[OpenID] Another Client-side Password Phishing Mitigation Idea

Martin Atkins mart at degeneration.co.uk
Mon Jan 22 08:22:33 UTC 2007


Dmitry Shechtman wrote:
> 
>> What about Flash and other login forms?
> 
> If you have a solution for these, I'd love to hear all about it.
> 

It may be worth investigating the possibility of a Yadis service type 
that says "I'm an OpenID RP; Here's my return_to URL, trust_root etc" so 
that the login can be initiated from the browser chrome. Then the user 
doesn't need to touch a "login form" at all: just hit the "OpenID Login" 
button in the browser chrome.

Could also give sites a scripting API to start this process, since users 
seem to prefer to interact with the site itself rather than the browser 
chrome:

     // Feature-detect the proposed browser-provided identity API.
     if (window.IdentityManager) {
         var req;

         // Called by the browser once the user has picked an identity.
         var callback = function () {
             if (req.success) {
                 // Fill the hidden form fields (not replace the elements).
                 document.loginForm.openid_identifier.value = req.identifier;
                 document.loginForm.openid_signature.value = req.signature;
                 // ....
                 document.loginForm.submit();
             }
         };

         // return_to and trust_root are the RP's own values, defined elsewhere.
         req = IdentityManager.GetIdentity(
             "OpenID", return_to, trust_root, callback
         );
     }

(Though I'm not sure what UI sites would provide for that, admittedly.)

All of these proposals make an assumption which I suspect may be flawed: 
we're assuming that if browsers have an "Identity Manager" component, 
users will be wary of sites that bypass the identity manager and ask for 
a password directly. However, I'm not convinced that's the case: users 
will generally do whatever a site asks to get things to "work", and 
there are already lots of sites out there that ask for passwords without 
popping up an "Identity Manager" so training users never to log in when 
identity manager isn't around is probably not feasible.
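A sketch of the first half of the proposal (the Yadis service entry the browser chrome would read), as an added example that is not code from this thread: it parses an XRDS document for a hypothetical RP service type (the type URI, the TrustRoot element and the hostnames are placeholders) and applies a simplified OpenID 2.0 realm check so the chrome only offers "OpenID Login" when the advertised return_to is actually covered by the advertised trust_root.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
# Placeholder type URI for the proposed "I'm an OpenID RP" Yadis service.
RP_SERVICE_TYPE = "http://example.invalid/openid/rp-discovery"

# Constructed sample XRDS an RP might publish (hosts are placeholders).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://example.invalid/openid/rp-discovery</Type>
      <URI>https://shop.example.com/openid/return</URI>
      <TrustRoot>https://*.example.com/</TrustRoot>
    </Service>
  </XRD>
</xrds:XRDS>"""

def find_rp_service(xrds_text):
    """Return (return_to, trust_root) from the first RP service, else None."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uri = svc.find(f"{{{XRD_NS}}}URI")
        troot = svc.find(f"{{{XRD_NS}}}TrustRoot")  # hypothetical element
        if RP_SERVICE_TYPE in types and uri is not None and troot is not None:
            return uri.text.strip(), troot.text.strip()
    return None

def return_to_matches_trust_root(return_to, trust_root):
    """Simplified OpenID 2.0 realm check: same scheme and port, host equal or
    under a leading "*." wildcard, path under the realm path, no fragments."""
    rt, tr = urlsplit(return_to), urlsplit(trust_root)
    if rt.fragment or tr.fragment or rt.scheme != tr.scheme or rt.port != tr.port:
        return False
    host, realm_host = rt.hostname, tr.hostname
    if not host or not realm_host:
        return False
    if realm_host.startswith("*."):
        if host != realm_host[2:] and not host.endswith(realm_host[1:]):
            return False
    elif host != realm_host:
        return False
    return (rt.path or "/").startswith(tr.path or "/")

def trusted_rp_login_target(xrds_text):
    """What the chrome would do before offering 'OpenID Login' for a site."""
    found = find_rp_service(xrds_text)
    return found if found and return_to_matches_trust_root(*found) else None
```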
