[OpenID] OpenID and phishing (was: Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
scott at janrain.com
Sat Jan 20 04:50:12 UTC 2007
> Firstly - I don't have an answer - I don't even have a vague suggestion...
> I completely understand that it is not an OpenId issue. - it affects all www
Therein lies the biggest problem.
> How can it be considered out of spec for OpenId, if the mechanics of OpenId
> authentication seem to assist phishing?
> I clearly see it being something that can hold up the official release of
> OpenId 2.0 for a pretty lengthy time - and I realise nobody wants that to
Phishing is a _huge_ problem ... By huge I don't mean it's happening all over
the place, I mean it's a the-Internet-Sucks problem. That alone is reason
enough to leave it as out-of-scope for OpenID. In addition to that (and
others have mentioned this here, I'm merely repeating), auth via a form is
just one way of doing OpenID authentication. Two-factor, FOP, etc. are all
options here so putting "phishing via a form" into the spec is
out-of-scope for this document.
Now, let's be realistic. The majority of users (at least in the near term)
will be using forms via redirects for logins. The ideas here on the list
are all great and I think putting them all together gives us quite a
reasonable defense against phishing. Moreover, the better the anti-phishing
technologies get for OpenID, the better they get for the Internet. I
honestly believe that this is a huge opportunity for OpenID ... If we can
get it right then that can be a significant driver for OpenID. After all,
then you'd only have to worry about your identity provider having the right
technologies to protect you, not every site that you go to.
I like the idea of having a separate specification or appendix on how you
deal with phishing. I also think the finer points of this discussion should
end up in the FAQ; everyone keeps rehashing the same arguments and it would
be nice to be able to just point at a FAQ.