[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Simon Willison simon at simonwillison.net
Sat Jan 20 00:47:31 UTC 2007


On 20 Jan 2007, at 00:26, Gabe Wachob wrote:

> It is entirely possible to use, for example, token-based  
> authentication that isn’t susceptible to the same phishing attacks.

If by token-based authentication you mean those little RSA keyfobs,  
I'm pretty sure they're still just as susceptible to phishing as a  
username and password. In a phishing attack the fake authentication  
screen can act as a man-in-the-middle, so when you log in to it using  
your token the attacking site can use the information you provide to  
log in to your identity provider at the same time.

Cheers,

Simon
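The relay Simon describes, simulated end to end as an added example (this is not code from the thread or from any OpenID implementation): a hypothetical identity provider that requires a password plus an RFC 6238 TOTP code and refuses to accept the same code twice, and a phishing page that forwards whatever the victim types to the real provider the moment it arrives. The user name, password, token secret and timestamps are all constructed for the demonstration. The point it makes beyond the prose is where one-time-ness does and does not help: the live relay yields a valid session, while the attacker's later replay of the same captured code is rejected.

```python
"""Real-time phishing relay against a password + TOTP login (constructed example)."""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # TOTP time step in seconds


def totp(secret: bytes, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamic truncation."""
    counter = int(for_time // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class IdentityProvider:
    """Hypothetical identity provider: password + TOTP, each time step accepted once."""

    def __init__(self):
        self.accounts = {}       # username -> (password, totp_secret)
        self.used_counters = {}  # username -> set of time steps already consumed
        self.sessions = {}       # session token -> username

    def register(self, username, password, totp_secret):
        self.accounts[username] = (password, totp_secret)
        self.used_counters[username] = set()

    def login(self, username, password, otp, now):
        """Return a fresh session token on success, None on failure."""
        record = self.accounts.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        secret = record[1]
        counter = int(now // STEP)
        # Accept the current step and the previous one (clock skew), but never a reused step.
        for c in (counter, counter - 1):
            if c in self.used_counters[username]:
                continue
            if hmac.compare_digest(totp(secret, c * STEP), otp):
                self.used_counters[username].add(c)
                token = secrets.token_hex(16)
                self.sessions[token] = username
                return token
        return None


class PhishingSite:
    """Fake login page that acts as a man-in-the-middle to the real provider."""

    def __init__(self, real_idp):
        self.real_idp = real_idp
        self.captured = []         # (username, password, otp) as typed by the victim
        self.stolen_sessions = []  # session tokens obtained from the real provider

    def submit_login_form(self, username, password, otp, now):
        self.captured.append((username, password, otp))
        # Relay immediately: the code is only valid for the current time step.
        token = self.real_idp.login(username, password, otp, now)
        if token is not None:
            self.stolen_sessions.append(token)
        # Show the victim a success page regardless, so nothing looks wrong.
        return "Welcome back, " + username


def run_scenario(now=None):
    """Victim logs in at the phishing page; attacker relays live, then tries to replay later."""
    now = time.time() if now is None else now
    idp = IdentityProvider()
    secret = secrets.token_bytes(20)  # constructed: the secret provisioned into the victim's token
    idp.register("alice", "correct horse", secret)
    phish = PhishingSite(idp)

    # The victim reads the current code off her token and types it into the fake page.
    phish.submit_login_form("alice", "correct horse", totp(secret, now), now)
    relay_succeeded = (len(phish.stolen_sessions) == 1
                       and idp.sessions[phish.stolen_sessions[0]] == "alice")

    # The attacker's later replays of the captured code fail: the step was consumed,
    # and an hour later it is outside the accepted window anyway.
    u, p, o = phish.captured[0]
    return {
        "relay_succeeded": relay_succeeded,
        "late_replay_token": idp.login(u, p, o, now + 5),
        "expired_replay_token": idp.login(u, p, o, now + 3600),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Nothing in the exchange binds the code to the site the user thinks she is talking to, which is why the relay works: the provider sees a correct password, a correct code for the current step, and a login request that arrived in time, exactly as it would from the legitimate user.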