User Experience in the Identity Community
By Eric Sachs and Ben Laurie, Google Security Team
One of the major conferences on Internet identity standards is the Internet Identity
Workshop (IIW), a semiannual 'un-conference' where the sessions are not determined
ahead of time. It is attended by a large set of people who work on Internet security and
identity standards such as OAuth, OpenID, SAML, InfoCards, etc. A major theme within
the identity community this year has been about improving the user experience and growing the
adoption of these technologies. The OpenID community is making great progress on user
experience, with Yahoo, AOL, and Google quickly improving the support they provide (read
summary from
Joseph Smarr of Plaxo). Similarly, the InfoCard community has been working on simplifying the
user experience of InfoCard technology, including the
updated
CardSpace selector from Microsoft.
Another hot topic at IIW centered
around how to improve the user experience when testing alternatives and enhancements to
passwords to make them less susceptible to phishing attacks. Many websites and enterprises
have tried these password enhancements/alternatives, but they found that people complained
that they were hard to use, or that they weren't portable enough for people who use multiple
computers, including web cafes and smart phones. We have published an
article
summarizing some of the community's current ideas for how to deploy these new authentication
mechanisms using a multi-layered approach that minimizes additional work required by users. We
have also pulled together a set of
videos
showing how a number of these different approaches work with both web-based and desktop
applications. We hope this information will be helpful to other websites and enterprises who
are concerned about phishing.
[Also posted on the Google Online Security Blog.]