@FlorinaV, looking through the PDF, I see some great ideas for usability; thanks for your efforts so far. A few of those things I had on my list too!
One thing I'd like to put on your radar is the necessity for users to understand the criticality of the domain verification step (not sure if that's the official lingo or not). In Steve's recent post he lays out the scenario where a man-in-the-middle could log on as you to another site.
Right now, the client says "Do you want to login to: sqrl.grc.com", and your cursor is flashing below asking for a "Password". There's a back arrow, but it seems unbalanced between "the url looks good" vs "the url looks fishy".
What's happening here is that by typing your password, you are giving permission to the owner of the page where you found the QR code to log in to the specific domain of sqrl.grc.com, and the two might not be the same!
People are already complaining about having to type even the quickpass each time, but I think that there might need to be a checkbox next to the domain that says something like "I want to give the page I scanned the ability to log me in to sqrl.grc.com (yes-domain looks good / no-domain looks fishy)", and also require the quickpass.
So, in training the users, there are two things going on. One is to make sure there's no man in the middle, and the other is to make sure it's really you.
- Can you explain "CPS (client provided session), which we rarely will on mobile devices"? How is the mobile vs. web experience different?
- When we say "is this website.com where you want to sign in?", could we render this page and have it be a visual comparison? Just a thought, not necessarily pushing the idea. This seems like a big burden and people will stop reading and start clicking.
- This is extremely vulnerable to typosquatting attacks as well, right?