[OpenID] OpenID User Interface Working Group

Peter Williams pwilliams at rapattoni.com
Sun Mar 22 01:28:58 UTC 2009 

As folks have responded to a few simple challenges, two rationales have been stated or implied:

Openid usability studies  have suggested that openid adoption would be positively impacted by some optional protocol cues related to ui, as communicated between rp and op.

The cues become an enforcement mechanims by which mega ops can market their assured user uauth and trust networking services, ensuring that misguided rps do not contaminate the assurance gained from the due care shown by the op - which undermines the trustworthiness of the op brand shown at rp login forms.

On the one hand voters are encouraged to focus on the trivilaity of the protocol message enhacements' beggin for a rubber stamp response. On the other, others allude to ther being much bigger issues at stake,   related to cert trust (ev) in address bars, mandatory ssl, pape and phishability, and promoting/enforcing "safe design" via explicit governance of rps by ops (along with mandatory user education campaigns).

-----Original Message-----
From: Nash, Andrew <annash at paypal.com>
Sent: Saturday, March 21, 2009 3:53 PM
To: Allen Tom <atom at yahoo-inc.com>; general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID User Interface Working Group


Hi Allen,

Thanks for taking time to clarify the points of discussion (my apologies
for the late response - other responsibilities kept me from addressing
this).

As you folks at Yahoo are well aware, the biggest challenge from a UI
perspective is that the bad guys do not play by the rules. If there is
something that can be used as a visual queue - in almost all cases the
same visual queues can be replicated. The upshot is that we can create
an environment in which users are lulled into a false sense of security.

Providing the visual queues of an address bar may or may not be useful.
Do you expect that there will be a facility as part of your scheme that
will ensure that a site's SSL certificate (in PayPal's case an EV cert)
can be used to verify the address bar contents? If an address bar is
simply a visual queue with no supporting validation mechanism, then a
spoof RP will simply render an address bar with the correct URL for the
IDP and we have achieved nothing but ensuring that users are more easily
fooled.

This is the basis of my problem with the fundamental assumption of the
WG - I have yet to see a solution in this space that actually works -
and we have look at this problem on an almost daily basis.

If you have something that fundamentally changes the equation here in a
trusted fashion I would be delighted to hear about it. I am like
everyone else completely aware of the desirability of a more clean user
experience for authentication - not just with OpenID.

--Andrew

-----Original Message-----
From: Allen Tom [mailto:atom at yahoo-inc.com]
Sent: Thursday, March 19, 2009 7:07 PM
To: Nash, Andrew; general at openid.net
Subject: Re: [OpenID] OpenID User Interface Working Group

Hi Andrew,

I am in total agreement with you that phishing is a huge problem, and
the Yahoo Membership team (the same folks working on OpenID) devotes a
considerable amount of resources to fight phishing, and well as trying
to help users who have been phished.

We also put in a lot of effort to educate users about phishing, and we
strongly encourage our users to setup a personalized anti-phishing
Sign-in Seal, as well as to always check the address bar of the browser
before entering their Yahoo credentials.

http://security.yahoo.com/article.html?aid=2006102503
https://protect.login.yahoo.com/
http://openid.yahoo.com/ (Click on the OpenID Tour link to learn about
phishing and OpenID)

We are totally against the concept of allowing an RP to open a frame for
the user to enter their OP's password. As you pointed out, the user
would have no idea where the password is going, and this would be
extremely insecure. Earlier versions of Facebook Connect used to
demonstrate this behavior, and I'm very glad to see that Facebook has
since moved the password validation into a standalone popup window, with
the browser's addressbar clearly displayed.

One of Yahoo's primary security requirements with Federated SSO (OpenID,
OAuth, BBAuth, SAML) is that the user is able to recognize the Yahoo
Login screen. We do this by educating users to always check the address
bar and to create a customized Sign-in Seal.  The UI Working Group
believes that a popup authentication screen, in a standalone browser
window (not framed) and with the address bar clearly displayed,
providers users with the same ability to detect phishing compared to the
existing full browser redirect user experience that is used by OpenID
today.

 From a user experience perspective, eliminating the browser redirect
maintains the context of the RP's site, which is the biggest complaint
that we've received with BBAuth, OAuth, and OpenID.  Facebook, Yahoo,
many others have UX research showing that the redirect is a very jarring
experience, and the success rate can be dramatically improved by moving
to a popup flow.

As far as I can tell, an independent popup window, with the address bar
displayed, has the same characteristics with regards to phishing, as the
full browser redirect. The popup window does not prevent OPs from
deploying anti-phishing technologies, and I believe that the popup will
drive more widespread usage of OpenID, which will also increase demand
for anti-phishing solutions.

thanks
Allen


Nash, Andrew wrote:


> One of the ways that we have been able to reduce the incidence of
> successful account takeovers has been to drill into consumers that
> they should NEVER sign into an account on a domain that is not
> directly associated with the account provider. This is not perfect,
> but then none of the anti-phishing techniques are - it is why we have
> to spend so much money and utilize so many different strategies.
>
> As it reads, UI working group will be socializing the concept among
> users that it is perfectly fine to enter your authentication
> information at any site that pops up a frame asking for it. From an
> Internet trust perspective this is a REALLY BAD IDEA!
>
> OpenID is already criticized for its exposure to phishing and spoofing

> attacks. If this approach is taken in the way it seems to be
> described, we will pretty much ensure that no one that has medium to
> high value transactions or services will be interested in implementing
OpenID.
>
> --Andrew
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

More information about the general mailing list