Labs/Weave/Identity/Account Manager: Difference between revisions

Latest revision as of 10:34, 4 May 2010

Account Manager

The Account Manager project aims to produce:

  • A protocol definition that sites can use to define their account-and-session management features in a format a web browser can understand. (The latest draft of the specification is here).
  • An implementation of this protocol as a Firefox addon.

The goal is to help users manage the process of "connecting" to a site, in a way that allows us to use secure browser chrome, and supports multiple authentication mechanisms.

The account manager is an evolution of the Firefox password manager and the Weave identity components (OpenID + auto-login). It will help users manage logins and profile information for each site, and it will automate currently manual tasks such as signing up for sites, generating passwords, etc. The first prototype will have support for "traditional" login methods (e.g., form + cookie), but it will also have some support for OpenID/federated logins.

Creating a new identity framework is a non-goal of this project, although some new file formats and protocols are in scope (see below for details).

There is additional information in the announcement blog post, as well as the add-on's first-run page.

Drivers

  • Mike Hanson
  • Dan Mills
  • Aza Raskin (UX/Labs)
  • Alex Faaborg (UX/Firefox)

Releases / Roadmap

Specification

Our proposal, "HTTP Extensions for Account and Session Management", is under development. You can read our draft here.

Addon

Latest release

  • 0.0.1 (2009.11.11) - Initial release that spins off the Weave identity features and creates a basic account manager.
  • 0.0.2 (2009.11.29; originally scheduled for 2009.11.18) - Bugfix for Weave identity features (autologin). Sign in/sign out functionality (spec proposal) still in the works.
  • ...
  • 0.0.10 (2010.03.05) - Alpha pre-release of "true" account management support (no heuristic autologin, uses the spec above).

Use Cases

Simple Connect

Alan routinely visits sites that use username-password logins, HTTP basic auth, and OpenID. He is tired of remembering which credential style to use at each site, and frustrated that he needs to repeat this process after unlocking his Firefox with a master password.

Account Manager provides a single click to log in to each of these sites, and, when Alan selects "always keep me connected", he never needs to deal with a login screen again.

Two Users, One Firefox

Madison and Connor share the family computer in the den; they can't be bothered with OS-level multi-user accounts and don't understand Firefox Profiles.

With Account Manager, they can tell at a glance that a given browser instance of Facebook, Twitter, or Yahoo Mail is logged in as their sibling, and can switch to their own account by selecting it from a dropdown menu.

Automatic site registration, automatic password change

Diego visits guitar.com to improve his musical skills. The site promises exciting personalized features if he connects, so he clicks the "Connect" button. Firefox immediately presents a summary of the personal information that it will send to the site, which Diego confirms, and an account (with a random password) is created.

At a later date, Firefox asks Diego whether he would like it to change the password now, and whether it should change it for him automatically in the future. Since Diego uses cloud-based password sync, all of his other devices are able to log in using the new password after a sync.

If Diego has never seen his password, then it doesn't make sense if he'd like to change it. As far as he is concerned, Firefox holds the keys and it doesn't matter if Firefox gets them retooled as long as his experience remains the same.

Mass Password Reset

Chris left his laptop in the car a few days ago, and a thief broke his window and stole his laptop. Chris is now nervous that he could suffer from identity theft, and wants to minimize that chance. On his desktop machine he opens the Account Manager and changes his passwords to all his sites with a single action, locking out anyone who might have his stolen passwords.

Requirements

The following are the main features we are focusing on for the alpha.

  • Auto login for form/cookie based authentication
  • Formal protocol definition
  • Heuristic Engine (if needed)
  • Supports Sync if installed


The following are the main features we are focusing on for the beta.

  • Global Profile
  • Auto registration using global profile
  • Detailed account viewer (integration with Site Preferences?)
  • Add auto login support for HTTP Basic and other authentication types

The priorities below are more tailored towards the 1.0 release.

UX

  • Account Manager
    • List accounts with basic information [P1]
    • Filter by site [P1]
    • Open detailed viewer for an account [P2]
    • Global session viewer - "you are logged in at all these sites" [P2]
  • Detailed account viewer [P2]
    • Show information the site has about you
    • Change information
    • Update information from global profile
    • Close account
  • Global profile
    • User hcard info [P1]
    • Ability to blast out changes to sites that already have that info [P3]
  • Notifications/workflows
    • Login requested by site -> new account creation / existing account UI [P1]
    • Profile data chooser for creating a new account [P1]
  • Status indicator [P1]
    • Login not supported on this site (invisible, maybe)
    • Logged out / logged in / automatic login enabled / error
    • View profile details for this site (detailed acct viewer)
    • View error details (?)
    • Multiple account chooser

Backend

  • Heuristic engine [P1]
    • Log in, log out, basic status (logged in, etc)
    • Password change
    • Account creation automation / auto form-fill hcard info
  • Interim site definitions [P1]
    • Jetpack API to add support for sites the heuristic engine doesn't work for
  • Formal protocol/format definitions [P1]
    • Status: logged in/logged out/errors/etc
    • API endpoint query (discovery)
    • Log in
    • Log out
    • Query information site has about you [P2]
    • Change/add/remove information/password/other account data [P2]
    • Cancel account [P2]
  • Support for various authentication types
    • Form submission/cookie [P1]
    • HTTP Basic auth [P1]
    • HTTP Digest auth [P2]
    • Client certs [P2]
    • OpenID [P3]
    • 2-factor [P3]
    • SRP, etc? [experiment]
  • Supports sync if installed [P1]
  • Disables itself during private browsing mode [P1]

UX Mockups

We have a couple of UI mockups related to how this might look. We'll be iterating on these and will continue to post updates here. Note that these are both really early mockups and will continue to evolve.

Design 2 (mockup image: PersonalIdentity.png)

Notes from UX reviews

23-Nov-2009

  • What do we use as the identifier to show in the URL bar?
  1. Username we sent (from password manager) --> think of the problems if we sign up with OpenID/WebFinger
  2. We let the site tell us (10% off pants @ gap.com)
  3. Profile tag (Work/Home)
    1. Profile tag variant (First name of the profile) <- bad
  4. Logged in
  5. Weave ID
  • Do we show users that, even when they are not explicitly signed in to a site, the site actually knows who they are (via cookies)?
  • How do we present the notion of connect/disconnect etc. before there is a login to Firefox?

Other Notes / Whiteboards

Sign in/Sign out flowchart (whiteboard image: Signin-signout-flowchart.jpg)