[OpenID] FW: two-factor authentication with a bookmark
Hans Granqvist
hgranqvist at verisign.com
Wed Feb 7 19:25:44 UTC 2007
Even though the idea depends on user-specific actions, such as
"use the bookmark", and though there seems to be some muddled
reasoning related to SSL -- where Ben's post doesn't seem to
agree with his paper whether SSL is easy/usable -- and the
idea has client-deployment dependencies (for example JavaScript,
as aptly discussed in blog/paper)
. . .
nonetheless it seems a way cool idea.
I hope I didn't miss this in the paper, but I'm curious to see
if there is a way to combine the bmauth challenge and the user's
OP password into one, and thus get rid of a phishable password.
(That is, there is no 'normal username/password' login at the OP.
The password the EU has is *only* good when it's used as part of the
bmauth HMAC).
Hans
Scott Kveton wrote:
> Forwarding from the identity gang list (with Ben's permission) ... Very cool
> addition to Simon's thoughts on how to fight phishing. Very cool Ben.
>
> - Scott
>