[OpenID] FB Connect, OpenID and UX
Martin Atkins
mart at degeneration.co.uk
Mon Dec 15 20:19:19 UTC 2008

Chris Messina wrote:
>
> I think in order to advance this situation, we need to do much more
> research about reality, about how much protection is *actually* afforded
> by browser chrome affordances and derive some recommendations about the
> threat model in delegated authentication models and inform OPs and RPs
> on how best to communicate to users the risks, but also the benefits of
> the new system, and how to teach users and communicate with them about
> what to expect and what to look for when signing in to remote sites.
>

Another datapoint that might be worth considering is that I've noticed a
bunch of e-commerce sites include the "Verified by Visa" (3D-SECURE) UI
in an iframe within their checkout process, thus suppressing the browser
chrome UI about who owns the cert, etc.

Given that I'm a geek I immediately balked at this and started
right-clicking in the iframe to try to get the real cert out of it, but
the fact that VbV is deployed in this way and yet users of these sites
manage to complete checkout suggests that users simply don't care.

I agree that it'd be useful to do some real user testing here and see
how many folks will happily give away their Facebook credentials to
anyone who asks. Does anyone in the community have the resources to do
such testing?