Address Bar

Johannes Ernst jernst+openid.net at netmesh.us
Thu Mar 26 00:19:05 UTC 2009


This is really interesting.

It seems to me that we are struggling with a problem that is in no way  
specific to OpenID. It sounds like we should try and get everybody in  
a room that has the same problem -- like Visa in this example --  
regardless of whether they have ever heard of or like OpenID, and come  
up with:

1. this is the best we can do with existing browsers, and we all  
educate the user the same way about the flow

2. a wish list for the browser companies how to offer better browser  
support natively for this particular pattern. Some generic pattern  
markup (not OpenID-specific, but for the redirect pattern) might be  
advantageous.




On Mar 25, 2009, at 10:57, Martin Atkins wrote:

> Allen Tom wrote:
>> Do you have more details about the verified by visa process? I'm  
>> not familiar with it.
>> I actually bought something online this morning, and I noticed that  
>> the merchant's checkout confirmation page mentioned something about  
>> portions of the screen being rendered by my credit card issuer in  
>> an iframe, which I thought was a weird thing to tell to the end user.
>
> I'm by no means an expert on 3D-Secure (which is the technology  
> underlying Verified By Visa), but the flow seems very similar to  
> OpenID:
>
> * Merchant does "discovery" on your credit card to find out who your  
> provider is.
>
> * Merchant sends you to that provider where the provider  
> authenticates you by some means -- in my case, I get asked to enter  
> three letters out of a secret word and some other security  
> questions, but I assume this varies from provider to provider -- and  
> sends an assertion back to the merchant.
>
> * The merchant receives the assertion and processes the transaction.
>
> The ever-reliable Wikipedia tells me that the Verified By Visa brand  
> of the protocol recommends loading the provider's UI in an iframe in  
> order to *stop* users seeing the address bar, because many savvy  
> users mistook it for a phishing scam:
> http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/
>
> (one might argue that this would be less of an issue if the issuing  
> banks served the data in their own domain rather than outsourcing  
> it, but I digress.)
>
> The "criticism" section of the Wikipedia page on 3D-secure details a  
> bunch of problems that OpenID implementors have also encountered.
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience



Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst




