[OpenID] Anti-phishing workaround idea

Gabe Wachob gabe.wachob at amsoft.net
Thu Jan 18 17:48:26 UTC 2007


Just a thought to perhaps deal with the phishing/MITM issues with
authenticating to a user's OpenID Provider.

Many OP's set a (session) cookie after you log in so that when you
authenticate once in a browser session, you don't have to authenticate
again.

There's no reason this authentication has to happen at the time of asserting
your openid at a Relying Party.

What if a firefox/mozilla plugin/extension/feature automatically logged you
in to your OP when you first ran Firefox (with credentials managed by the
password manager in firefox), after authenticating to your local (firefox)
password manager. This could be relatively seamless if users already use the
password manager (let's hope they use at least password protection - but we
know they probably don't). This is, of course, assuming user/pass
authentication - there are certainly better authentication mechanisms in
place.

Users may still have to interact with their OP, but at least they wouldn't
have to re-authenticate after identifying themselves to an RP.

This obviously requires a little bit of user training. But if you could
authenticate on startup, there's much reduced opportunity for a MITM attack
when you are authenticating to your OP.

Thoughts?

    -Gabe
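A toy model of the proposal above, added here as an illustration and not code from the original post: the browser logs in to the OP once at startup and keeps only the OP's session cookie, so a later RP-initiated check either succeeds on the cookie alone or reports that a credential prompt would be needed (which the proposed extension could treat as a warning sign). Class and method names, the cookie format and the password hashing are all constructed for this example.

```python
import hashlib
import hmac
import secrets


class OpenIDProvider:
    """Toy OP: username -> (salt, digest) and session cookie -> username."""

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + password.encode()).digest()
        self.users[username] = (salt, digest)

    def login(self, username, password):
        """Credential login; returns a fresh session cookie or None."""
        salt, digest = self.users.get(username, (b"", b""))
        attempt = hashlib.sha256(salt + password.encode()).digest()
        if not hmac.compare_digest(digest, attempt):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def checkid(self, cookie, claimed_user):
        """RP-initiated request: assert from the session cookie alone,
        otherwise report that credentials would have to be prompted for."""
        if cookie is not None and self.sessions.get(cookie) == claimed_user:
            return "assert"
        return "prompt"


class Browser:
    """Holds OP cookies the way the proposed startup extension would."""

    def __init__(self, password_manager):
        self.password_manager = password_manager  # op name -> (user, password)
        self.cookies = {}                          # op name -> session cookie

    def startup(self, providers):
        # Proposed step: authenticate to every known OP when the browser starts,
        # so the password is entered only here and never during an RP redirect.
        for op_name, (user, pw) in self.password_manager.items():
            cookie = providers[op_name].login(user, pw)
            if cookie is not None:
                self.cookies[op_name] = cookie

    def visit_rp(self, providers, op_name, claimed_user):
        # The RP redirects to the OP; only the cookie travels. A "prompt" result
        # means no startup session exists, which the extension could flag
        # instead of letting the user type a password into a redirected page.
        return providers[op_name].checkid(self.cookies.get(op_name), claimed_user)
```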
