[OpenID] popup protocol UX? Re: FB Connect, OpenID and UX

Peter Watkins peterw at tux.org
Mon Dec 15 20:32:16 UTC 2008


On Mon, Dec 15, 2008 at 11:54:50AM -0800, Luke Shepard wrote:

> I totally agree that identity should eventually be built into browsers and devices. I would love to work on that.
> 
> For Facebook Connect, the user's credentials aren't ever entered into an iframe. If the user is not logged into Facebook, then they will get a normal browser popup. 

More on the observation that the Connect popup isn't (always?) served
via a secure (encrypted/authenticated) https address...

It's nice that the real Connect API opens a popup with the Location bar
intact so the user gets some hints as to the legitimacy of the popup asking
for their credentials. Has Facebook done any usability testing to see how
users would react to 
 1) the popup omitting the Location bar
 2) the popup being served with a non-facebook.com URL?
 3) the difference between responses to http and https popups?

I probably don't spend enough time on social networking sites -- I find
it interesting to note that while almost all banks and online retailers
now only ask for username+password on https URLs, many of the most 
oft-cited social networking sites (Facebook, MySpace, YouTube, LiveJournal, 
Meetup) ask for login credentials on insecure pages, although some other
prominent "social" sites use https -- LinkedIn, Flickr, Last.fm, imeem, Plaxo.

-Peter



