[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Simon Willison simon at simonwillison.net
Fri Jan 19 15:28:49 UTC 2007


On 19 Jan 2007, at 15:12, Marcin Jagodziński wrote:
> I don't think it will work, sorry. While this prevents phishing, this
> also prevents OpenID from mass adoption. People are lazy, they don't
> want to type anything. That is of course my humble opinion.

Most of the time they wouldn't have to type anything, as they would  
already be logged in to their identity provider. With seals based on  
persistent cookies, users need to know:

1. If the site is showing your seal, it's safe to log in.
2. If the site isn't showing your seal, it's NOT safe to log in.

Since a spoofed login page won't remind them about the seal, it's  
easy to see how they could still be taken in. The nice thing about  
the landing page proposal is that it's totally unambiguous: it  
teaches users "ONLY log in if you have navigated to the login page  
yourself", and makes it easy to tell the difference between a spoof  
page and the real thing.

Unfortunately all I can do here is second-guess the behaviour of  
users - what's really needed is serious usability research. There's  
plenty of academic work around this area; maybe someone on the list  
can point out some references.

Cheers,

Simon
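To make the cookie-bound seal concrete, here is an added example written for this note (not code from the OpenID specification or from either poster). It assumes a hypothetical signing key, made-up seal phrases and a "user.nonce.mac" cookie format; the point it shows is that the seal only ever appears on the identity provider's own page, and that a look-alike page on another origin simply has no seal to show, which is exactly the absence users must learn to notice.

```python
import hmac
import hashlib
import secrets
import html
from typing import Optional

# Constructed state for the example: a key only the identity provider holds,
# and one seal phrase per user (both hypothetical values).
IDP_KEY = b"idp-cookie-signing-key-example"
SEALS = {"alice": "blue sailboat", "bob": "red kettle"}

def issue_seal_cookie(user: str) -> str:
    """Mint a persistent cookie value 'user.nonce.mac' bound to IDP_KEY."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(IDP_KEY, f"{user}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}.{nonce}.{mac}"

def seal_for_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the user's seal only when a cookie is present and its MAC verifies."""
    if not cookie or cookie.count(".") != 2:
        return None
    user, nonce, mac = cookie.split(".")
    expected = hmac.new(IDP_KEY, f"{user}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return SEALS.get(user)

def render_login_page(cookie: Optional[str]) -> str:
    """The provider's login form; the seal banner is emitted only for a recognised cookie.
    When the cookie is absent or tampered with, nothing draws attention to the gap."""
    seal = seal_for_cookie(cookie)
    banner = f"<p class='seal'>Your seal: {html.escape(seal)}</p>" if seal else ""
    return f"<form method='post'>{banner}<input name='password' type='password'></form>"

def render_spoof_page() -> str:
    """A look-alike form on a different origin: the browser never sends the provider's
    cookie there, so the best it can do is the same form with no seal at all."""
    return render_login_page(None)
```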

