UX best practice questions at RP Login with unknown OpenID

Breno de Medeiros breno at google.com
Tue Dec 2 17:48:22 UTC 2008


I vote for the second option. Explanation online.

On Tue, Dec 2, 2008 at 8:23 AM, Sebastian Küpers <pixelsebi at me.com> wrote:
> Hi there,
>
> I work right now on the implementation of OpenID as a RP and I came up
> with the following UX / best practice question:
>
> we offer at the start page a "login" and an additional "sign-up new
> account" option.
> For both options we offer OpenID as an alternative. (login with your
> OpenID) (sign up new account with your OpenID)
>
> atm it seems to be quite common that if somebody logs in (NOT signs
> up) with an unknown OpenID, the registration process starts
> automatically, instead of pointing out with a small hint that this is
> an unknown OpenID and that he now has the option to sign up a new
> account for this service with the OpenID he just entered.
>
> I wonder now, what is the best practice?
>
> Option 1: Automatic signup with an unknown OpenID at login
> ---------------------------------
> PRO: it is quite likely that he wants to sign up a new account if we
> don't know his OpenID yet, therefore let's do it without any
> disrupting messages
> CON: people who have several OpenIDs in use may just have picked
> the wrong one and realize pretty late that they are about to sign up
> a new account instead of just logging in. (happens to me quite often,
> to be honest)
>
> Option 2: Give people a hint that this OpenID is unknown and ask them
> first if they want to sign up a new account instead
> ---------------------------------
> PRO: it's more transparent what happens and people don't accidentally
> sign up a new account when they just wanted to log in to their
> existing account
> CON: might be a security issue, because this allows people to
> evaluate whether OpenIDs are already registered for this service
>

This is a non-issue. If the user has an existing account he probably
has non-default customizations that would reveal the information
anyway. Note also that this attack already requires that the attacker
has an authenticated session with the OP for the identity he is
attacking, and under these assumptions much worse things have been
known to be possible.

> To be honest, I tend toward the solution that it would be better to give
> people the hint, instead of automatically starting the signup, if the
> OpenID is unknown - what do you think?
>
> Thanks,
> Sebastian
>
> --
> Sebastian Küpers
> Freelance Consultant
>
> Virtual Worlds
> Semantic Web
> Social Web
>
> http://pixelsebi.com
>
> Paul-Linke-Ufer-44a
> 2HH, Aufgang A
> 10999 Berlin - Germany
>
> +49 (0)151 21 08 66 09 (mobile)
>
> +49 (0)30 616 273 26 (office)
> +49 (0)30 616 297 12 (fax)
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
