FxA Flows

Ryan Feeley rfeeley at mozilla.com
Tue Nov 12 08:31:32 PST 2013


Speaking with Borjas and John, my security concerns really only apply to the web and password syncing. The phone will have its own front-end, so we can tackle this differently on the web. John’s original design (single email field for both sign in/up) is what we’re going with.

Ryan

On Nov 11, 2013, at 2:35 PM, Chris Karlof <ckarlof at mozilla.com> wrote:

> 
> On Nov 11, 2013, at 10:23 AM, Ryan Feeley <rfeeley at mozilla.com> wrote:
>> 
>> Beyond that (and Chris tells me not to make UX decisions based on my assumption of what makes good security), other sites probably keep these flows separate so that users' accounts are not exposed. Most sites use “invalid email/password” messaging because saying “you got the email right, but the password is wrong” is helpful for attackers.
> 
> Ryan, I love that you are interested in security UI design and I don't want to discourage you. This issue is complex and it's not easy to hide whether a user has an account with us. It's a leaky sieve, and locking down all the holes might introduce unfortunate UX compromises. 
> 
> For example,
> 
> Google gives you a 
> 
> The username or password you entered is incorrect.
> 
> to disguise whether the username exists or not when you try to log in, but they'll reveal whether a given account exists or not here:
> 
> https://accounts.google.com/SignUp?
> 
> Type in your existing username they'll tell you right away whether that username is claimed or not:
> 
> Someone already has that username. Try another?
> 
> However, the sign in and sign up flows will have different rates so we can throttle them differently. 
> 
> I've re-opened the issue with engineering, so we can discuss further:
> 
> https://github.com/mozilla/picl-idp/issues/134
> 
> You might also check out pg 22 of:
> 
> http://www.jbonneau.com/doc/BP10-WEIS-password_thicket.pdf
> 
> -chris
> 
>> Because you may be syncing your saved passwords, we need to “take care of you” like we promised in our Firefox Design Values.
>> 
>> To be honest, I hope we can do more before we begin syncing passwords.
>> 
>> Thoughts?
>> 
>> 
>> On Nov 8, 2013, at 4:39 PM, Francis Djabri <fdjabri at mozilla.com> wrote:
>> 
>>> 
>>> Hi, 
>>> 
>>> Yes, that was the logic we used for the flow initially, with the ultimate goal that the user could sign in with just their email if using Persona. 
>>> 
>>> Francis 
>>> 
>>> 
>>> On Nov 8, 2013, at 10:40 AM, Maureen Hanratty <mhanratty at mozilla.com> wrote:
>>> 
>>>> I thought part of the reason to separate the email entry from the password (rather than putting it into one form) was that in the event the user did have an account but didn't know about it, we could detect that and on the second screen with the password entry tell them, "Looks like you already have an account. Type your password." This was the logic we used when coming up with the sign in flow for payments.
>>>> 
>>>> On Nov 8, 2013, at 7:51 AM, Ryan Feeley <rfeeley at mozilla.com> wrote:
>>>> 
>>>>> On Nov 7, 2013, at 6:00 PM, Chris Karlof <ckarlof at mozilla.com> wrote:
>>>>> 
>>>>>> 1) Why the separate email and password entry for account creation and signup? Why are we so special that we need to do it differently from everyone else? Can we combine those into a single form?
>>>>> 
>>>>> 
>>>>> Like this? http://cl.ly/image/471i2s0k3g0J
>>>>> 
>>>>> Ryan Feeley
>>>>> Product Designer, Identity
>>>>> Mozilla UX
>>>>> IRC: rfeeley
>>>>> 
>>>>> _______________________________________________
>>>>> Dev-fxacct mailing list
>>>>> Dev-fxacct at mozilla.org
>>>>> https://mail.mozilla.org/listinfo/dev-fxacct
>>>> 
>>> 
>> 
>> Ryan Feeley
>> Product Designer, Identity
>> Mozilla UX
>> IRC: rfeeley
>> 
> 

Ryan Feeley
Product Designer, Identity
Mozilla UX
IRC: rfeeley
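One way to implement the trade-off Chris describes above, as an added example that is not FxA or picl-idp code: sign-in returns one generic message whether or not the address exists, sign-up unavoidably reveals that an address is already taken, and a per-flow throttle with a much tighter limit on sign-up covers that second leak. The `Throttle`, `signIn` and `signUp` names and the user data are constructed for this example.

```javascript
// Added example, not FxA/picl-idp code. Names (Throttle, signIn, signUp)
// are hypothetical; the user store below is constructed sample data.
// Plaintext password compare is a stand-in for a hash check, for brevity.
const users = new Map([["alice@example.com", "correct horse"]]);

// Fixed-window counter keyed by (flow, origin). Each flow has its own
// limit, so sign-up can be throttled far harder than sign-in.
class Throttle {
  constructor(limits, windowMs = 60000) {
    this.limits = limits;      // e.g. { signin: 5, signup: 2 }
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(flow, origin, now = Date.now()) {
    const key = `${flow}:${origin}`;
    const rec = this.hits.get(key);
    if (!rec || now - rec.start >= this.windowMs) {
      this.hits.set(key, { start: now, n: 1 });
      return true;
    }
    rec.n += 1;
    return rec.n <= this.limits[flow];
  }
}

const GENERIC = "Incorrect email or password";
const THROTTLED = "Too many attempts, try later";
const EXISTS = "An account already exists for that email";

function signIn(throttle, origin, email, password, now) {
  if (!throttle.allow("signin", origin, now)) return { ok: false, error: THROTTLED };
  const stored = users.get(email);
  // Unknown address and wrong password get the same reply: no existence leak here.
  if (stored === undefined || stored !== password) return { ok: false, error: GENERIC };
  return { ok: true };
}

function signUp(throttle, origin, email, password, now) {
  if (!throttle.allow("signup", origin, now)) return { ok: false, error: THROTTLED };
  // This flow cannot avoid saying the address is taken, hence the tighter throttle.
  if (users.has(email)) return { ok: false, error: EXISTS };
  users.set(email, password);
  return { ok: true };
}
```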
