[OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)

Simon Willison simon at simonwillison.net
Fri Jan 19 15:10:18 UTC 2007


On 19 Jan 2007, at 15:06, Scott Kveton wrote:

> What if the OP cataloged where you just came from and then  
> presented the
> screen that you mention?  The user is asked to navigate via a  
> bookmark or
> entering the URL in the location bar and then upon logging in is  
> presented
> with a link back to the site they just came from.  Then the user  
> can quickly
> engage and the site can still kick of the SREG mojo instead of  
> having to go
> _back_ to the site in question to re-initiate the login.

That's actually what I had in mind - I should have made that more  
clear. When you arrive on the landing page a cookie is set to allow  
the site to track your half-complete authentication request; once you  
log in you get a link to continue with that authentication.

I totally agree that the best thing about OpenID is that it lowers  
the barrier to engagement. My hope is that most users will be logged  
in to their OP most of the time, so they will actually very rarely  
see the landing page.

Cheers,

Simon



More information about the general mailing list