[OpenID] An alternative OpenID UX

SitG Admin sysadmin at shadowsinthegarden.com
Mon Apr 20 10:23:44 UTC 2009

>>Though without some trust mechanism with the OPs I don't know that 
>>having two or three OPs say they have performed biometrical
>>authentication of the user, is that much better than one.
>Assume one is offline and another is malicious; for more detail, see
>(Also note that multiple factors should be covered.)

Another thought: how many password-recovery services send a 
notification to the E-mail address on file if someone so much as 
*requests* the password hint for an account? If few, there would be 
little to lose by the OP advertising "we need their favorite pet's 
name" versus "mother's maiden name" versus "model of their first 
car". I won't go on about the stupidity of using questions like these 
on the very social networking sites that *expose* such information to 
all and sundry; I just want to suggest that RP's look for a different 
question (the "what you know" authentication factor being further 
subdivided) from each OP, to be certain that all 3 accounts haven't 
been compromised by a single common answer.


More information about the general mailing list