[OpenID] FW: two-factor authentication with a bookmark

Hans Granqvist hgranqvist at verisign.com
Wed Feb 7 19:25:44 UTC 2007

Even though the idea depends on user-specific actions, such as
"use the bookmark", and though there seems to be some muddled
reasoning related to SSL -- where Ben's post doesn't seem to
agree with his paper whether SSL is easy/usable -- and the
idea has client-deployment dependencies (for example JavaScript,
as aptly discussed in blog/paper)

. . .

nonetheless it seems a way cool idea.

I hope I didn't miss this in the paper, but I'm curious to see
if there is a way to combine the bmauth challenge and the user's
OP password into one, and thus get rid of a phishable password.

(That is, there is no 'normal username/password' login at the OP.
The password the EU has is *only* good when it's used as part of the 
bmauth HMAC).


Scott Kveton wrote:
> Forwarding from the identity gang list (with Ben's permission) ... Very cool
> addition to Simon's thoughts on how to fight phishing.  Very cool Ben.
> - Scott

More information about the general mailing list