[OpenID] Re: Combining Google & Yahoo user experience research
Martin Atkins
mart at degeneration.co.uk
Thu Oct 23 00:11:46 UTC 2008
Chris Messina wrote:
>
> Delegation seems possible with email identifiers, but unlikely.

People quite often use delegation on their vanity domains today. I don't
see that being any less attractive once my identifier is
mart at degeneration.co.uk rather than http://mart.degeneration.co.uk/; I
still don't want to run my own OpenID provider.

It could be argued that delegation from vanity domains is one of the key
reasons why OpenID attracted so many early adopters.

> I also think that the case of account collision (where a user attempts
> to log in to an RP with an identifier from an OP where an active session
> has been established for a different user) is both likely and common.
> However, in terms of user experience, there are a number of things
> that could improve this flow:
> 2. should a collision occur, there is a possibility that the end user
> will actually sign off from the current session ("Oh, that's not my
> account... hmm") and sign in under their own account, and complete the
> return_to RP with either the original identifier as the claimed
> identifier, or with a directed identity. In either case, this flow
> would be rather intuitive, but also supports the case where the
> presented email identifier is not [always] returned to the RP.
>
Indeed. It would be acceptable for the OP to say to the user "You're
Fred, not John. Would you like to log in as John instead?" or something
to that effect.

That way the switch to a different account is not a surprise to me. If I
typed John into the RP, it's quite likely that it's John I intended to
authenticate as.