Quick question about iframes versus popups

[Robert]

I understand the narrative about why Facebook connect migrated from inline frames to popups.

I also understand the narrative about Plaxo and Google's 92% rate of return on OpenID two-click logins.

That said, why shouldn't the burden for security rest with the provider?  I'm wondering if popups are contributing to the lack of adoption problem that OpenID has.  I think popups and redirections are very jarring for users (UI/UX), and in the implementation we're building over at disodev.org, I'm inclined to snub the "popup phishing" problem in the face and use iframes anyway.  I don't believe that the problem is because it's an iframe.  I believe it's that the OP needs to give the RP a better anti-phishing methodology.  There are any given number of security tactics that could be used.

Shadowbox/lightbox/thickbox was invented precisely because usability and user experience with popup windows is historically so atrocious.  It's just awful.  And redirects are just as bad.  The best idea is to keep the user on the page.

AND

If iframes really ARE that bad, there ought to be another way to keep the user "present," so they don't drift off and we lose them.  I don't think the problem is the two click return rate.  I think the problem is adoption because it's too confusing in the first place.  This may mean the browser ultimately does have to take on part of the role, i.e., we need something even better than iframes.  But for NOW (avoiding the chicken-egg problem), why are iframes so bad?