On Apr 16, 2:59 pm, Lachlan Hardy <[email protected]> wrote:
>
> > I would definitely support greater disclosure here, but would avoid
> > the checkbox model of authorizing different levels of access
> > (http://www.flickr.com/photos/factoryjoe/2601626420/sizes/o/).
>
> Why is that? Do you have any evidence against it?
>
> My own (limited, informal) testing tells me people feel more in
> control with checkboxes.
>
The evidence contrasting your findings is rather significant and, AFAIC, indisputable. Essentially Google and Facebook (maybe Yahoo as well) have all, at various times, tried the "checkbox approach to authorization" and found that users freak out, run away, call mom, go home and cry when presented with such an interface. Without fail. Or rather, with a bucket of fail.

Streamlining this procedure while also providing sufficient disclosure about what's happening seems the nearest approximation we can get here without having the utility of OAuth completely diminished by interfaces that presume far too much savvy or sophistication on the part of the user. Remember, users are busy, often multitasking and rarely stop to fully think through decisions that they're making on the web.

Doing more work up front to make it so that certain apps only have the ability to perform certain functions is one important aspect to keeping people safe (it's not so much that the app itself might do something harmful, but that a compromised system might use that app to do something nefarious) — the other is making it easy for people to provide only as much access as is necessary for the external application to function. Minimal access, minimized potential for harm.

For more on some of the authorization research that's been done, check this out: http://sites.google.com/site/oauthgoog/oauth-practices/user-interface

Chris
