[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Claus Färber
gmane at faerber.muc.de
Sat Jan 20 01:21:00 UTC 2007
Ben Laurie <benl at google.com> wrote:
> a) Push browser authors to add unphishable auth!

Support for TLS client certificates is already built into most browsers.
The OP could generate the key and a certificate for the user so all she
has to do is to download a file from the OP and import it into her
browser.

It does not work on public computers, though. But then, entering a
password at an Internet café isn't a good idea, either. For these
locations, the OP could issue OTPs only valid for one login with limited
privileges on managing one's account (so a MITM can't do too much
damage).

Claus
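
The one-time-password idea in the message above, as an added example that is not part of the original post: an OP-side store that issues single-use OTPs and grants a redeemed OTP only a restricted session scope. The class, function and scope names are assumptions made for illustration.

```python
import hashlib
import secrets

# Hypothetical scope names; the post only says "limited privileges on
# managing one's account" for OTP logins.
FULL_SCOPE = frozenset({"login", "manage_account"})
OTP_SCOPE = frozenset({"login"})


class OtpStore:
    """OP-side store of one-time passwords, kept only as SHA-256 digests."""

    def __init__(self):
        self._unused = {}  # user -> set of hex digests of unused OTPs

    @staticmethod
    def _digest(otp):
        return hashlib.sha256(otp.encode()).hexdigest()

    def issue(self, user, count=5):
        """Create OTPs while the user is on a trusted machine; shown once."""
        otps = [secrets.token_urlsafe(9) for _ in range(count)]
        digests = self._unused.setdefault(user, set())
        digests.update(self._digest(o) for o in otps)
        return otps

    def redeem(self, user, otp):
        """Return the restricted scope for a valid OTP and burn it, else None."""
        unused = self._unused.get(user, set())
        candidate = self._digest(otp)
        if candidate not in unused:
            return None
        unused.remove(candidate)  # single use: a replayed OTP is rejected
        return OTP_SCOPE


def authorize(scope, action):
    """Check an action against the scope the session received at login."""
    return scope is not None and action in scope
```
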