{"id":609,"date":"2006-10-10T20:37:18","date_gmt":"2006-10-11T04:37:18","guid":{"rendered":"\/?p=609"},"modified":"2006-10-10T21:37:06","modified_gmt":"2006-10-11T05:37:06","slug":"bbauth-and-openid-move-identity-forward","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=609","title":{"rendered":"BBAuth and OpenID move identity forward"},"content":{"rendered":"<p>I read <a href=\"http:\/\/kveton.com\/blog\/2006\/10\/11\/bbauth-and-openid-discussions\/\" class=\"broken_link\">this piece<\/a> by <a href=\"http:\/\/kveton.com\/blog\" class=\"broken_link\">Scott Kveton<\/a> and&nbsp;wanted to make it clear that my&nbsp;concerns about user experience&nbsp;when using protocols that redirect you from site to site to site&nbsp;were not meant to put down <strong>the positives<\/strong> that both those technologies&nbsp;represent.&nbsp;<\/p>\n<p>I think BBAuth and OpenID&nbsp;both move identity forward.&nbsp; Count me in as supporting that.<\/p>\n<p><a href=\"http:\/\/developer.yahoo.com\/\"><font color=\"#000000\">I<\/font><\/a>&#8217;m just saying that I think we should co-operate to fix the redirection user experience, and replace it with something that is way less phishable.&nbsp;<\/p>\n<p>Scott says:<\/p>\n<blockquote><p>Lots and <a href=\"http:\/\/commented.org\/blog\/2006\/10\/10\/bbauth-security-lapse.html\" class=\"broken_link\">lots<\/a> and <a href=\"\/?p=607\">lots<\/a> and <a href=\"http:\/\/developer.yahoo.net\/blog\/archives\/2006\/10\/video_screencast_bbauth.html\" class=\"broken_link\">lots<\/a> of discussion going on regarding <a href=\"http:\/\/developer.yahoo.com\/auth\/\">BBauth<\/a> and <a href=\"http:\/\/openid.net\/\">OpenID<\/a>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.identityblog.com\/\">Kim Cameron<\/a> had an <a href=\"\/?p=608\">interesting post<\/a> today concerning the interface issues with BBauth as well as OpenID:<\/p>\n<div style=\"margin-left: 30px\">My concerns really originate with the user interface issues. 
And OpenID has the same problems to the extent that people end up with multiple identity providers (which they will).<\/div>\n<p>I appreciate Kim\u2019s passion about InfoCards and the concept of a consistent user interface. I think it\u2019s a fantastic idea. So let\u2019s be pragmatic about it. We\u2019re here today: no consistent user interface, lots of usernames and passwords and phishing is a huge problem. We want to get here: consistent user interface, one username and password and phishing becomes a thing of the past. Great. Where do we start? I don\u2019t think InfoCard is the answer. Let me explain.<\/p>\n<p>How do we know InfoCard provides a great interface for users? When I first saw and used an InfoCard it freaked me out. \u201cWhat the heck is popping onto my screen?!\u201d Talk about a paradigm shift. Answering the this-is-a-great-user-interface question is an iterative process. It takes time and lots and lots of user input.<\/p><\/blockquote>\n<p>My answer?&nbsp; You build interfaces and test them.&nbsp; You look at the numbers.&nbsp; You test phishing approaches on a wide assortment of people.&nbsp; You find out what works and doesn&#39;t, and keep evolving the interface.&nbsp; If we take this as a starting point, we&#39;ll all end up agreeing.<\/p>\n<p>The problem with redirection within the conventional browser is that there is no way to know&nbsp;for sure where you&#39;ve ended up &#8211; especially if you aren&#39;t a network&nbsp;engineer.&nbsp;<\/p>\n<blockquote><p>The fact is we have no idea how users are going to use user-centric identity so how can we make assumptions about the user interface today that aren\u2019t iterative?<\/p>\n<div style=\"margin-left: 30px\">But if this type of SSO were to become a massive success, that success would bring about its downfall. 
For it would then be worth attacking and very vulnerable at the same time.<\/div>\n<p>If something like OpenID or BBAuth takes off, there won\u2019t be a downfall. The platform will continue to evolve and get better. Is InfoCard the final and complete answer? We have no idea. The real question is which platform is best suited to constant evolution? Like Kim is a broken record about InfoCards (his words, not mine), I\u2019m the same way about OpenID \u2026 \ud83d\ude42 I believe OpenID is best suited to this kind of evolution.<\/p><\/blockquote>\n<p>Sorry &#8211; the redirection aspect of the incremental UI is still, in my view, vulnerable.&nbsp; Nonetheless it&#39;s a step forward from where we are today.&nbsp; I&#39;m not arguing that InfoCard is the final word on anything.&nbsp; I&#39;m arguing that it helps you&nbsp;deal with&nbsp;multiple identity providers,&nbsp;eliminates &#8220;redirection attacks&#8221;, and prevents the&nbsp;evil site from being in control of the user experience.&nbsp; Surely these can&#39;t be seen as bad things?&nbsp; OpenID could take advantage of them by including support for that interface.<\/p>\n<p>Kveton concludes:&nbsp;<\/p>\n<blockquote><p>OpenID is incremental by its nature. It\u2019s not a quantum leap. It\u2019s a URL. Users today are starting to think more and more in terms of URLs \u2026 just ask a MySpace or blog user (I have cold hard data on this one; my babysitter is a MySpace user). It\u2019s iterative. We\u2019re not trying to boil the ocean in the first go at this. We don\u2019t know how users are going to use this thing. So let\u2019s make the fewest number of assumptions for the users before we deliver something. Watch how they use it, find out what makes sense. 
Repeat.<\/p><\/blockquote>\n<p>A lot of users will be fine with URLs for their public personas.&nbsp; But I fear they can still be phished during redirection.<\/p>\n<blockquote><p>Is BBauth, CardSpace or OpenID the end-all-be-all solution for single sign-on? Definitely not today. One thing is clear though; companies and users alike are seeing the value of user-centric identity and it\u2019s slowly but surely happening; CardSpace, OpenID and BBauth are clear indications of this. This stuff doesn\u2019t happen overnight but the ship is slowly turning in the right direction.<\/p><\/blockquote>\n<p>There is wisdom in this.&nbsp; But&nbsp;if Kveton&nbsp;is against giving the InfoCard visual metaphor a try, then I don&#39;t get it.&nbsp; It does nothing to undermine OpenID.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A lot of users will be fine with URLs for their public personas.  But I fear they can still be phished during redirection.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,6,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/609"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=609"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/609\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=609"}],"wp:term":[{"taxonomy":"category","embeddable":true,
"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}