Hey - this is Angus Logan from the Live Services team! Yesterday was Safer Internet Day and I was at the Open ID UX summit. There are two things close to my heart, internet safety and user experience, and I wanted to take a moment to post some things we've done recently at Microsoft to help make the internet a safer place:
- An update on enabling data portability by working with the largest library developers to make address book portability safer for people using many web sites (see previous posts on screen-scraping).
- A new Live ID feature we are releasing to make the user experience on websites which use Windows Live ID for authentication better and more seamless (see previous posts on phishing resistance).
Safer Address book portability - legitimizing leading libraries
Over the past year we have been working with the largest websites in the world (and of course with those that are not so big) to provide a two-way street for address book portability. Throughout this effort we found that most developers like the efficiencies gained by using libraries such as Octazen's Contact Importer. The downside of efficiency is a safety tradeoff, and asking end users to share their Windows Live ID credentials with other websites is less than ideal (see password anti-pattern).
To this end we worked with the Octazen development team to use the Windows Live Contact API, which puts the user at the center of their online experience by using Live ID Delegated Authentication. The user does not need to share their credentials and can select what information can be accessed by the requesting web site and for how long. The Octazen library for websites running PHP is available now and additional platforms (.NET / Java) will be available in the future (demo).
Other advancements in this space, such as Portable Contacts and the innovation Plaxo discussed yesterday at the Open ID UX Summit, which drove a 92% signup & address book conversion, are very exciting, but by working at the existing library vendor level many websites will implicitly get safer without any additional effort.
Safety isn't just threat vectors - it's also the experience
One of the consistent pieces of feedback we got from web sites which let users sign in using Windows Live ID Web Authentication was that end users were being jarred by the user-experience shift once they clicked "sign in" and were taken to the Live ID authentication page.
For a security expert it makes perfect sense: only type in your credentials where you sourced them from (and you need to see the address bar). But as an end user you end up wondering "Where did the pretty site go and what am I doing here, was it a mistake?" and never return to the site.
Whilst balancing the need for instant recognition and the desire for a consistent experience throughout the entire sign-in flow, we've developed a sign-in and sign-up experience for Windows Live ID which can be co-branded/themed, and portions of which can be customized by web developers.
In the next few weeks a web site owner will be able to self-service register their relying party and upload their configuration file, and any requests to login.live.com for that Application ID (which redirect to a specific site) will have this co-branding/customization made available.
We have also made advancements in "vanilla" authentication screens designed to be used as a popup.
Below, the regions which can be "themed" are blue and the areas which can be changed are yellow.
Sign In (login.live.com)


Sign Up

NOTE: This customization is not available for the Open ID authentication flow as that is designed to be consumed by any website not provisioned.