Account Management Best Practices OpenID for Mobile Webfinger
Transcript of Account Management Best Practices OpenID for Mobile Webfinger
![Page 1: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/1.jpg)
Account Management Best Practices
OpenID for Mobile
Webfinger
Allen Tom, Yahoo! Membership Architect
[email protected] @atom
![Page 2: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/2.jpg)
The “NASCAR” (the row of identity-provider logos on the login page) is just the beginning….
![Page 3: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/3.jpg)
After logging in….
• Now what?
![Page 4: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/4.jpg)
“Soft Registration”
• First-time visitors should be presented with a soft registration form
• Collect additional data if necessary
  – Terms of Service
  – Data that was not provided via OpenID
    • Birthday (for COPPA)
    • Location
    • Display Name
• Don’t ask for: username, password, account recovery info
![Page 5: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/5.jpg)
Multiple accounts
• Preferable to have the user link their OpenID with an existing account if they already have one
• Existing account probably has data that the user wants to use
  – Purchase history
  – Ratings and reviews
  – Profile
  – Reputation
![Page 6: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/6.jpg)
Does the user already have an account?
• Ask the user
  – Cons: Can be confusing and lower success rates
• Check the email address
  – Most sites already have the user’s email address
  – Suggest that the user link their OpenID with their existing account if the user’s email address is already on file
  – The email the OP returns is a hint for the suggestion, not proof of ownership: any OP can assert any address, so linking still needs the password check on the next slide
![Page 7: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/7.jpg)
Account Linking
• Verify the user’s password to link accounts
• Account linking should be optional
  – User might not want to link
  – User might have forgotten the password
• After the account has been linked, the user can log in using either their username/password or their OpenID
![Page 8: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/8.jpg)
Account Unlinking
• Users should be able to add and remove OpenIDs to their accounts
• Same thing as adding/removing email addresses to an account
  – But with a much better UX!
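One way to wire slides 4 through 8 together in code: decide after a verified OpenID assertion whether to log the user in, offer to link an existing account (password required, never on the email match alone), or fall into soft registration that asks only for what the OP did not send; linking and unlinking never leave an account without a way to sign in. This is an added example, not the deck’s or Yahoo’s code; the in-memory store, the shape of the assertion dict (verified claimed_id plus SREG/AX-style attributes) and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Profile data the site wants, per the slides; the soft-registration form
# asks only for those the OP did not supply.
PROFILE_FIELDS = ("email", "display_name", "location", "birthday")


def hash_password(password, salt=None):
    """Salted PBKDF2 hash (salt stored in the first 16 bytes)."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


@dataclass
class Account:
    email: str
    password_hash: Optional[bytes] = None   # None for OpenID-only (soft-registered) accounts
    openids: set = field(default_factory=set)
    profile: dict = field(default_factory=dict)


class AccountStore:
    """In-memory stand-in for the site's user database (constructed for the example)."""

    def __init__(self):
        self.by_email = {}
        self.by_openid = {}

    def add(self, account):
        self.by_email[account.email.lower()] = account
        for claimed_id in account.openids:
            self.by_openid[claimed_id] = account
        return account


def after_openid_login(store, assertion):
    """Decide what to do once the OpenID library has verified the assertion."""
    account = store.by_openid.get(assertion["claimed_id"])
    if account:
        return {"action": "login", "account": account}
    email = assertion.get("email", "").lower()
    existing = store.by_email.get(email) if email else None
    if existing:
        # Email on file: suggest linking, but never link on the email match alone.
        # Any OP can assert any address; only the password proves the user owns it.
        return {"action": "offer_link", "account": existing}
    missing = [f for f in PROFILE_FIELDS if not assertion.get(f)]
    return {"action": "soft_register", "missing": missing}


def coppa_age_ok(birthday, today=None, minimum=13):
    """COPPA covers children under 13; `today` may be an ISO string for testing."""
    born = date.fromisoformat(birthday)
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= minimum


def soft_register(store, assertion, form, today=None):
    """Create an OpenID-only account from OP attributes plus the soft-registration form."""
    if not form.get("tos_accepted"):
        raise ValueError("terms of service not accepted")
    profile = {f: assertion.get(f) or form.get(f) for f in PROFILE_FIELDS}
    missing = [f for f, v in profile.items() if not v]
    if missing:
        raise ValueError("still missing: " + ", ".join(missing))
    if not coppa_age_ok(profile["birthday"], today):
        raise ValueError("under COPPA age")
    if profile["email"].lower() in store.by_email:
        raise ValueError("email already registered; offer linking instead")
    # No username, password or recovery questions are collected here.
    return store.add(Account(email=profile["email"],
                             openids={assertion["claimed_id"]}, profile=profile))


def link_openid(store, account, claimed_id, password):
    """Attach an OpenID to an existing account; the password is the proof of ownership."""
    if account.password_hash is None or not check_password(password, account.password_hash):
        raise PermissionError("password check failed")
    if claimed_id in store.by_openid:
        raise ValueError("OpenID already linked to an account")
    account.openids.add(claimed_id)
    store.by_openid[claimed_id] = account


def unlink_openid(store, account, claimed_id):
    """Remove an OpenID like an email address, but never the last way to sign in."""
    if claimed_id not in account.openids:
        raise KeyError(claimed_id)
    if len(account.openids) == 1 and account.password_hash is None:
        raise ValueError("removing the only login method would lock the account out")
    account.openids.discard(claimed_id)
    del store.by_openid[claimed_id]
```

The assertion is assumed to have been verified already (signature, return_to, nonce) by the OpenID library; this code only handles what happens afterwards. Note that a soft-registered account has no password, so a user who later wants to remove their only OpenID must first add another OpenID or set a password.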
![Page 9: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/9.jpg)
Account Linking call to action
![Page 10: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/10.jpg)
![Page 11: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/11.jpg)
![Page 12: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/12.jpg)
Most users don’t know their Yahoo or Google OpenIDs
![Page 13: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/13.jpg)
OpenID Login is like Email account recovery
• Many websites allow users to reset their password via email
• User needs to prove that they can access their email to reset their password
• Password reset is the same thing as logging in
![Page 14: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/14.jpg)
Account Recovery
• Many websites allow Account Recovery via email
• This outsources Account Recovery to the user’s Email provider
![Page 15: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/15.jpg)
Email account recovery is like Logging In
• Sites that allow password reset via email have already outsourced their authentication to the user’s email provider
![Page 16: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/16.jpg)
OpenID on Mobile
• Account registration has high friction on the desktop, and is virtually impossible on Mobile
• Use OpenID!
• User is very likely to already be logged in to their OP’s mobile site
  – Can sign in with a few clicks
![Page 17: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/17.jpg)
Registration is challenging on Mobile
![Page 18: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/18.jpg)
Yahoo OpenID Mobile
![Page 19: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/19.jpg)
Google OpenID
![Page 20: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/20.jpg)
Webfinger
• Find a profile page for a user given an email address
• Example: [email protected]
  http://profiles.yahoo.com/allentomdude
![Page 21: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/21.jpg)
“Well Known” discovery document
• $ curl http://yahoo.com/.well-known/host-meta

```xml
<?xml version='1.0' encoding='UTF-8'?>
<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Host xmlns='http://host-meta.net/xrd/1.0'>yahoo.com</Host>
  <Link>
    <Title>WebFinger</Title>
    <Rel>http://webfinger.info/rel/service</Rel>
    <Rel>describedby</Rel>
    <URITemplate>http://webfinger.yahooapis.com/?id={%id}</URITemplate>
  </Link>
</XRD>
```
![Page 22: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/22.jpg)
Webfinger
• $ curl http://webfinger.yahooapis.com/[email protected]

```xml
<XRD>
  <Subject>acct:[email protected]</Subject>
  <Alias>http://profiles.yahoo.com/allentomdude</Alias>
</XRD>
```
![Page 23: Account Management Best Practices OpenID for Mobile Webfinger](https://reader036.fdocuments.net/reader036/viewer/2022062323/568164c0550346895dd6d311/html5/thumbnails/23.jpg)
Webfinger
```xml
<XRD>
  <Subject>acct:[email protected]</Subject>
  <Alias>http://profiles.yahoo.com/allentomdude</Alias>
</XRD>
```

• Other services can be published via Webfinger
  – Calendar/Photos
  – IMAP/SMTP settings
  – Other public info
  – OpenID service discovery? (NASCAR replacement)
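The two-step lookup shown on slides 20 to 23, as an added example that is not code from the deck or from Yahoo: fetch the domain’s host-meta, pick the Link carrying the WebFinger rel, expand its URITemplate for the account, then read Subject and Alias from the returned XRD. The HTTP fetch is injected and the documents below are constructed to mirror the slides’ XRDs for an assumed example.com identity, so it runs offline; treating `{%id}` as the percent-encoded identifier is likewise an assumption taken from the slide.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

WEBFINGER_REL = "http://webfinger.info/rel/service"  # rel used in the slide's host-meta

# Constructed sample documents (assumed example.com host, modelled on the slides).
SAMPLE_DOCS = {
    "http://example.com/.well-known/host-meta": (
        "<?xml version='1.0' encoding='UTF-8'?>"
        "<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>"
        "<Host xmlns='http://host-meta.net/xrd/1.0'>example.com</Host>"
        "<Link><Title>WebFinger</Title>"
        "<Rel>http://webfinger.info/rel/service</Rel><Rel>describedby</Rel>"
        "<URITemplate>http://webfinger.example.com/?id={%id}</URITemplate>"
        "</Link></XRD>"
    ),
    "http://webfinger.example.com/?id=acct%3Aalice%40example.com": (
        "<XRD><Subject>acct:alice@example.com</Subject>"
        "<Alias>http://profiles.example.com/alice</Alias></XRD>"
    ),
    # A response whose Subject names somebody else, to exercise the subject check.
    "http://webfinger.example.com/?id=acct%3Amallory%40example.com": (
        "<XRD><Subject>acct:alice@example.com</Subject>"
        "<Alias>http://profiles.example.com/alice</Alias></XRD>"
    ),
}


def offline_fetch(url):
    """Stand-in for an HTTP GET that serves only the constructed documents."""
    if url not in SAMPLE_DOCS:
        raise LookupError("no document at " + url)
    return SAMPLE_DOCS[url]


def _local(tag):
    """Strip the namespace so XRDs with and without an xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every direct child element called `name`."""
    return [c.text.strip() for c in elem
            if _local(c.tag) == name and c.text and c.text.strip()]


def webfinger_template(host_meta_xml):
    """Return the URITemplate of the host-meta Link that carries the WebFinger rel."""
    root = ET.fromstring(host_meta_xml)
    if _local(root.tag) != "XRD":
        raise ValueError("host-meta is not an XRD document")
    for link in (c for c in root if _local(c.tag) == "Link"):
        if WEBFINGER_REL in _texts(link, "Rel"):
            templates = _texts(link, "URITemplate")
            if templates:
                return templates[0]
    raise LookupError("host-meta has no WebFinger Link")


def discover(email, fetch=offline_fetch, require_https=True):
    """Resolve user@domain to the profile aliases the domain's provider publishes."""
    if email.count("@") != 1:
        raise ValueError("expected a single user@domain address")
    domain = email.split("@", 1)[1].lower()
    if not domain or any(ch in domain for ch in "/?#:@"):
        raise ValueError("domain is not a plain host name")
    acct = "acct:" + email                          # identifier form used in the slide's Subject
    scheme = "https" if require_https else "http"   # the slides use plain http
    template = webfinger_template(fetch(f"{scheme}://{domain}/.well-known/host-meta"))
    # {%id} is taken (an assumption from the slide) to be the percent-encoded identifier.
    url = template.replace("{%id}", quote(acct, safe=""))
    allowed = ("https",) if require_https else ("http", "https")
    if urlsplit(url).scheme not in allowed:
        raise ValueError("refusing template URL " + url)
    xrd = ET.fromstring(fetch(url))
    subject = _texts(xrd, "Subject")
    aliases = _texts(xrd, "Alias")
    # Never attribute an XRD that describes somebody else to this user.
    if subject != [acct] and acct not in aliases:
        raise ValueError(f"XRD subject {subject} does not match {acct}")
    return {"subject": subject[0] if subject else acct, "aliases": aliases}
```

Usage: `discover("alice@example.com", require_https=False)` returns the profile alias; the https requirement is on by default because both documents decide where the relying party sends the user next, and the plain-http URLs on the slides let anyone on the path rewrite them. The host-meta template form shown here is the early WebFinger design; the later RFC 7033 replaced it with a fixed `/.well-known/webfinger?resource=` endpoint returning JSON, so a current client needs that endpoint in addition to, or instead of, this XRD path.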