account management best practices openid for mobile webfinger allen tom yahoo! membership architect...
Post on 21-Dec-2015
218 views
TRANSCRIPT
Account Management Best PracticesOpenID for Mobile
Webfinger
Allen TomYahoo! Membership Architect
[email protected]@atom
“Soft Registration”
• First time visitors should be presented with a soft registration form
• Collect additional data if necessary– Terms of Service– Data that was not provided via OpenID• Birthday (for COPPA)• Location• Display Name
• Don’t Ask for:• Username, Password, account recovery info
Multiple accounts
• Preferable to have the user link their OpenID with an existing account if they already have one
• Existing account probably has data that the user wants to use– Purchase history– Ratings and reviews– Profile– Reputation
Does the user already have an account?
• Ask the user– Cons: Can be confusing and lower success rates
• Check the email address– Most sites already have the user’s email address– Suggest that the user link their OpenID with their
existing account of the user’s email address is already on file
Account Linking
• Verify the user’s password to link accounts• Account linking should be optional– User might not want to link– User might have forgotten the password
• After the account has been linked, the user can log in using either their username/password or their OpenID
Account Unlinking
• Users should be able to add and remove OpenIDs to their accounts
• Same thing as adding/removing email addresses to an account– But with a much better UX!
OpenID Login is like Email account recovery
• Many websites allow users to reset their password via email
• User needs to prove that they can access their email to reset their password
• Password reset is the same thing as logging in
Account Recovery
• Many websites allow Account Recovery via email• Outsourced Account Recovery to the user’s Email
provider
Email account recovery is like Logging In
• Sites that allow password reset via email have already outsourced their authentication to the user’s email provider
OpenID on Mobile
• Account registration has high friction on the desktop, and is virtually impossible on Mobile
• Use OpenID!• User is very likely to be already be logged into
the their OP’s mobile site– Can sign in to via a few clicks
Webfinger
• Find a profile page for a user given an email address
• Example:[email protected]
http://profiles.yahoo.com/allentomdude
“Well Known” discovery document
• $ curl http://yahoo.com/.well-known/host-meta
<?xml version='1.0' encoding='UTF-8'?> <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'> <Host xmlns='http://host-meta.net/xrd/1.0'> yahoo.com
</Host> <Link>
<Title>WebFinger</Title> <Rel>http://webfinger.info/rel/service</Rel> <Rel>describedby</Rel> <URITemplate> http://webfinger.yahooapis.com/?id={%id} </URITemplate> </Link> </XRD>
Webfinger
• $ curl http://webfinger.yahooapis.com/[email protected]
<XRD> <Subject>acct:[email protected]</Subject> <Alias>http://profiles.yahoo.com/allentomdude</Alias></XRD>
Webfinger
<XRD> <Subject>acct:[email protected]</Subject> <Alias>http://profiles.yahoo.com/allentomdude</Alias></XRD>
• Other services can be published via Webfinger– Calendar/Photos– IMAP/SMTP settings– Other public info– OpenID service discovery? (NASCAR replacement)