Use Case: should RPs remember identifiers?

Dick Hardt dick at sxip.com
Tue Nov 28 23:50:40 UTC 2006


I think the soft vs hard authentication decision is best left to the  
site to decide what UX they want to have. What we should do is assist  
them in how to migrate from an existing process to using OpenID.

On 28-Nov-06, at 3:48 PM, Dan Lyke wrote:

> On Tue, 28 Nov 2006 14:35:34 -0800, Dick Hardt wrote:
>> Scenario "E" is a different use case where there is "soft auth" until
>> a critical function is needed.
>
> I always have an internal struggle here when I'm trying to resolve the
> notion of late authentication (give them the comment box, ask 'em to
> log in if they decide to use it) with the idea of not confusing the
> user with too many options. I've also recently had some automated spam
> systems take advantage of this because by randomly mashing stuff into
> input fields they managed to create a page full of links in my wiki,
> and then create a user whose name and password were more fields of
> links. I'm not sure that doing things user-first would have prevented
> that, but it might have disconnected the notion of authentication from
> that of the operation enough that the automated approach wouldn't have
> swamped my system.
>
> So to the specifics of Johannes's example, if Alice leaves the public
> terminal and Bob comes back, then Bob gets the notion that he can
> roll back wiki changes, only to be blocked when he goes to do so. I
> guess a big "I'm not Alice" button solves this problem, I just think
> that the implementors have to be careful to not give away anything
> critical when Bob comes in afterwards.
>
> I'd hate, for instance, to have some deeply religious fundamentalist
> use a web browser after I've bought something from Amazon.
>
> Dan
