Popup flow

Chris Messina chris.messina at gmail.com
Tue Sep 22 00:12:09 UTC 2009


Sure — but you're the user I'm worried about — I'm worried about the folks
who are susceptible to phishing and other exploits — who will put their
password into any username/password combo...
How do we protect them? Can we? Should we bother trying?

On Mon, Sep 21, 2009 at 4:10 PM, David Recordon <recordond at gmail.com> wrote:

> Hey Darren,
> Yeah, you're right.  My philosophy is that I'd rather give an
> application which I trust to some degree my password once and have it
> throw it away, rather than either a poor user experience bouncing me
> through a browser or it keeping my password forever.
>
> --David
>
> On Mon, Sep 21, 2009 at 4:02 PM, Darren Bounds <darren at cliqset.com> wrote:
> > Hey David,
> >
> > Not speaking about iframes specifically in this case but rather the
> > fact that the use of UIWebView controls within iPhone
> > applications is generally considered 'ok' for OAuth handshakes. Both
> > suffer from credential interception weaknesses and rely on user trust
> > due to the lack of a visible address bar.
> >
> > Darren
> >
> >
> > On Mon, Sep 21, 2009 at 6:36 PM, David Recordon <recordond at gmail.com> wrote:
> >> Hey Darren,
> >> I'm confused.  The OAuth protocol doesn't use embedded iframes either.
> >>  It supports redirects like OpenID and now via the OpenID User
> >> Experience Extension combined with the OpenID and OAuth Hybrid
> >> protocol, popups.
> >>
> >> --David
> >>
> >> On Mon, Sep 21, 2009 at 1:28 PM, Darren Bounds <dbounds at gmail.com> wrote:
> >>> I find it curious that these compromises have been embraced by the
> >>> OAuth community to support a greater UX but they are not being
> >>> embraced by OpenID. After all, isn't an iPhone UIWebView control just
> >>> a different type of iFrame? You're still trusting parent application
> >>> not to do something malicious.
> >>>
> >>> On Mon, Sep 21, 2009 at 12:24 PM, Chris Messina <chris.messina at gmail.com> wrote:
> >>>> 2009/9/21 Steven Livingstone Pérez <weblivz at hotmail.com>
> >>>>>
> >>>>> I would have thought an IFrame injected into the page wouldn't cause
> >>>>> popup issues.
> >>>>
> >>>> Injected iframes are a bad idea — especially ones that ask you to
> >>>> enter your credentials.
> >>>> Indeed, while the injected iframe approach certainly has usability
> >>>> benefits (i.e. no new windows to lose track of) they present untenable
> >>>> security issues that, ultimately, mean that they cannot be used.
> >>>> Facebook has been somewhat erratic in its enforcement of the popup
> >>>> flow — making exceptions for certain partners. The problem is not the
> >>>> good actors who implement the technology correctly, though, it's that
> >>>> users don't develop an expectation to look for the popup, which affords
> >>>> them certain security-enhancing signals, like the URL bar, the presence
> >>>> of the HTTPS indicator and so on.
> >>>> Even if most people ignore these things, for those who *know* to
> >>>> inspect them, the popup is an order of magnitude more
> >>>> security-preserving.
> >>>>
> >>>>>
> >>>>> Are the popups generally going to be new window instances? I'd be
> >>>>> surprised if this is the suggested way.
> >>>>
> >>>> I think we'll go through a transitional period. The big OpenID
> >>>> provider would likely prefer the popup method — which is less
> >>>> obtrusive than the full window redirect, which can be confusing for
> >>>> some users.
> >>>> More usability research is needed here — and that research needs to be
> >>>> shared with the wider community so that we understand what the typical
> >>>> user mental model is of signing in — and whether they can comprehend
> >>>> why they're sent back to their provider, rather than logged in
> >>>> directly.
> >>>> Chris
> >>>>
> >>>>>
> >>>>> steven
> >>>>> http://livz.org
> >>>>>
> >>>>> ________________________________
> >>>>> Date: Sun, 20 Sep 2009 17:38:19 -0700
> >>>>> Subject: Re: Popup flow
> >>>>> From: chris.messina at gmail.com
> >>>>> To: openid-user-experience at lists.openid.net
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman
> >>>>> <jonathan.coffman at gmail.com> wrote:
> >>>>>
> >>>>> Are there concerns over users with ad-blockers or pop-up blockers and
> >>>>> being able to reach the OpenID flow?
> >>>>>
> >>>>> There are some, yes. This needs to be widely tested, but we're able
> >>>>> to get around (read: interact with correctly) because the pop-up is
> >>>>> launched by user action, rather than automatically.
> >>>>> Facebook seems to use this method without a problem, so perhaps Luke
> >>>>> has some insights.
> >>>>> Chris
> >>>>>
> >>>>>
> >>>>> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:
> >>>>>
> >>>>> Jonathan Coffman wrote:
> >>>>>
> >>>>> In seeing Yahoo's announcement of their pop-up flow, and Google's
> >>>>> previous migration -- is this quickly becoming the de facto standard?
> >>>>>
> >>>>> Hi Jonathan,
> >>>>>
> >>>>> Yahoo's usability testing indicates that the new OpenID popup flow
> >>>>> performs better than the old redirect flow, and this is also
> >>>>> consistent with Facebook's experience with Connect.
> >>>>>
> >>>>> The popup flow is currently an extension, meaning that it's optional,
> >>>>> and it's the RP's choice to invoke either the popup or redirect. If
> >>>>> you have the resources to experiment with both flows in a production
> >>>>> environment, definitely everyone would be very interested in the
> >>>>> results.
> >>>>>
> >>>>> Some of my stakeholders are asking for a templated/co-branded
> >>>>> experience so that users, when redirected, see a logo, etc from the
> >>>>> RP on the sign-up/log-in page for our OP. Obviously, that's not too
> >>>>> difficult to do but I feel like the whole argument might be overcome
> >>>>> with a simplified OP design by utilizing the popup draft spec.
> >>>>>
> >>>>> Section 6 in the Draft User Interface spec defines a mechanism for
> >>>>> the RP to pass its logos to the OP. Showing the RP's logos to the
> >>>>> user on the OP's approval/login screens definitely is very helpful
> >>>>> to users, and feedback from our testers in our usability labs was
> >>>>> overwhelmingly positive when we did this.
> >>>>>
> >>>>> Speaking on behalf of Yahoo, there are issues with displaying
> >>>>> metadata about the RP that was not manually reviewed for correctness
> >>>>> by the OP. For instance, the RP could be a malicious site that is
> >>>>> pretending to be a trusted site, such as a bank. The malicious RP
> >>>>> could misrepresent itself by passing the bank logo to the OP.
> >>>>>
> >>>>> Other OPs that are planning to support the RP Icons portion of the
> >>>>> UI Extension may have other opinions about how important it is for
> >>>>> OPs to manually verify the RP's logos before displaying them to the
> >>>>> user.
> >>>>>
> >>>>> An alternative approach for having the RP pass metadata about itself
> >>>>> to the OP (including icons, name, description) would be to use the
> >>>>> OpenID OAuth Hybrid Extension, and have all the RP metadata bound to
> >>>>> the RP's OAuth consumer_key. Most OAuth service providers usually
> >>>>> have certain business/legal criteria to issue an OAuth consumer_key,
> >>>>> and in Yahoo's case, business partners are allowed to have logos
> >>>>> associated with their consumer key, and all of these logos are
> >>>>> manually reviewed before being enabled.
> >>>>>
> >>>>> Thanks
> >>>>> Allen
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> user-experience mailing list
> >>>>> user-experience at lists.openid.net
> >>>>> http://lists.openid.net/mailman/listinfo/openid-user-experience
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Chris Messina
> >>>>> Open Web Advocate
> >>>>>
> >>>>> Personal: http://factoryjoe.com
> >>>>> Follow me on Twitter: http://twitter.com/chrismessina
> >>>>>
> >>>>> Citizen Agency: http://citizenagency.com
> >>>>> Diso Project: http://diso-project.org
> >>>>> OpenID Foundation: http://openid.net
> >>>>>
> >>>>> This email is:   [ ] bloggable    [X] ask first   [ ] private
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>> Thank you,
> >>> Darren Bounds
> >>>
> >>
> >
> >
> >
> > --
> > darren bounds
> > darren at cliqset.com
> >
>



-- 
Chris Messina
Open Web Advocate

Personal: http://factoryjoe.com
Follow me on Twitter: http://twitter.com/chrismessina

Citizen Agency: http://citizenagency.com
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net

This email is:   [ ] shareable    [X] ask first   [ ] private
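As an added illustration of the mitigation Allen describes in the quoted thread (example code written for this page, not code from the thread, the spec, or any provider): an OP that ignores RP-supplied icons entirely and shows only branding bound to a manually reviewed OAuth consumer_key, and additionally checks that the request's realm falls within the realm registered for that key. The registry contents, the realm-binding check and all names are assumptions; the realm matching rules follow OpenID Authentication 2.0 section 9.2.

```python
from urllib.parse import urlsplit

# Constructed registry of OAuth consumers whose branding the OP has manually
# reviewed (hypothetical data, not from any real provider).
REVIEWED_CONSUMERS = {
    "bank-consumer-key": {
        "name": "Example Bank",
        "icon": "https://bank.example/static/logo.png",
        "realm": "https://*.bank.example/",
    },
}

def realm_matches(realm, url):
    """OpenID 2.0 section 9.2 realm matching: scheme and port must match,
    the realm path must be a prefix of the URL path, and a leading '*.'
    in the realm host matches that domain or any of its subdomains."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    if not (u.path or "/").startswith(r.path or "/"):
        return False
    rhost, uhost = r.hostname or "", u.hostname or ""
    if rhost.startswith("*."):
        base = rhost[2:]
        return uhost == base or uhost.endswith("." + base)
    return uhost == rhost

def branding_for_request(params):
    """Decide what the OP's approval screen shows for an OpenID request.
    RP-supplied icon parameters are never consulted; reviewed branding is
    shown only when the consumer_key is registered AND the request's realm
    lies inside the realm bound to that key (assumed policy)."""
    realm = params.get("openid.realm") or params.get("openid.return_to", "")
    key = params.get("openid.oauth.consumer")
    entry = REVIEWED_CONSUMERS.get(key)
    if entry and realm_matches(entry["realm"], realm):
        return {"name": entry["name"], "icon": entry["icon"], "verified": True}
    # Fallback: show the bare realm host, no logo, and flag it as unverified.
    host = urlsplit(realm).hostname or "unknown site"
    return {"name": host, "icon": None, "verified": False}
```

A request that borrows a registered consumer_key but comes from an unrelated realm gets the unverified fallback, so a look-alike site cannot have the bank's logo rendered on the OP's login screen.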

