[OpenID] An alternative OpenID UX
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Apr 20 10:23:44 UTC 2009
>>Though without some trust mechanism with the OPs I don't know that
>>having two or three OPs say they have performed biometrical
>>authentication of the user, is that much better than one.
>
>Assume one is offline and another is malicious; for more detail, see
>http://openid.net/pipermail/general/2009-January/007786.html
>(Also note that multiple factors should be covered.)
Another thought: how many password-recovery services send a
notification to the E-mail address on file if someone so much as
*requests* the password hint for an account? If few, there would be
little to lose by the OP advertising "we need their favorite pet's
name" versus "mother's maiden name" versus "model of their first
car". I won't go on about the stupidity of using questions like these
on the very social networking sites that *expose* such information to
all and sundry; I just want to suggest that RPs look for a different
question (the "what you know" authentication factor being further
subdivided) from each OP, to be certain that all 3 accounts haven't
been compromised by a single common answer.
-Shade