Labs/Weave/Identity/Account Manager: Difference between revisions

From MozillaWiki
Revision as of 23:45, 8 January 2010

Account Manager

Help users manage their accounts.

The account manager is an evolution of the Firefox password manager and the Weave identity components (OpenID + auto-login). It will help users manage logins and profile information for each site, and it will automate currently manual tasks such as signing up for sites, generating passwords, etc. The focus is on "traditional" login methods (e.g., form + cookie), but it will also have some support for OpenID/federated logins.

Creating a new identity framework is a non-goal of this project, although some new file formats and protocols are in scope (see below for details).

Drivers

  • Mike Hanson
  • Dan Mills
  • Aza Raskin (UX/Labs)
  • Alex Faaborg (UX/Firefox)

Release Roadmap

Latest release

  • 0.0.1 (2009.11.11) - Initial release that spins off the Weave identity features and creates a basic account manager.
  • 0.0.2 (2009.11.1829) - Bugfix for Weave identity features (autologin). Sign in/sign out functionality (spec proposal) still in the works.
  • 0.0.3 (2009.12.04) - Alpha release: account registration (spec proposal)

Use Cases

Automatic site registration, automatic password change

Diego is looking to improve his guitar skills and wants to share some experiences with fellow guitar students. His friend recommends the site guitar.com, of which he is a user. Diego has never been there before, and clicks the "Sign Up" link to create an account. Firefox immediately negotiates with the site which information is required for a signup, and presents Diego with a summary. After Diego confirms the account creation, Firefox sends the information to guitar.com and creates a new account for him, with a random password (which Diego doesn't need to know). Next month, when Diego visits the site again, Firefox asks Diego if he would like to change his password to a new one (for higher security). Diego has the option of changing it, leaving it as-is, or letting Firefox change it silently for him in the future. Since Diego uses password sync, all of his other devices are able to log in using the new password after a sync.

If Diego has never seen his password, then it doesn't make sense to ask whether he'd like to change it. As far as he is concerned, Firefox holds the keys, and it doesn't matter if Firefox gets them retooled as long as his experience remains the same.

OneTwo Click shopping for the whole web

Ben decides to buy some flowers for his fiancee. He goes to his favorite neighborhood flower store's website and picks out just the bouquet he wants. When it comes time to check out and pay, he really wishes he didn't have to enter all of his billing data. Since he has stored his identity and credit card information on the Weave server, the web site is able to automatically pull in this information from the server. The browser prompts Ben to grant access to the server for just this transaction; he says yes, and his purchase is complete.

Mass Password Reset

Chris left his laptop in the car a few days ago, and a thief broke his window and stole his laptop. Chris is now nervous that he could suffer from identity theft, and wants to minimize that chance. On his desktop machine he opens the Account Manager and changes his passwords for all his sites with a single action, locking out anyone who might have his stolen passwords.

Requirements

The following are the main features we are focusing on for the alpha.

  • Auto login for form/cookie based authentication
  • Formal protocol definition
  • Heuristic Engine (if needed)
  • Supports Sync if installed


The following are the main features we are focusing on for the beta.

  • Global Profile
  • Auto registration using global profile
  • Detailed account viewer (integration with Site Preferences?)
  • Add auto login support for HTTP Basic and other authentication types


UX

  • Account Manager
    • List accounts with basic information [P1]
    • Filter by site [P1]
    • Open detailed viewer for an account [P2]
    • Global session viewer - "you are logged in at all these sites" [P2]
  • Detailed account viewer [P2]
    • Show information the site has about you
    • Change information
    • Update information from global profile
    • Close account
  • Global profile
    • User hcard info [P1]
    • Ability to blast out changes to sites that already have that info [P3]
  • Notifications/workflows
    • Login requested by site -> new account creation / existing account UI [P1]
    • Profile data chooser for creating a new account [P1]
  • Status indicator [P1]
    • Login not supported on this site (invisible, maybe)
    • Logged out / logged in / automatic login enabled / error
    • View profile details for this site (detailed acct viewer)
    • View error details (?)
    • Multiple account chooser

Backend

  • Heuristic engine [P1]
    • Log in, log out, basic status (logged in, etc)
    • Password change
    • Account creation automation / auto form-fill hcard info
  • Interim site definitions [P1]
    • Jetpack API to add support for sites the heuristic engine doesn't work for
  • Formal protocol/format definitions [P1]
    • Status: logged in/logged out/errors/etc
    • API endpoint query (discovery)
    • Log in
    • Log out
    • Query information site has about you [P2]
    • Change/add/remove information/password/other account data [P2]
    • Cancel account [P2]
  • Support for various authentication types
    • Form submission/cookie [P1]
    • HTTP Basic auth [P1]
    • HTTP Digest auth [P2]
    • Client certs [P2]
    • OpenID [P3]
    • 2-factor [P3]
    • SRP, etc? [experiment]
  • Supports sync if installed [P1]
  • Disables itself during private browsing mode [P1]

UX Mockups

We have a couple of UI mockups related to how this might look. We'll be iterating on these and will continue to post updates here. Note that these are both really early mockups and will continue to evolve.

Design 2


Notes from UX reviews

23-Nov-2009

  • What do we use as the identifier to show in the URL bar?
  1. Username we sent (from password manager) --> think of the problems if we sign up with openid/webfinger
  2. We let the site tell us (10% off pants @ gap.com)
  3. Profile tag (Work/Home)
    1. Profile tag variant (First name of the profile) <- bad
  4. Logged in
  5. Weave ID
  • Do we show users that even when they are not explicitly signed in to a site, the site actually knows who they are (via cookies)?
  • How do we present the notion of connect/disconnect etc. before there is a login to Firefox?

Other Notes / Whiteboards

Sign in/Sign out flowchart


Current Status

Core Features
Priority | Target | Item         | Bug | Status
P1       | 0.1    | Feature name |     | not started