GOV.UK Frontend is already fully open source [0] with comprehensive documentation [1], and GDS encourage community contributions, libraries and resources [2]. If there was any worry about phishing, that would be a question for GDS.
This is impressive Matt, and I love the design system GDS has developed, but I'm not sure they want non-government services to use the system. From the second link you posted:
> Use this design system to make *government* services consistent with GOV.UK
Emphasis mine. Are GDS aware of this work? I am in no way affiliated with GDS by the way.
--
I'm always wary of this kind of thing not being on a gov.uk domain, which in this case is entirely appropriate because it's not in any way official or endorsed by GDS. Not for any direct phishing/crooks concerns as raised above, but because it waters down the impact of this kind of thing always being on gov.uk domains.
--
Edit: I'd be _very_ surprised if GDS don't take issue with you having "GOV.UK" in the name given that it is in no way associated with gov.uk.
That's a good thing, because people need to learn how to really check the authenticity of a website and not base it on how it looks. See security by obscurity.
There's an old Microsoft study examining what might help users to not give crooks their credentials. The participants used their real credentials to attempt a real bank transaction, and Microsoft studied what might count as a red flag and stop them from attempting this transaction on a bogus site: variations in UI warnings, layout, etc.
Nothing. Nothing you could do stopped users from persisting in their goal, despite all the red flags. Humans get stuck on a mission; it's called "Get-there-itis" and it kills private pilots, it causes those "How could you be such a moron?" bridge strikes you see on YouTube, it's a defect in human psychology, and you have to design knowing that this defect exists.
So what works? Brick Wall UX. When the user can't do the wrong thing they won't. They'll still try of course, but now they can't succeed (in giving their credentials to crooks).
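The "brick wall" idea above, as an added example that is not part of this thread or of any GDS code: a toy credential store that binds each credential to the exact origin it was registered on, in the spirit of a password manager's autofill or a WebAuthn relying-party check. No warning is shown and no override exists; a lookalike site simply gets nothing, however determined the user is. The domain names and probes are constructed for illustration.

```python
"""Added example (not from the thread): origin-bound credentials as
"Brick Wall UX". The user cannot hand a credential to a lookalike site
because the store will only release it on an exact origin match."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    username: str
    secret: str


def normalise_origin(url: str) -> str:
    """Return scheme://host[:port] with the host lowercased and converted to
    its ASCII (punycode) form, so Unicode homoglyphs are compared as the
    bytes the network actually resolves. Only https origins are allowed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https origins may hold credentials")
    host = parts.hostname.encode("idna").decode("ascii")
    port = f":{parts.port}" if parts.port and parts.port != 443 else ""
    return f"https://{host}{port}"


class OriginBoundStore:
    """Credentials keyed by normalised origin; no fuzzy matching at all."""

    def __init__(self) -> None:
        self._by_origin: Dict[str, Credential] = {}

    def register(self, url: str, cred: Credential) -> str:
        origin = normalise_origin(url)
        self._by_origin[origin] = cred
        return origin

    def fill(self, url: str) -> Optional[Credential]:
        """The brick wall: exact origin match or nothing. There is no
        'are you sure?' prompt because the user is not asked at all."""
        try:
            origin = normalise_origin(url)
        except ValueError:
            return None
        return self._by_origin.get(origin)


def demo() -> Dict[str, bool]:
    """Register one credential for the real origin, then probe with the
    kinds of URLs a phishing kit uses. Returns probe name -> filled?"""
    store = OriginBoundStore()
    store.register("https://www.gov.uk/sign-in", Credential("alice", "hunter2"))
    probes = {  # constructed probes, not real sites
        "same origin, different path": "https://www.gov.uk/account/settings",
        "plain http downgrade": "http://www.gov.uk/sign-in",
        "lookalike registrable domain": "https://www.gov.uk.account-check.example/sign-in",
        "hyphenated imitation": "https://www-gov-uk.example/sign-in",
        "cyrillic o homoglyph": "https://www.g\u043ev.uk/sign-in",
    }
    return {name: store.fill(url) is not None for name, url in probes.items()}


if __name__ == "__main__":
    for name, filled in demo().items():
        print(f"{name:32s} -> {'FILLED' if filled else 'blocked'}")
```

Only the first probe is filled; the downgrade, the lookalike domains and the homoglyph host all fall through to `None`. The point is that the decision is made on the origin string, not on how the page looks, so the "get-there-itis" described above never gets a chance to operate.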
Broadly speaking, I agree with the claim - but I'm very suspicious of the study. We'd have to know the methodology to be sure (maybe you have a link to this?), but there are many factors that could lead participants to ignore the warning signs and persevere. For instance, the participants may have been offered a sum of money for their involvement, and believed (consciously or subconsciously) that they had to 'pass' the test to earn it. Or, it could have been pride and the desire not to lose face; perhaps even the sentiment of "the sooner I can finish this daft test, the sooner I can leave"!
There is a common attitude in the computer industry that designers/developers know better than users, but software users are representative of the general population and are thus no more or less intelligent than average. I believe it's primarily a lack of understanding of how software works that makes online phishing scams work. 'Brick Wall UX' can only go so far to compensate for that, and it comes at a cost of making software less flexible for the end-user.
But this isn't quite the same thing, the dancing pigs (or bunnies) are an attraction, the mission mindset / get-there-itis happen after the user has decided to do something, and prevent them from (correctly) deciding not to do it in light of more information.
Better yet, this creates the ability for prompts such as:
"Using design system from govukvue.org create an app that will [check for service] from [this gov.uk url] using the same hooks and design components to give me a dashboard of [benefits] [contacts_for_benefits] [these_other_components_to_query] as a Flask app and connect it to my [db] and give me a mobile first view - wrap it in a docker on my DO droplet, use the cred from the .env"
[0] https://github.com/alphagov/govuk-frontend
[1] https://design-system.service.gov.uk/
[2] https://design-system.service.gov.uk/community/resources-and...