The redirection flow works well on a desktop or a well-implemented mobile platform. It sucks on a set-top box or a mobile platform with a poor browser and an inability to relaunch the app. Just because we as technical minds find it intuitive enough doesn't mean that my grandmother will. Nonetheless, Lukas makes a very compelling point about granularity that is insoluble with my argument and has effectively shut me up, for now.

On Sep 29, 3:03 pm, Blaine Cook <[email protected]> wrote:
> 2009/9/29 James Wanga <[email protected]>:
>
> > I completely agree that having a single point of authentication is
> > ideal. However, security and usability have always been an
> > inharmonious pair. When a new pattern offers a significant security
> > improvement in exchange for a marginal usability sacrifice, we adopt
> > it. The danger of the redirection pattern is that it asks for a
> > usability sacrifice in exchange for an imaginary security improvement.
> > The only security value is that users MAY, over time, grow skeptical
> > of entering their credentials in third party apps. This can be easily
> > mitigated by more sophisticated phishing sites. The bottom line is, we
> > gain so little from redirection that it isn't worth the usability penalty
> > no matter how unpalatable it is to enter your creds in a third party
> > app.
>
> I'm getting a little sick of the argument that the redirection flow
> has worse usability than entering a username / password. The redirect
> flow is straightforward and easy to understand. There are plenty of
> applications that are deployed, using this method, and to great
> success. Just because some designers get persnickety that they don't
> have complete control over the experience doesn't mean it's bad.
>
> b.
