UX research on Desktop Apps using federated login and/or OAuth

If a website exposes APIs for private user data that are accessed via rich-client applications (desktop apps, J2ME mobile apps, etc.), then it can be hard for that website to become a relying party for federated login.  The reason for this is that most desktop apps have a hardcoded user interface that asks for E-mail/Password to authenticate users.  The same is true for websites which expose APIs, but which authenticate users via some second fatctor auth solution such as USB tokens, phone, InfoCard, etc.  While the website with the API might be able to easily changes its login flow by updating code on its servers, it can be much harder to update the code on all the rich-client applications, especially if some of them were built by 3rd party developers.

Google has been evaluating the user experience of federated login in rich-client apps to determine what method can be used, assuming the website owner and client app developer are willing to modify their code.  This document describes a prototype that we built and tested with our user research team.

One of the options we considered, but did not pursue, was to force all users of the the desktop app to use the OAuth protocol to authorize the app to access the user's data.  Roughly that flow would take eight steps as listed below:
  1. User clicks sign-in on the app
  2. User is told they will be redirected to a web browser to authorize the client app to access their data
  3. The web browser is launched and the user is sent to the login page of the website with the data.  If that website uses second factor auth for authentication, then it could send the user through the standard flow for that authentication process.
  4. If that website was a relying party for federated login, then the user could indicate their IDP on that RP website, and they would be redireted to the IDP to authenticate (and that IDP might in turn use second factor auth).  If the user's account was not associated with an IDP, then they could authenticate directly to the RP website.
  5. Once the user was logged in, they would be shown a screen that describes the application asking for their data, and asks the user if they approve giving that app access to their data
  6. If the user gives their approval, they are then shown a confirmation page and are asked to manually switch back to the application
  7. When the user switches to the application, it will have a screen with a "Continue" button for the user to click after they have given approval
  8. The user will click the "Continue" button and now the application will work.
The flow makes some security people happy because the user never enters their password into the client application.  However it makes usability much much worse, and any evil client application on most operating systems can do other evil things to the user's computer anyways such as installing malware.

Therefore Google decided to try to find an approach that avoided using OAuth when possible, but fell back to it when necessary.  The approach we took was to have the client app display the same style login box that Google suggests that websites should use.  If the user enters an E-mail and password in that login box, it is sent via a proprietary Google ClientLogin API back to the webserver to see if it can be validated.  If the webserver can validate the credentials, then the desktop app can immediately access the user's data.  If it cannot validate the password, then the webserver can either return an error indicating that the user should try again, or it can return an error indicating that the user must be sent through the OAuth flow.  Similarly, if the user enters an E-mail into the login box, but chooses "help me sign in" then they are always sent through the OAuth flow.

To help improve the OAuth user experience, we made two further optimizations:
  1. For steps 3/4, we chose to launch a full web-browser instead of trying to launch an embedded browser in the client app.  The big advantage of this approach is that the user is normally already logged into the website, and thus the user skils steps 3/4 and it sent immediately to step 5
  2. For steps 6/7/8, we had the website create a new cookie in a pre-determined location, and the client-app would constantly poll in the background for the existance of that cookie.  Once it detected that cookie the application would force itself to the foreground and then immediately access the user's data from the website
This prototype application was tested with 11 users who were each told to open a message from their administrator in their inbox, and the message asked them to install a new tool that would give them access to their contact list offline.  Here were the two primary goals of the test, and the results:
Goal 1: Evaluate whether users were surprised by the non-traditional login box
Result: None of the 11 participants detected it was a non-traditional login box.  That is in line with the previous studies we did.  This is a strong indicator that we could change our desktop apps to use this login box and it would have no detrimental impact on normal usage

Goal 2: Get feedback on browser/OAuth flow for users whose domains were SAML enabled.
Result: 10 of the 11 participants completed the flow and found it easy, but identified some UI optimizations we could make (the first participant ran into bugs that we fixed for the others).  The addition of the auto-detection of the approval process was important and without that we would need to significantly improve the UI.  However even in the case without that auto-detection, it is important to note that for users from SAML enabled domains, we do not have any other reasonable alternatives to offer them anyways.

A copy of the prototype application is available here:
It only works on Windows and requires .NET Frameworks v2.  It is optimized for Internet Explorer, so make sure your default browser is set to IE using Start-Set Program Access and Defaults (It works on firefox, but is not yet as user friendly).  We have also provided videos of using this prototype application with multiple federated login technologies and multiple strong authentication technologies.

To test it, launch the application, and try to login with a regular Gmail account by entering your E-mail address and password (see screenshots below).  The app will now display a sample of contacts from your personal address book.  Hit close to go back to the login screen.



You can now test the application with a domain that is hosted on Google Apps For Your Domain, including domains that are running their own SAML IDP (and even with SAML IDPs that use a second factor auth such as tokens or InfoCard).  To do this, enter the E-mail address in that domain and choose "help me sign in" (as shown in the first screenshot below).  If you don't have an account on AppsForYourDomain, then enter an @gmail.com address and choose "No, help me sign in" and you will also be sent through the OAuth flow.
Note: The user/employees may mistakenly type their password in this login box (like in the second screenshot below).  However it will work even if they make this mistake.  The app first sends the E-mail to the Google servers to find out if the domain is SAML enabled, and if so, it forces the user through the OAuth flow, otherwise it sends the E-mail/password to Google directly to be validated.  This prototype version only has a hardcoded list of SAML domains (try tom.brown@alertblue.com as an example), but if you want to force the system to do the OAuth flow for your domain, then choose "help me sign in."  A later version of this prototype might even be able to check a registry setting to see if the enterprise had hardcoded their domain name, and in that case the desktop application could skip the login screen and start the OAuth flow immediately.




The app will launch your the user's default browser (which should have been set to Internet Explorer), and send you through the flow required to login to that address.  If the user is already logged into their IDP and/or Google, then they will not even need to see the login screen.
Note: The login page below is for a domain that is not SAML enabled.  A SAML enabled domain would show its own login page, and might prompt the user for a second form of authentication such as a token/certificate/Infocard.



The next page they will see is the OAuth approval page (screenshot below) to confirm they want the app to have access to their contact list.  The current page refers to some fake domain, however the final version would display the name of the application instead.
Note: The server cannot verify the identity of the application, but it can display a description of the application.  If that description does not match the application the user has installed, then some users will correctly click the Deny Access options.



Once the user gives their approval, the browser will try to redirect to a destination page, and then the desktop app should automatically jump to the foreground and display their corporate address book (screenshot below)
Note: On firefox, you will see a destination page that tells you to manually switch to the desktop app and click the "continue" button



Eric Sachs
Product Manager, Google Security
Comments