Non-directed identity UX question
George Fletcher
gffletch at aol.com
Fri Jan 15 14:58:15 UTC 2010
On 1/14/10 9:19 PM, Allen Tom wrote:
>
> On 1/14/10 3:51 PM, "Breno de Medeiros" <breno at google.com> wrote:
>
>> You mean that the RP didn't perform discovery? Or that the user
>> mistyped a URL and it happened to be a valid OpenID URL for someone
>> else?
>>
> The user mistyped their url, but the RP was still able to discover the OP.
> For instance, the user might have typed in "me.yahoo.com/userid" even though
> they had not configured a vanity URL for their yahoo account.
>
> Another example is that the user didn't realize that Flickr OpenIDs start
> with "www." and typed in "flickr.com/photos/username" when the correct
> OpenID url is "www.flickr.com/photos/username"
>
> At any rate, the RP did manage to discover the user's OP endpoint, so the
> string wasn't too badly mangled.
>
I've done this (more on purpose than by accident) to test edge cases.
Depending on the OP, it's one way of getting a directed identity like
flow out of OpenID 1.1 :)
My biggest concern is that if the RP is storing their data based on what
the user entered and not waiting for the response to see if that's
valid, it opens a security and usability hole. Seems like something
either for the security document or a best practices document for RPs
(or maybe both).
>>> If the user initiated the login process by entering their email address,
>>> then I think it would more likely that the string is correct, since the user
>>> probably knows their email address and is able to type it correctly.
>>>
>> I actually have doubts about that, because the email address space is
>> so densely used.
>>
> Yeah - also I've been noticing lately that many sites ask the user to enter
> their email address twice, to make sure that they didn't enter it
> incorrectly.
>
If the user is initiating an authentication via their email address,
then I think we need best practices around what to do at the RP if the
resulting authN assertion and AX data does not match what the user
typed. It seems like this should generate a UI to the user asking them
whether they really meant what they typed or what they used to log in.
We should probably have best practices for the OP as well (which is
really the direction of my original question).
Right now, at the OP, we tell the user that they are not currently
authenticated as the OpenID they specified to the RP, and then allow the
user to logout and sign back in as the requested OpenID. The user can't
change the identity specified by the requested OpenID. However, this is
not a consistent experience across other OPs.
>
> _______________________________________________
> user-experience mailing list
> user-experience at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-user-experience
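As an added example (not code from this thread or from any OpenID library), here is the RP-side check the reply argues for: the account is keyed off the verified claimed_id from the positive assertion rather than the string the user typed, and any difference between the typed identifier (or typed e-mail) and the asserted identifier (or AX e-mail) is surfaced so the UI can ask the user which one they meant. Identifier normalization is a simplified form of OpenID 2.0 section 7.2; the function names and the sample values are assumptions, and the code assumes the assertion's signature and return_to have already been verified.

```python
"""RP-side consistency check between what the user typed and what the OP asserted.

Added example, not the thread's own code. Assumes the positive assertion has
already been signature-verified, so openid.claimed_id can be trusted.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-typed OpenID identifier (simplified OpenID 2.0, section 7.2)."""
    s = user_input.strip()
    if not s:
        raise ValueError("empty identifier")
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s[0] in "=@+$!":
        return s                      # XRI i-name: compared as typed
    if "://" not in s:
        s = "http://" + s             # "flickr.com/photos/user" -> URL
    parts = urlsplit(s)
    path = parts.path or "/"
    # Scheme and host are case-insensitive; the fragment is never part of the identity.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def check_assertion(typed_identifier: str, asserted_claimed_id: str,
                    typed_email: Optional[str] = None,
                    ax_email: Optional[str] = None) -> dict:
    """Decide how the RP should treat a verified positive assertion.

    Returns the key under which account data may be stored (always derived from
    the assertion, never from the raw typed string) and the mismatches the UI
    must ask the user about before any data is bound to the account.
    """
    typed_norm = normalize_identifier(typed_identifier)
    asserted_norm = normalize_identifier(asserted_claimed_id)
    mismatches = []
    if typed_norm != asserted_norm:
        mismatches.append(("identifier", typed_norm, asserted_norm))
    if typed_email is not None and ax_email is not None:
        # Case-folded comparison; adjust if the provider treats the local part case-sensitively.
        if typed_email.strip().lower() != ax_email.strip().lower():
            mismatches.append(("email", typed_email, ax_email))
    return {
        "account_key": asserted_norm,
        "mismatches": mismatches,
        "action": "prompt_user" if mismatches else "continue",
    }
```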