[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Claus Färber gmane at faerber.muc.de
Sat Jan 20 01:21:00 UTC 2007


Ben Laurie <benl at google.com> wrote:
> a) Push browser authors to add unphishable auth!

Support for TLS client certificates is already built into most browsers.  
The OP could generate the key and a certificate for the user so all she  
has to do is to download a file from the OP and import it into her  
browser.

It does not work on public computers, though. But then, entering a
password at an Internet café isn't a good idea, either. For these
locations, the OP could issue OTPs only valid for one login with limited
privileges on managing one's account (so a MITM can't do too much
damage).

Claus
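
The single-use, limited-privilege OTP idea from the message above, sketched as an added example (not part of the original post or of any OpenID specification). The class, function and scope names are hypothetical, and the OP is assumed to hand out the OTP batch during a fully authenticated session.

```python
import hashlib
import hmac
import secrets

# Hypothetical scope names, constructed for this illustration.
FULL_SCOPE = {"login", "manage_account"}   # e.g. session backed by a TLS client certificate
LIMITED_SCOPE = {"login"}                  # session backed by a one-time password


class OneTimePasswordStore:
    """OP-side store of single-use passwords, kept only as salted hashes."""

    def __init__(self):
        self._unused = {}  # user -> (salt, set of digests of unused OTPs)

    @staticmethod
    def _digest(salt, otp):
        # OTPs are random 96-bit tokens, so a fast salted hash is sufficient here.
        return hashlib.sha256(salt + otp.encode()).digest()

    def issue(self, user, count=5):
        """Generate a fresh batch of OTPs; the plaintext is returned exactly once."""
        salt = secrets.token_bytes(16)
        otps = [secrets.token_urlsafe(12) for _ in range(count)]
        self._unused[user] = (salt, {self._digest(salt, o) for o in otps})
        return otps

    def redeem(self, user, otp):
        """Consume an OTP and return the limited scope, or None if unknown or reused."""
        salt, unused = self._unused.get(user, (b"", set()))
        candidate = self._digest(salt, otp)
        match = None
        for stored in unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return None
        unused.discard(match)      # valid for one login only
        return set(LIMITED_SCOPE)  # never FULL_SCOPE, so an intercepted OTP cannot manage the account


def allowed(scope, action):
    """Authorization check the OP would apply to each request in the session."""
    return scope is not None and action in scope
```
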