<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Nov 11, 2013, at 10:23 AM, Ryan Feeley <<a href="mailto:rfeeley@mozilla.com">rfeeley@mozilla.com</a>> wrote:</div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br></div><div>Beyond that (and Chris tells me not to make UX decisions based on my assumption of what makes good security), other sites probably keep these flows separate so that users' accounts are not exposed. Most sites use “invalid email/password” messaging because saying “you got the email right, but the password is wrong” is helpful for attackers.</div></div></blockquote><div><br></div><div>Ryan, I love that you are interested in security UI design and I don't want to discourage you. This issue is complex and it's not easy to hide whether a user has an account with us. It's a leaky sieve, and locking down all the holes might introduce unfortunate UX compromises. 
</div><div><br></div><div>For example,</div><div><br></div><div>Google gives you a </div><div><br></div><div><span style="color: rgb(221, 75, 57); font-family: Arial, sans-serif; font-size: 13px; line-height: 17px; background-color: rgb(247, 247, 247); ">The username or password you entered is incorrect.</span></div><div><br></div><div>to disguise whether the username exists or not when you try to log in, but they'll reveal whether a given account exists or not here:</div><div><br></div><div><a href="https://accounts.google.com/SignUp?">https://accounts.google.com/SignUp?</a></div><div><br></div><div>Type in your existing username and they'll tell you right away whether that username is claimed or not:</div><div><br></div><div><span style="color: rgb(221, 75, 57); font-family: arial, helvetica, sans-serif; font-size: 13px; line-height: 17px; background-color: rgb(241, 241, 241); ">Someone already has that username. Try another?</span></div><div><br></div><div>However, the sign in and sign up flows will have different rates so we can throttle them differently. 
</div><div><br></div><div>I've re-opened the issue with engineering, so we can discuss further:</div><div><br></div><div><a href="https://github.com/mozilla/picl-idp/issues/134">https://github.com/mozilla/picl-idp/issues/134</a></div><div><br></div><div>You might also check out pg 22 of:</div><div><br></div><div><a href="http://www.jbonneau.com/doc/BP10-WEIS-password_thicket.pdf">http://www.jbonneau.com/doc/BP10-WEIS-password_thicket.pdf</a></div><div><br></div><div>-chris</div><div><br></div><div><br></div><div><br></div><div><br></div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Because you may be syncing your saved passwords, we need to “take care of you” like we promised in our Firefox Design Values.</div><div><br></div><div>To be honest, I hope we can do more before we begin syncing passwords.</div><div><br></div><div>Thoughts?</div><div><br></div><div><br></div><div><div>On Nov 8, 2013, at 4:39 PM, Francis Djabri <<a href="mailto:fdjabri@mozilla.com">fdjabri@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div>Hi, <div><br></div><div>Yes, that was the logic we used for the flow initially, with the ultimate goal that the user could sign in with just their email if using Persona. 
</div><div><br></div><div>Francis </div><div><br></div><div><br><div><div>On Nov 8, 2013, at 10:40 AM, Maureen Hanratty <<a href="mailto:mhanratty@mozilla.com">mhanratty@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>I thought part of the reason to separate the email entry from the password (rather than putting it into one form) was that in the event the user did have an account but didn't know about it we could detect that and on the second screen with the password entry tell them, "Looks like you already have an account. Type your password." This was the logic we used when coming up with the sign in flow for payments. </div><br><div><div>On Nov 8, 2013, at 7:51 AM, Ryan Feeley <<a href="mailto:rfeeley@mozilla.com">rfeeley@mozilla.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=us-ascii"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>On Nov 7, 2013, at 6:00 PM, Chris Karlof <<a href="mailto:ckarlof@mozilla.com">ckarlof@mozilla.com</a>> wrote:</div><div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">1) Why the separate email and password entry for account creation and signup? Why are we so special that we need to do it differently from everyone else? Can we combine those into a single form?</div></blockquote></div><div><br></div><div>Like this? 
<a href="http://cl.ly/image/471i2s0k3g0J">http://cl.ly/image/471i2s0k3g0J</a></div><br><div apple-content-edited="true">
<div style="font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Ryan Feeley</div><div>Product Designer, Identity</div><div>Mozilla UX</div><div>IRC: rfeeley</div></div>
</div>
<br></div>_______________________________________________<br>Dev-fxacct mailing list<br><a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a><br><a href="https://mail.mozilla.org/listinfo/dev-fxacct">https://mail.mozilla.org/listinfo/dev-fxacct</a><br></blockquote></div><br></div></blockquote></div><br></div></div></blockquote></div><br><div apple-content-edited="true">
<div style="font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Ryan Feeley</div><div>Product Designer, Identity</div><div>Mozilla UX</div><div>IRC: rfeeley</div></div>
</div>
<br></div></blockquote></div><br></body></html>
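One way to implement what Chris describes above (a sign-in response that does not distinguish an unknown email from a wrong password, and a sign-up flow that has to reveal whether an email is taken but is throttled more tightly), as an added example that is not part of this thread and not Firefox Accounts code; the user table, salt, window sizes and request budgets are constructed for illustration:

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for whatever the real server stores; iteration count is low for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed in-memory user table: email -> (salt, password hash).
_SALT = b"constructed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Hash compared when the email is unknown, so both branches do the same amount of work.
_DUMMY = _hash("dummy", _SALT)

# Per-flow budgets: (max requests, window in seconds) per client key.
# Sign-up is legitimately low-volume, so it gets the tighter budget; sign-in gets a looser one.
LIMITS = {"signin": (20, 60.0), "signup": (5, 60.0)}
_buckets: Dict[Tuple[str, str], List[float]] = {}

def allow(flow: str, client: str, now: Optional[float] = None) -> bool:
    """Sliding-window check: True if this client may make another request in this flow."""
    now = time.monotonic() if now is None else now
    limit, window = LIMITS[flow]
    hits = [t for t in _buckets.get((flow, client), []) if now - t < window]
    if len(hits) >= limit:
        _buckets[(flow, client)] = hits
        return False
    hits.append(now)
    _buckets[(flow, client)] = hits
    return True

def sign_in(email: str, password: str, client: str) -> str:
    """Same message for 'no such email' and 'wrong password'; hashing happens on both paths."""
    if not allow("signin", client):
        return "Too many attempts. Try again later."
    salt, stored = USERS.get(email, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "Signed in." if ok and email in USERS else "Invalid email or password."

def sign_up(email: str, client: str) -> str:
    """Sign-up must say whether the email is taken (the Google behaviour in the thread);
    the mitigation is the tighter sign-up budget, not a vaguer message. Demo does not persist."""
    if not allow("signup", client):
        return "Too many attempts. Try again later."
    return "Someone already has that email." if email in USERS else "Account created."
```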