Popup flow

Marc Canter marc at broadbandmechanics.com
Sun Sep 20 12:06:07 UTC 2009


Can we blog about this or wait?

On Sat, Sep 19, 2009 at 11:32 PM, Allen Tom <atom at yahoo-inc.com> wrote:

> Jonathan Coffman wrote:
>
>>
>> In seeing Yahoo's announcement of their pop-up flow, and Google's previous
>> migration -- is this quickly becoming the de facto standard?
>>
> Hi Jonathan,
>
> Yahoo's usability testing indicates that the new OpenID popup flow performs
> better than the old redirect flow, and this is also consistent with
> Facebook's experience with Connect.
>
> The popup flow is currently an extension, meaning that it's optional, and
> it's the RP's choice to invoke either the popup or redirect. If you have the
> resources to experiment with both flows in a production environment,
> definitely everyone would be very interested in the results.
>
>> Some of my stakeholders are asking for a templated/co-branded experience
>> so that users, when redirected, see a logo, etc from the RP on the
>> sign-up/log-in page for our OP. Obviously, that's not too difficult to do
>> but I feel like the whole argument might be overcome with a simplified OP
>> design by utilizing the popup draft spec.
>>
> Section 6 in the Draft User Interface spec defines a mechanism for the RP
> to pass its logos to the OP. Showing the RP's logos to the user on the OP's
> approval/login screens definitely is very helpful to users, and feedback
> from our testers in our usability labs was overwhelmingly positive when we
> did this.
>
> Speaking on behalf of Yahoo, there are issues with displaying metadata
> about the RP that was not manually reviewed for correctness by the OP. For
> instance, the RP could be a malicious site that is pretending to be a
> trusted site, such as a bank. The malicious RP could misrepresent itself by
> passing the bank logo to the OP.
>
> Other OPs that are planning to support the RP Icons portion of the UI
> Extension may have other opinions about how important it is for OPs to
> manually verify the RP's logos before displaying them to the user.
>
> An alternative approach for having the RP pass metadata about itself to the
> OP (including icons, name, description) would be to use the OpenID OAuth
> Hybrid Extension, and have all the RP metadata bound to the RP's OAuth
> consumer_key. Most OAuth service providers usually have certain
> business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case,
> business partners are allowed to have logos associated with their consumer
> key, and all of these logos are manually reviewed before being enabled.
>
> Thanks
> Allen
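
An added illustration, not part of the original thread and not Yahoo's code: a sketch of the OP-side decision Allen describes, where an RP logo is displayed only when it is bound to a reviewed OAuth consumer_key rather than asserted by the RP itself. The registry, keys, realms and function names are constructed assumptions; the extension namespaces and the `mode`, `icon` and `consumer` parameters follow the UI Extension and OAuth Hybrid drafts, and the realm match on the consumer_key goes one step beyond what the message states.

```python
from urllib.parse import parse_qs, urlencode

OAUTH_NS = "http://specs.openid.net/extensions/oauth/1.0"
UI_NS = "http://specs.openid.net/extensions/ui/1.0"

# Constructed registry (assumption): consumer_key -> realm it was issued for,
# the logo on file, and whether an OP reviewer approved that logo.
CONSUMERS = {
    "ck-partner": {"realm": "https://shop.example/", "logo": "shop.png", "reviewed": True},
    "ck-pending": {"realm": "https://new.example/", "logo": "new.png", "reviewed": False},
}

def ext_args(params, ns_uri):
    """Return one extension's arguments, resolving its alias by namespace URI."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            prefix = "openid." + key[len("openid.ns."):] + "."
            return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}
    return {}

def branding_for(query):
    """Decide which RP branding the OP's login/approval page may display."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    realm = params.get("openid.realm", "")
    ui, oauth = ext_args(params, UI_NS), ext_args(params, OAUTH_NS)
    decision = {"popup": ui.get("mode") == "popup", "realm": realm, "logo": None}
    consumer = CONSUMERS.get(oauth.get("consumer", ""))
    # A logo is shown only if it is on file for a consumer_key issued to this
    # exact realm and has been reviewed; openid.ui.icon=true alone shows nothing.
    if consumer and consumer["reviewed"] and consumer["realm"] == realm:
        decision["logo"] = consumer["logo"]
    return decision

def sample_request(realm, consumer=None):
    """Build a constructed authentication request query string."""
    args = {"openid.realm": realm, "openid.ns.ui": UI_NS,
            "openid.ui.mode": "popup", "openid.ui.icon": "true"}
    if consumer:
        args.update({"openid.ns.oa": OAUTH_NS, "openid.oa.consumer": consumer})
    return urlencode(args)

if __name__ == "__main__":
    for realm, key in [("https://shop.example/", "ck-partner"),
                       ("https://new.example/", "ck-pending"),
                       ("https://other.example/", "ck-partner"),
                       ("https://other.example/", None)]:
        print(realm, key, branding_for(sample_request(realm, key)))
```

In every case where no logo is approved, the page still has the realm to show the user as the site requesting sign-in.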