Labs/Weave/Identity/Account Manager

From MozillaWiki
Revision as of 11:00, 23 November 2009 by Aza (talk | contribs) (→‎UX)

DRAFT
The content of this page is a work in progress intended for review.

Please help improve the draft!

Ask questions or make suggestions in the discussion, or add your suggestions directly to this page.


Account Manager

Help users manage their accounts.

The account manager is an evolution of the Firefox password manager and the Weave identity components (OpenID + auto-login). It will help users manage logins and profile information for each site, and it will automate currently manual tasks such as signing up for sites, generating passwords, etc. The focus is on "traditional" login methods (e.g., form + cookie), but it will also have some support for OpenID/federated logins.

Creating a new identity framework is a non-goal of this project, although some new file formats and protocols are in scope (see below for details).

Release Roadmap

Latest release

  • 0.1 (2009.11.11) - Initial release that spins off the Weave identity features and creates a basic account manager.
  • 0.2 (2009.11.18) - Snapshot: sign in/sign out functionality (spec proposal)
  • 0.3 (2009.12.02) - Alpha release: account registration (spec proposal)

Use Cases

Automatic site registration, automatic password change

Diego is looking to improve his guitar skills, and wants to share some experiences with fellow guitar students. His friend recommends the site guitar.com, of which he is a user. Diego has never been there before, and clicks the "Sign Up" link to create an account. Firefox immediately negotiates with the site to learn which information is required for a signup, and presents Diego with a summary. After Diego confirms the account creation, Firefox sends the information to guitar.com and creates a new account for him, with a random password (which Diego doesn't need to know). Next month, when Diego visits the site again, Firefox asks Diego if he would like to change his password to a new one (for higher security). Diego has the option of changing it, leaving it as-is, or letting Firefox change it silently for him in the future. Since Diego uses password sync, all of his other devices are able to log in using the new password after a sync.

If Diego has never seen his password, then it doesn't make sense to ask whether he'd like to change it. As far as he is concerned, Firefox holds the keys, and it doesn't matter if Firefox gets them retooled as long as his experience remains the same.

OneTwo Click shopping for the whole web

Ben decides to buy some flowers for his fiancée. He goes to his favorite neighborhood flower store's website and picks out just the bouquet he wants. When it comes time to check out and pay, he really wishes he didn't have to enter all of his billing data. Since he has stored his identity and credit card information on the Weave server, the web site is able to automatically pull in this information from the server. The browser prompts Ben to grant access to the server for just this transaction; he says yes, and his purchase is complete.

Mass Password Reset

Chris left his laptop in the car a few days ago, and a thief broke his window and stole his laptop. Chris is now nervous that he could suffer from identity theft, and wants to minimize that chance. On his desktop machine he opens the Account Manager and changes his passwords to all his sites with a single action, locking out anyone who might have his stolen passwords.

Requirements

Priorities are for the alpha release; we'll reshuffle based on what we learn from that.

UX

  • Account Manager
    • List accounts with basic information [P1]
    • Filter by site [P1]
    • Open detailed viewer for an account [P2]
    • Global session viewer - "you are logged in at all these sites" [P2]
  • Detailed account viewer [P2]
    • Show information the site has about you
    • Change information
    • Update information from global profile
    • Close account
  • Global profile
    • User hcard info [P1]
    • Ability to blast out changes to sites that already have that info [P3]
  • Notifications/workflows
    • Login requested by site -> new account creation / existing account UI [P1]
    • Profile data chooser for creating a new account [P1]
  • Status indicator [P1]
    • Login not supported on this site (invisible, maybe)
    • Logged out / logged in / automatic login enabled / error
    • View profile details for this site (detailed acct viewer)
    • View error details (?)
    • Multiple account chooser

These two used to be part of this project, but will be moved to a separate identity-related effort:

  • Combine browser (Weave) login credentials with Fx master password
  • Layer on 2-factor auth for logging into the browser (e.g., send an SMS with a password)


Backend

  • Heuristic engine [P1]
    • Log in, log out, basic status (logged in, etc)
    • Password change
    • Account creation automation / auto form-fill hcard info
  • Interim site definitions [P1]
    • Jetpack API to add support for sites the heuristic engine doesn't work for
  • Formal protocol/format definitions [P1]
    • Status: logged in/logged out/errors/etc
    • API endpoint query (discovery)
    • Log in
    • Log out
    • Query information site has about you [P2]
    • Change/add/remove information/password/other account data [P2]
    • Cancel account [P2]
  • Support for various authentication types
    • Form submission/cookie [P1]
    • HTTP Basic auth [P1]
    • HTTP Digest auth [P2]
    • Client certs [P2]
    • OpenID [P3]
    • 2-factor [P3]
    • SRP, etc? [experiment]
  • Supports sync if installed [P1]
  • Disables itself during private browsing mode [P1]
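As an added illustration of the heuristic-engine items above (this is example code written for this page, not code from Weave or the Account Manager project), the sketch below does two of the things the list asks for: it classifies a page as a login form, a sign-up form, a logged-in session or unsupported by looking at the password fields and log-out links it finds in the HTML, and it generates a random password from the operating system's CSPRNG so the user never has to see it. The sample pages, the status names and the field-name heuristics are all constructed assumptions; a real engine would need site definitions (the Jetpack API item) for pages these rules miss.

```python
import secrets
import string
from html.parser import HTMLParser

# Constructed sample pages standing in for what the heuristic engine would see.
LOGIN_PAGE = """
<html><body>
<form action="/session" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

SIGNUP_PAGE = """
<html><body>
<form action="/register" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="password" name="password_confirm">
  <input type="submit" value="Sign Up">
</form>
</body></html>
"""

LOGGED_IN_PAGE = """
<html><body>
<p>Welcome back, diego</p>
<a href="/logout">Log out</a>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with the type/name of its <input> fields, plus all link hrefs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(),
                 "name": (a.get("name") or "").lower()})
        elif tag == "a":
            self.links.append((a.get("href") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify_page(html):
    """Heuristic status (assumed vocabulary): 'signup', 'login', 'logged_in' or 'unsupported'."""
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        pw_fields = [i for i in form["inputs"] if i["type"] == "password"]
        if len(pw_fields) >= 2:
            return "signup"      # password + confirmation field => registration form
        if len(pw_fields) == 1:
            return "login"       # a single password field => login form
    if any("logout" in href or "signout" in href for href in parser.links):
        return "logged_in"       # a log-out link implies an active session
    return "unsupported"


def generate_password(length=20):
    """Random password from the OS CSPRNG, with at least one lower, upper and digit."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


if __name__ == "__main__":
    for label, page in [("login", LOGIN_PAGE), ("signup", SIGNUP_PAGE),
                        ("logged in", LOGGED_IN_PAGE)]:
        print(label, "->", classify_page(page))
    print("generated password length:", len(generate_password()))
```

The two-password-field rule is what separates "sign up" from "log in" without any site-specific knowledge; the password change flow from the use cases would reuse `generate_password` and then submit the new value through whatever form the site exposes, which is exactly the part the formal protocol definitions are meant to make explicit instead of guessed.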

Current status:

Core Features

  Priority  Target  Item          Bug  Status
  P1        0.1     Feature name       not started