Popup flow

Steven Livingstone-Perez weblivz at hotmail.com
Mon Sep 21 16:54:40 UTC 2009 

Cool ok. I had started to think about that the moment i sent it. Be interested in the discussions around the security issues if anyone has a pointer (happy to get a link offline).

Browser API's to do this stuff are screaming out surely but i know that's a big ask to get buy in from them.

steven
http://livz.org



From: Chris Messina 
Sent: Monday, September 21, 2009 5:24 PM
To: OpenID user experience 
Subject: Re: Popup flow


2009/9/21 Steven Livingstone Pérez <weblivz at hotmail.com>

  I would have thought an IFrame injected into the page woudn't cause popup issues.



Injected iframes are a bad idea — especially ones that ask you to enter your credentials.


Indeed, while the injected iframe approach has certainly usability benefits (i.e. no new windows to lose track of) they present untenable security issues that, ultimately, mean that they cannot be used.


Facebook has been somewhat erratic in its enforcement of the popup flow — making exceptions for certain partners. The problem is not the good actors who implement the technology correctly, though, it's that users don't develop an expectation to look for the popup, which affords them certain security-enhancing signals, like the URL bar, the presence of the HTTPS indicator and so on.


Even if most people ignore these things, for those who *know* to inspect them, the popup is an order of magnitude more security-preserving.


  Is the popups generally going to be new window instances? I'd be surprised if the is the suggested way.



I think we'll go through a transitional period. The big OpenID provider would likely prefer the popup method — which is less obtrusive than the full window redirect, which can be confusing for some users.


More usability research is needed here — and that research needs to be shared with the wider community so that we understand what the typical user mental model is of signing in — and whether they can comprehend why they're sent back to their provider, rather than logged in directly.


Chris


  steven
  http://livz.org


------------------------------------------------------------------------------
  Date: Sun, 20 Sep 2009 17:38:19 -0700
  Subject: Re: Popup flow
  From: chris.messina at gmail.com
  To: openid-user-experience at lists.openid.net 





  On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman <jonathan.coffman at gmail.com> wrote:


    Are there concerns over users with ad-blockers or pop-up blockers and being able to reach the OpenID flow?


  There are some, yes. This needs to be widely tested, but we're able to get around (read: interact with correctly) because the pop-up is launched by user action, rather than automatically.


  Facebook seems to use this method without a problem, so perhaps Luke has some insights.


  Chris





    On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:


      Jonathan Coffman wrote:


        In seeing Yahoo's announcement of their pop-up flow, and Google's previous migration -- is this quickly becoming the defacto standard?

      Hi Jonathan,

      Yahoo's usability testing indicates that the new OpenID popup flow performs better than then old redirect flow, and this is also consistent with Facebook's experience with Connect.

      The popup flow is currently an extension, meaning that it's optional, and it's the RP's choice to invoke either the popup or redirect. If you have the resources to experiment with both flows in a production environment, definitely everyone would be very interested in the results.


        Some of my stakeholders are asking for a templated/co-branded experience so that users, when redirected, see a logo, etc from the RP on the sign-up/log-in page for our OP. Obviously, that's not too difficult to do but I feel like the whole argument might be overcome with a simplified OP design by utilizing the popup draft spec.


      Section 6 in the Draft User Interface spec defines a mechanism for the RP to pass its logos to the OP. Showing the RP's logos to the user on the OP's approval/login screens definitely is very helpful to users, and feedback from our testers in our usability labs was overwhelmingly positive when we did this.

      Speaking on behalf of Yahoo, there are issues with displaying metadata about the RP that was not manually reviewed for correctness by the OP. For instance, the RP could be a malicious site that is pretending to be a trusted site, such as a bank. The malicious RP could misrepresent itself by passing the bank logo to the OP.

      Other OPs that are planning to supporting the RP Icons portion of the UI Extension may have other opinions about how important it is for OPs to manually verify the RP's logos before displaying them to the user.

      An alternative approach for having the RP pass metadata about itself to the OP (including icons, name, description) would be to use the OpenID OAuth Hybrid Extension, and have all the RP metadata bound to the RP's OAuth consumer_key. Most OAuth service providers usually have certain business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case, business partners are allowed to have logos assocaited with their consumer key, and all of these logos are manually reviewed before being enabled.

      Thanks
      Allen



      _______________________________________________
      user-experience mailing list
      user-experience at lists.openid.net
      http://lists.openid.net/mailman/listinfo/openid-user-experience


    _______________________________________________
    user-experience mailing list
    user-experience at lists.openid.net
    http://lists.openid.net/mailman/listinfo/openid-user-experience




  -- 
  Chris Messina
  Open Web Advocate

  Personal: http://factoryjoe.com
  Follow me on Twitter: http://twitter.com/chrismessina

  Citizen Agency: http://citizenagency.com
  Diso Project: http://diso-project.org
  OpenID Foundation: http://openid.net

  This email is:   [ ] bloggable    [X] ask first   [ ] private



------------------------------------------------------------------------------
  Hotmail: Powerful Free email with security by Microsoft. Get it now.

  _______________________________________________
  user-experience mailing list
  user-experience at lists.openid.net
  http://lists.openid.net/mailman/listinfo/openid-user-experience





-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private



--------------------------------------------------------------------------------


_______________________________________________
user-experience mailing list
user-experience at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-user-experience
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-user-experience/attachments/20090921/2889a71a/attachment-0001.htm>

More information about the user-experience mailing list