[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)
simon at simonwillison.net
Sat Jan 20 00:47:31 UTC 2007
On 20 Jan 2007, at 00:26, Gabe Wachob wrote:
> It is entirely possible to use, for example, token-based
> authentication that isn’t susceptible to the same phishing attacks.
If by token-based authentication you mean those little RSA keyfobs,
I'm pretty sure they're still just as susceptible to phishing as a
username and password. In a phishing attack the fake authentication
screen can act as a man-in-the-middle, so when you log in to it using
your token the attacking site can use the information you provide to
log in to your identity provider at the same time.
More information about the general