RP Challenges to Federated Login

From IIW

Session Topic: RP Challenges to Federated Login

Wednesday 4D

Convener: Jack Greenberg

Notes-taker(s): Jack Breenberg

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

This session centered on issues that Relying Parties face when they begin to implement several "Sign in with ___" options on their sites to increase security and ease of use. For new sites, there may be a concern about UX.

  • How does the site look to a new user?
  • Is it clear how to login or is it stressful for the user to understand what is required?
  • Can users with email addresses from non-IdentityProviders (many ISPs) still create passwords?

There could also be issues on re-visit. If the user clicks a different button than they did the first time, even if it is for the same email address, does he/she now have two accounts or does the site link them in a smart way to verify the user has control of both IDPs? For existing sites, the migration story of moving users off of passwords and over to Identity Providers can be cumbersome.

The group discussed how sites handle these issues, and I offered suggestions based on lessons learned at Google with our Identity Toolkit project, where we develop tools to make tackling these problems as easy as possible. Discovering a user's possible IDPs came up as well and we talked about how the OpenID Foundation's AccountChooser.com project might help in this respect.

Finally, we had a great conversation toward the end about how smaller IDPs can become visible and mentioned that compliance with OpenID Connect's upcoming standard will likely be helpful when "selling" your IDP to RPs because there will likely be libraries for many platforms that make implementing OIDC-compliant IDPs trivial.