Videos of that desktop prototype with different federated login and strong authentication mechanisms

We provided some UX research on desktop apps using federated login and/or OAuth. One of the goals of that research was to show we could use OAuth as the technology, because it is agnostic to whether any type of federated login mechanism is used (SAML, OpenID, etc.) and agnostic as to how the user is authenticated (password, digital certificate, CardSpace, biometric, etc.). Below are some links to videos that show how that prototype was used (without any specific modification) with a few different federated login mechanism and authentication mechanisms. Google has also published some early research on usability of strong authentication approaches.

Note: To view the videos below in higher quality, click "watch in high quality" link that is at the bottom right under the video on the YouTube watch page

Authentication with standard password

• • Traditional login, no federated identity [video]

  • Using federated login with SAML (provided by Ping Identity's signon.com service) [video]

Authentication with other forms of "what you know"

• • Using a series of images (through the Vidoop service) [video]

Authentication with one-time-password device that does not need to be connected to the PC (via USB, Bluetooth, etc.)

• • Using a Verisign credential from their VIP service [video]

  • Using a mobile phone (through the Vidoop service) using sms [video] and using a phone call [video]

Authentication with software certificate, and for machines without that certificate the user is asked to provide the answers to some secret questions

• • Using a traditional X.509 cert in the browser (provided by Tricipher)

    • Part 1 is a machine without the certificate, Part 2 is a machine with the certificate

  • Using a certificate stored as a Flash object (provided by Arcot)

    • Part 1 is a machine without the certificate, Part 2 is a machine with the certificate. This video shows both scenarios together.

  • Using a Microsoft CardSpace Infocard selector (provided by Ping Identity's signon.com service) [video] (Note that the blank screen in the middle of the video is when the Cardspace selector is shown, and it has special security controls to block potential malware, including screen capture software. If you want to see the CardSpace user interface, please watch this video)

  • Using an Azigo CardSpace Infocard selector (provided by Parity) [video]. Azigo also provides an Infocard selector for the iPhone (see screenshots) so we are looking for someone who wants to build an iPhone application that uses OAuth (similar to the sample made for Powne), but that connects to the Google Contacts API (similar to our prototype)

Authentication with physical device

• • Using a thumb-scanning USB token (token provided by Privaris, federation service provided by Trustbearer's OpenID/SAML service) [video] (Note that when the USB token is shown, the user is scanning their thumb on a physical USB token that looks similar to the one displayed on the screen)

  • Using a USB token from Yubico that generates one-time passwords [video]

These examples will hopefully serve to show that it is possible for rich-client apps to use OAuth so that they can get the user's AUTHORIZATION to access that user's data, as opposed to the more traditional model of asking for the user's username/password and then impersonating them to the destination website. The delegated authorization model of OAuth allows rich-client apps to support federated login and strong auth without any additional changes for specific federation and strong auth technologies.