login dialog. The user, therefore,
never really leaves the page, making the experience almost seamless."
Such an innocent line with huge implications. BUT I really wish I had more
time to play - a million apologies :)
Hmmm, writing a similar OpenID "lightbox" should be trivial as well - food
for thought, although I use OpenID mainly just for auth just now, so the
"lightbox" data sharing situation isn't something that concerns me too much
(yet).
Still, I hope the built-in identity comes soon!
steven

http://livz.org
From: Luke Shepard [mailto:lshepard at facebook.com] 
Sent: 15 December 2008 19:55
To: Steven Livingstone-Perez; general at openid.net
Subject: Re: [OpenID] FB Connect, OpenID and UX
Hey Steven-

I totally agree that identity should eventually be built into browsers and
devices. I would love to work on that.

For Facebook Connect, the user's credentials aren't ever entered into an
iframe. If the user is not logged into Facebook, then they will get a normal
browser popup. I believe browser popups are supported by OpenID as well:
Only if the user is logged in (which is detected behind the scenes) do they
see an iframe lightbox. But in that case, they are not asked for their
username or password.

On 12/15/08 11:49 AM, "Steven Livingstone-Perez" <weblivz at hotmail.com>
wrote:

Been on other things so apologies if this was discussed in the previous
thread on FB Connect.

Perhaps I am mistaken on how FB Connect works, but today I read [1] that one
"issue" with OpenID is that you need to GO to the provider web site to log
in and so it's a hassle for users, whereas with FB Connect you can log in on
that page and no redirect is required.
I think we all agree that UX is one issue other than phishing that OpenID
has had to deal with over the last few years.
However, I'm slightly perturbed that FB Connect is perceived to be *easier*
when it seems to me it is a potential phishing security nightmare (worse than
anything thrown at OpenID) in the works. Let me first apologize if I am off
base here as I have read some of the doco and admit the devil can be in the
detail sometimes.

However, I can't imagine any secure manner (possibly, beyond something like
CardSpace integrated into the OS) in which you can ask a user to log in via
an *inline* browser window. I can ONLY see an absolute requirement that you
go to your provider and get redirected back - that the web site you are
entering the details into is the one shown in your address bar.
In no time at all many of us could hack an image popup that looks like the FB
Connect login screen. In fact even if you were 100% sure (say via a browser
button) that the script added WAS that of FB Connect, it is trivial using a
DIV and CSS's z-index and any number of other methods to put another
identical window on top of that one.

Am I seriously, seriously missing something here? I love the UX on FB Connect
but all I see are potential security holes.

IMHO OpenID should be built *into* the browsers if we want to get this kind
of inline authentication mechanism.

steven
http://livz.org
[1] http://tinyurl.com/5puo96
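The distinction Luke draws (a real browser popup when credentials are needed, an in-page lightbox only for an already-authenticated user) is the whole defence against the overlay attack Steven describes, so here is an added example, not code from the thread or from Facebook, that models that decision and the provider-side guard that keeps credential entry out of embedded frames. The function names, the `win` stand-in for the browser `window`, and the sample contexts are hypothetical.

```javascript
// Added example, not part of the thread. Models the two login surfaces
// described above and the provider's guard against credential forms
// being rendered inside another site's frame.

// Relying-page decision: which surface to open, given whether the provider
// detected an existing session (the "behind the scenes" check).
function chooseLoginSurface(sessionDetected) {
  if (sessionDetected) {
    // Already authenticated: a lightbox may only ask for consent; it must
    // never collect a username or password, because the user cannot see
    // which origin an iframe belongs to.
    return { surface: 'iframe-lightbox', collectsCredentials: false };
  }
  // No session: open a top-level browser popup whose address bar shows the
  // provider's origin, so the user can verify where the credentials go.
  return { surface: 'browser-popup', collectsCredentials: true };
}

// Provider-side guard on the login page: only render a credential form when
// this window is the top-level browsing context. `win` stands in for the
// browser `window` so the check can be exercised outside a browser.
function credentialEntryAllowed(win) {
  return win.top === win.self;
}

// Headers the provider sends on its login page so the browser refuses to
// embed it in a frame at all; this backs up the script check, which a
// hostile embedding page may try to suppress. (Hypothetical helper; the
// header names and values are real, widely supported directives.)
function loginPageHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Combined policy: a credential form may be rendered only when the chosen
// surface is meant to collect credentials AND the context is top-level.
function shouldRenderCredentialForm(sessionDetected, win) {
  const choice = chooseLoginSurface(sessionDetected);
  return choice.collectsCredentials && credentialEntryAllowed(win);
}

// Constructed contexts: a top-level popup and a window nested in a frame.
const popupWindow = {}; popupWindow.top = popupWindow; popupWindow.self = popupWindow;
const framedWindow = { self: {}, top: {} };
```

The framed context fails the guard even when no session was detected, which is exactly the case a phishing overlay would try to exploit.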
