MySpace OpenID Popup spotted in the wild

Johannes Ernst jernst+openid.net at netmesh.us
Fri May 1 18:18:56 UTC 2009 

Seems there are two places where the browser could help:

1. Conveying the user's preferred OP to a new RP (or giving a choice  
of OPs)

2. Assisting the authentication ceremony between OP and user, in  
particular in the case where it is initiated by an RP.

When I posted, I just thought of the second one because of the  
potential for phishing. Good catch of the other.



On May 1, 2009, at 11:11, Evert | Rooftop wrote:

> On 1-May-09, at 1:35 PM, Johannes Ernst wrote:
>> If we could get the browser developers to add anything we wanted to  
>> their browsers, what *exactly* would we want them to implement?
>>
>> This is not outlandish. The Mozilla folks asked repeatedly in the  
>> past (and we never knew what to say in response) and the security  
>> of a billion OpenIDs is not a set of user requirements that's  
>> easily dismissed either.
>>
>> It appears that it would be some kind of user interface element  
>> (think "popup" for a minute) that could display the OP's  
>> authentication ceremony. But where the browser would somehow  
>> "certify" that it was not a phishing attempt and came from one of  
>> the user's trusted OPs. In a way that is better than having the  
>> user to do a string compare on the URL shown in the address bar.
>>
>> What would such a user interface element look like? That's not  
>> limited to what we can do without cooperation from the browser guys.
>>
>> In Firefox, it could be sitting in the side bar for example. (where  
>> the bookmarks are) Or ...?
>
> My $0.02.
>
> We recently allowed openid logins to our application, most people  
> don't care about it because their browser already had their username  
> + password stored.
> I want the browser to recognize openid on a page, and pre-fill it  
> with my default openid account information.
>
> Furthermore, a browser could indicate a site has enabled openid,  
> through an icon in the addressbar, much like rss.
>
> I personally don't know anyone who actively uses sidebars,  
> especially with the 'awesomebar', every operation goes into the  
> addressbar.
> I think openid id could use a slightly more 'in your face'-type  
> thing, not a sidebar, well-hidden in some submenu.
>
> Evert
>
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience

More information about the user-experience mailing list