[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Simon Willison
simon at simonwillison.net
Fri Jan 19 15:28:49 UTC 2007
On 19 Jan 2007, at 15:12, Marcin Jagodziński wrote:
> I don't think it will work, sorry. While this prevents phishing, this
> also prevents OpenID from mass adoption. People are lazy, they don't
> want to type anything. That is of course my humble opinion.
Most of the time they wouldn't have to type anything, as they would
already be logged in to their identity provider. With seals based on
persistent cookies, users need to know:
1. If the site is showing your seal, it's safe to log in.
2. If the site isn't showing your seal, it's NOT safe to log in.
Since a spoofed login page won't remind them about the seal, it's
easy to see how they could still be taken in. The nice thing about
the landing page proposal is that it's totally unambiguous: it
teaches users "ONLY log in if you have navigated to the login page
yourself", and makes it easy to tell the difference between a spoof
page and the real thing.
Unfortunately all I can do here is second-guess the behaviour of
users - what's really needed is serious usability research. There's
plenty of academic work around this area; maybe someone on the list
can point out some references.
Cheers,
Simon