[OpenID] FW: two-factor authentication with a bookmark
scott at janrain.com
Tue Feb 6 20:20:38 UTC 2007
Forwarding from the identity gang list (with Ben's permission) ... Very cool
addition to Simon's thoughts on how to fight phishing. Very cool Ben.
------ Forwarded Message
From: Ben Adida <ben at adida.net>
Reply-To: <idworkshop at googlegroups.com>
Date: Tue, 6 Feb 2007 15:02:39 -0500
To: <idworkshop at googlegroups.com>
Conversation: two-factor authentication with a bookmark
Subject: two-factor authentication with a bookmark
This is likely to get massively overshadowed by all the interesting
activity at the RSA conference, but I thought I'd pass it along anyways.
I've been working on BeamAuth, a two-factor authentication with a
bookmark and a password. The goal is to make it harder to phish an
OpenID user (or any other redirect-based single-sign-on system). The
second goal is to do so without a plugin or other client-side
modification. Basically, any single sign-on provider could deploy this
It's super simple, and it doesn't change the user's login process much:
they get redirected to their login page normally, and then login
requires first a bookmark click, then a password entry.
(forgetting to click your bookmark at a phishing site is not a big deal:
your bookmark token is not revealed and your password is not enough to
log the adversary in.)
I know JanRain recently implemented a bookmark-based anti-phishing
solution proposed by Simon Willinson. This proposal is a bit different:
the bookmark is more than a server locator, it's also a second
I've posted all the details at:
and there's a demo server at:
Looking forward to feedback!
You received this message because you are subscribed to the Google Groups
"Identity Gang" group.
To post to this group, send email to idworkshop at googlegroups.com
To unsubscribe from this group, send email to
idworkshop-unsubscribe at googlegroups.com
For more options, visit this group at
------ End of Forwarded Message
More information about the general