[OpenID] OpenID and phishing (wasAnnouncing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Sat Jan 20 04:50:12 UTC 2007


> Firstly - I don't have an answer - I don't even have a vague suggestion...
> I completely understand that it is not an OpenId issue. - it effects all www
> traffic.

Therein lies the biggest problem.
 
> How can it be considered out of spec for OpenId, if the mechanics of OpenId
> authentication seem to assist phishing?
> I clearly see it being something that can hold up the official release of
> OpenId 2.0 for a pretty lengthy time - and I realise nobody wants that to
> happen. 

Phishing is a _huge_ problem ... By huge I don't mean its happening all over
the place, I mean its an the-Internet-Sucks problem.  That alone is reason
enough to leave it as out-of-scope for OpenID.  In addition to that (and
others have mentioned this here, I'm merely repeating), auth via a form is
just one way of doing OpenID authentication.  Two factor, FOP, etc are all
options here so putting "phishing for via a form" into the spec is
out-of-scope for this document.

Now, let's be realistic.  The majority of users (at least in the near term)
will be using a forms via redirects for logins.  The ideas here on the list
are all great and I think putting them all together gives us quite a
reasonable defense against phishing.  Moreover, the better the anti-phishing
technologies get for OpenID, the better they get for the Internet.  I
honestly believe that this is a huge opportunity for OpenID ... If we can
get it right then that can be a significant driver for OpenID.  After all,
then you'd only have to worry about your identity provider having the right
technologies to protect you, not every site that you go to.

I like the idea of having a separate specification or appendix on how you
deal with phishing.  I also think the finer points of this discussion should
end up in the FAQ; everyone keeps rehashing the same arguments and it would
be nice to be able to just point at a FAQ.

- Scott




More information about the general mailing list