Address Bar
Johannes Ernst
jernst+openid.net at netmesh.us
Thu Mar 26 00:19:05 UTC 2009
This is really interesting.
It seems to me that we are struggling with a problem that is in no way
specific to OpenID. It sounds like we should try and get everybody in
a room that has the same problem -- like Visa in this example --
regardless of whether they have ever heard of or like OpenID, and come
up with:
1. this is the best we can do with existing browsers, and we all
educate the user the same way about the flow
2. a wish list for the browser companies how to offer better browser
support natively for this particular pattern. Some generic pattern
markup (not OpenID-specific, but for the redirect pattern) might be
advantageous.
On Mar 25, 2009, at 10:57, Martin Atkins wrote:
> Allen Tom wrote:
>> Do you have more details about the verified by visa process? I'm
>> not familiar with it.
>> I actually bought something online this morning, and I noticed that
>> the merchant's checkout confirmation page mentioned something about
>> portions of the screen being rendered by my credit card issuer in
>> an iframe, which I thought was a weird thing to tell to the end user.
>
> I'm by no means an expert on 3D-Secure (which is the technology
> underlying Verified By Visa), but the flow seems very similar to
> OpenID:
>
> * Merchant does "discovery" on your credit card to find out who your
> provider is.
>
> * Merchant sends you to that provider where the provider
> authenticates you by some means -- in my case, I get asked to enter
> three letters out of a secret word and some other security
> questions, but I assume this varies from provider to provider -- and
> sends an assertion back to the merchant.
>
> * The merchant receives the assertion and processes the transaction.
>
> The ever-reliable Wikipedia tells me that the Verified By Visa brand
> of the protocol recommends loading the provider's UI in an iframe in
> order to *stop* users seeing the address bar, because many savvy
> users mistook it for a phishing scam:
> http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/
>
> (one might argue that this would be less of an issue if the issuing
> banks served the data in their own domain rather than outsourcing
> it, but I digress.)
>
> The "criticism" section of the Wikipedia page on 3D-secure details a
> bunch of problems that OpenID implementors have also encountered.
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst