[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
scott at janrain.com
Sat Jan 20 15:43:36 UTC 2007
>> Phishing is a _huge_ problem ... By huge I don't mean it's happening all over
>> the place, I mean it's a the-Internet-Sucks problem. That alone is reason
>> enough to leave it as out-of-scope for OpenID.
> No one expects OpenID to make phishing go away. I understand that.
> But OpenID exacerbates phishing, and that has to be acknowledged.
Well, you quoted only part of what I wrote. The second half went on to say
that authentication is out-of-scope because there will be many ways to
authenticate via OpenID ... Not just from redirects to forms.
I'm with the others on this list that have said the following:
1) OpenID will not solve phishing
2) To limit the problem, we'll need a set of best practices for OPs
3) There is no silver bullet for solving phishing and users will want to
choose what level of security they want; we can't mandate any of this or
we'll lose the very value of what makes OpenID great.
I think that the suggestions on this list, taken together, provide quite a
defense against phishing.