<HTML>
<HEAD>
<TITLE>Re: [OpenID] FB Connect, OpenID and UX</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hey Steven-<BR>
<BR>
I totally agree that identity should eventually be built into browsers and devices. I would love to work on that.<BR>
<BR>
For Facebook Connect, the user’s credentials aren’t ever entered into an iframe. If the user is not logged into Facebook, then they will get a normal browser popup. I believe browser popups are supported by OpenID as well:<BR>
<BR>
<BR>
<IMG src="cid:3312186890_535396" ><BR>
<BR>
Only if the user is logged in (which is detected behind the scenes) do they see an iframe lightbox. But in that case, they are not asked for their username or password.<BR>
<BR>
On 12/15/08 11:49 AM, "Steven Livingstone-Perez" <<a href="weblivz@hotmail.com">weblivz@hotmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Been on other things so apologies if this was discussed in the previous thread on FB Connect …<BR>
<BR>
Perhaps I am mistaken on how FB Connect works, but today I read [1] that one “issue” with OpenID is that you need to GO to the provider web site to log in and so it’s a hassle for users, whereas with FB Connect you can log in on that page and no redirect is required.<BR>
<BR>
I think we all agree that UX is one issue other than phishing that OpenID has had to deal with over the last few years.<BR>
<BR>
However, I’m slightly perturbed that FB Connect is perceived to be *<B>easier</B>* when it seems to me it is potential phishing security nightmare (worse than anything thrown at OpenID) in the works. Let me first apologize if I am off base here as I have read some of the doco and admit the devil can be in the detail sometimes.<BR>
<BR>
However, I can’t imagine any secure manner (possibly, beyond something like CardSpace integrated into the OS) in which you can ask a user to log in via an *<B>inline</B>* browser window. I can ONLY see an absolute requirement that you go to your provider and get redirected back – that the web site you are entering the details into is the one shown in your address bar.<BR>
<BR>
In no time at all many of us could hack a image popup that looks like the FB Connect login screen. In fact even if you were 100% sure (say via a browser button) that the script added WAS that of FB Connect, it is trivial using a DIV and CSS’s z-index and any number of other methods to put another identical window on top of that one.<BR>
<BR>
I am seriously seriously missing something here? I love the UX on FB Connect but all I see are potential security holes.<BR>
<BR>
IMHO OpenID should be build *<B>into</B>* the browsers if we want to get this kind of inline authentication mechanism.<BR>
<BR>
steven<BR>
<a href="http://livz.org">http://livz.org</a><BR>
<BR>
[1] </SPAN><FONT SIZE="2"><SPAN STYLE='font-size:10pt'><B><a href="http://tinyurl.com/5puo96">http://tinyurl.com/5puo96</a><BR>
</B></SPAN></FONT><SPAN STYLE='font-size:11pt'><BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>