On Tue, Feb 10, 2009 at 7:10 AM, Chris Scott <[email protected]> wrote:
>
> See the Darkslide iPhone app for a nice implementation of this. When
> you touch the log in button it opens mobile Safari where you log in
> and authorize the app. Mobile Safari then closes and you are taken
> back to Darkslide where you are now logged in.
>
> I have no idea how this is done from a programming perspective,
> however, from a user perspective it works well IMHO.
>
From a user perspective I find it confusing and awful. I second the "chip hole in skull" comment. I'd love to see some research on the topic, though, maybe it's just me.[1]

Popping up a browser control inside the app (on the iPhone WebKit allows you to do this) appears to be a superior (but still kinda weak) solution, with no loss in actual security.

I too am thankful that plain-old-password-based auth is sticking around for when it's appropriate.

-cks

[1] Well, there was that link Cameron Kaiser posted:

http://sites.google.com/site/oauthgoog/UXFedLogin/desktopapps

but I mean some research that supports the idea that it's all fine and ok, not research that suggests it's an ugly hack that ruins usability. I especially liked the quote "The flow makes some security people happy because the user never enters their password into the client application. However it makes usability much much worse, and any evil client application on most operating systems can do other evil things to the user's computer anyways such as installing malware.". Well, duh. Thanks for the link, Cameron.

--
Christopher St. John
http://artofsystems.blogspot.com
