You're absolutely correct, Steven.<div><br></div><div>This is something that was discussed at the OpenID UX Summit.</div><div><br></div><div>This tension to get the sign-in experience into the page (thus avoiding taking the user out of the current context to authenticate) versus forcing them out of the local context and into the context of the OP is the number one challenge facing OpenID.</div>
<div><br></div><div>Facebook Connect has an appreciable advantage because it rejects user choice. You click a button, and it executes an experience from Facebook.com on the current page. Though Sebastian Kupers has proposed applying the FB Connect experience to OpenID [1], by keeping the experience within an iframe-style interface you lose certain affordances that are otherwise recommended to provide users with context clues to determine whether or not to trust the web page in front of them (i.e., the URL bar, the HTTPS lock, etc.).</div>
<div><br></div><div>Now, at the UX Summit, it was agreed, and Facebook agreed to this as well, that all authentication should be done in popup windows. It certainly is an uncomfortable experience, but Facebook agreed that having those affordances that I mentioned visible and available was necessary to provide at least *some* aid in determining whether the sign-in form was hosted at <a href="http://facebook.com">facebook.com</a> or not.</div>
<div><br></div><div>Unfortunately, since FB Connect launched, it appears that they've waffled on this. I've tested the TechCrunch FB Connect integration and have seen both the popup AND the inline experience. Facebook does provide you with a mechanism to "pop" the sign-in experience if you don't "trust" the current site, but it's unlikely that typical users will necessarily use that feature (or, to put it another way, phishing sites will obviously leave out that link).</div>
<div><br></div><div>Now, I've heard the argument before that if someone's going to want to connect their Facebook account to a site, they're going to trust it, regardless of the sign-in experience. In other words, if someone is on a site that they frequent, and somehow that site has been compromised to point the FB Connect API to a phishing site, regardless of all the browser chrome that you throw at someone, it will already be too late and they'll provide their credentials to any interface put in front of them.</div>
<div><br></div><div>Unfortunately I think we're going to see people get burned with Facebook Connect before it gets better. At the same time, Facebook at least is in the position to legally confront such abuses, which is something terribly lacking in the OpenID ecosystem.</div>
<div><br></div><div>While legal remedy alone cannot stem abuse, it is one tool that would greatly enable us to innovate the user experience given all the concerns about phishing and privacy... just as people trust the postal service to transmit confidential documents with little more shielding than a sealed paper envelope.</div>
<div><br></div><div>I think that in order to advance this situation, we need to do much more research about reality, about how much protection is *actually* afforded by browser chrome affordances, derive some recommendations about the threat model in delegated authentication models, and inform OPs and RPs on how best to communicate to users the risks, but also the benefits, of the new system, and how to teach users and communicate with them about what to expect and what to look for when signing in to remote sites.</div>
<div><br></div><div>Chris</div><div><br></div><div>[1] <a href="http://pixelsebi.com/2008-12-14/open-connect-a-ux-proposal-for-the-openstack/">http://pixelsebi.com/2008-12-14/open-connect-a-ux-proposal-for-the-openstack/</a><br>
<br><div class="gmail_quote">On Mon, Dec 15, 2008 at 11:49 AM, Steven Livingstone-Perez <span dir="ltr"><<a href="mailto:weblivz@hotmail.com">weblivz@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p>Been on other things so apologies if this was discussed in
the previous thread on FB Connect …</p>
<p> </p>
<p>Perhaps I am mistaken on how FB Connect works, but today I read
[1] that one "issue" with OpenID is that you need to GO to the
provider web site to log in and so it's a hassle for users, whereas with FB
Connect you can log in on that page and no redirect is required.</p>
<p> </p>
<p>I think we all agree that UX is one issue other than
phishing that OpenID has had to deal with over the last few years.</p>
<p> </p>
<p>However, I'm slightly perturbed that FB Connect is
perceived to be *<b>easier</b>* when it seems to me it is a potential phishing security
nightmare (worse than anything thrown at OpenID) in the works. Let me first
apologize if I am off base here, as I have read some of the doco and admit the
devil can be in the detail sometimes.</p>
<p> </p>
<p>However, I can't imagine any secure manner (possibly, beyond
something like CardSpace integrated into the OS) in which you can ask a user to
log in via an *<b>inline</b>* browser window. I can ONLY see an absolute
requirement that you go to your provider and get redirected back – that the
web site you are entering the details into is the one shown in your address bar.</p>
<p> </p>
<p>In no time at all many of us could hack an image popup that
looks like the FB Connect login screen. In fact, even if you were 100% sure (say
via a browser button) that the script added WAS that of FB Connect, it is
trivial using a DIV and CSS's z-index and any number of other methods to
put another identical window on top of that one.</p>
<p> </p>
<p>Am I seriously, seriously missing something here? I love the
UX on FB Connect but all I see are potential security holes.</p>
<p> </p>
<p>IMHO OpenID should be built *<b>into</b>* the browsers if we
want to get this kind of inline authentication mechanism.</p>
<p> </p>
<p>steven</p>
<p><a href="http://livz.org" target="_blank">http://livz.org</a></p>
<p> </p>
<p>[1] <a href="http://tinyurl.com/5puo96" target="_blank">http://tinyurl.com/5puo96</a></p>
</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Technology Advocate-at-Large<br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>
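<p>The popup-based flow that Chris says the UX Summit settled on, and the framing and overlay concern Steven raises, as an added example that is not code from this thread, from OpenID or from Facebook Connect. The RP opens the OP's sign-in page as a real top-level window (so the browser, not the page, draws the address bar and TLS indicator), the OP refuses to render its form when framed, and the RP accepts a sign-in result only if it arrives from the OP's origin and from the very window the RP opened. The origins <code>op.example</code> and <code>rp.example</code>, the <code>/signin</code> path, the <code>return_to</code> parameter, the <code>signin_result</code> message shape and the <code>signin</code> button id are all assumptions made for the example:</p>

```javascript
// Added example; not code from the thread, from OpenID or from Facebook Connect.
// It models the popup-based sign-in the thread argues for: the RP opens the OP
// in a real top-level window (so the user keeps the address bar and TLS
// indicator), the OP refuses to show its form when framed, and the RP accepts a
// result only if it arrives from the OP's origin AND from the window the RP
// itself opened. Origins, paths and the message shape are placeholders.

const OP_ORIGIN = "https://op.example";   // assumed identity provider origin
const RP_ORIGIN = "https://rp.example";   // assumed relying party origin

// ---- Relying party (RP) side ----------------------------------------------

// Open the OP's sign-in page in a popup and return the window handle.
// `win` is the RP's window object; it is passed in so the logic can be
// exercised with a stand-in object outside a browser.
function openSignIn(win, opOrigin, rpOrigin) {
  // "return_to" is an assumed parameter name, not any real provider's API.
  const url = opOrigin + "/signin?return_to=" + encodeURIComponent(rpOrigin);
  // location=yes asks for the address bar; browsers that honour the feature
  // string show it, and that bar is what lets the user check the form's origin.
  return win.open(url, "op_signin",
    "width=520,height=640,location=yes,resizable=yes");
}

// Decide whether a "message" event carries a trustworthy sign-in result.
// Returns the asserted identity, or null if the message must be ignored.
// Both checks matter: any page can postMessage to the RP window, and a page at
// the right origin but in some other window (e.g. a frame an attacker injected)
// must not be able to pose as the popup the RP opened.
function acceptResult(ev, opOrigin, popup) {
  if (ev.origin !== opOrigin) return null;
  if (popup === null || ev.source !== popup) return null;
  const data = ev.data;
  if (!data || data.type !== "signin_result" || typeof data.identity !== "string") {
    return null;
  }
  return data.identity;
}

// ---- OpenID provider (OP) side --------------------------------------------

// The OP's sign-in page should only render its password form as a top-level
// window. Framed, the user has no address bar to check, and the overlay Steven
// describes (a look-alike DIV stacked above the frame) cannot be told apart
// from the genuine form. Returns true when rendering is safe.
function safeToRenderForm(win) {
  return win.top === win.self;
}

// After authenticating, hand the result back to the window that opened the
// popup. targetOrigin is pinned to the RP so the identity cannot be delivered
// to some other site that ended up as opener. Returns false if not a popup.
function returnResult(win, rpOrigin, identity) {
  if (!win.opener) return false;
  win.opener.postMessage({ type: "signin_result", identity: identity }, rpOrigin);
  return true;
}

// ---- Minimal browser wiring for the RP page (no-op under Node) -------------
if (typeof window !== "undefined" && typeof document !== "undefined") {
  let popup = null;
  window.addEventListener("message", function (ev) {
    const identity = acceptResult(ev, OP_ORIGIN, popup);
    if (identity !== null) console.log("signed in as " + identity);
  }, false);
  const button = document.getElementById("signin");  // assumed button id
  if (button) button.onclick = function () {
    popup = openSignIn(window, OP_ORIGIN, RP_ORIGIN);
  };
}
```

<p>Two caveats a practitioner should keep in mind. The origin and source checks in <code>acceptResult</code> protect the RP from forged results; they do nothing to stop a phishing page from drawing a popup-shaped DIV of its own, which is exactly Steven's point. The only thing a genuine <code>window.open</code> buys is that the browser, not the page, renders the chrome the user can inspect. And the <code>win.top === win.self</code> test is the 2008-era, script-side way for the OP to refuse framing; today the same refusal is expressed server-side with an <code>X-Frame-Options</code> header or a CSP <code>frame-ancestors</code> directive, which cannot be defeated by disabling script.</p>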