[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Sat Jan 20 15:43:36 UTC 2007

>> Phishing is a _huge_ problem ... By huge I don't mean it's happening all over
>> the place, I mean it's an the-Internet-Sucks problem.  That alone is reason
>> enough to leave it as out-of-scope for OpenID.
> No one expects OpenID to make phishing go away.  I understand that.
> But OpenID exacerbates phishing, and that has to be acknowledged.

Well, you quoted only part of what I wrote.  The second half went on to say
that authentication is out-of-scope because there will be many ways to
authenticate via OpenID ... Not just from redirects to forms.

I'm with the others on this list that have said the following:

1) OpenID will not solve phishing
2) To limit the problem, we'll need a set of best practices for OPs
3) There is no silver bullet for solving phishing and users will want to
choose what level of security they want; we can't mandate any of this or
we'll lose the very value of what makes OpenID great.

I think that the suggestions on this list, taken together, provide quite a
defense against phishing.

- Scott
