[OpenID] Another Client-side Password Phishing Mitigation Idea
Martin Atkins
mart at degeneration.co.uk
Mon Jan 22 08:22:33 UTC 2007
Dmitry Shechtman wrote:
>
>> What about Flash and other login forms?
>
> If you have a solution for these, I'd love to hear all about it.
>
It may be worth investigating the possibility of a Yadis service type
that says "I'm an OpenID RP; Here's my return_to URL, trust_root etc" so
that the login can be initiated from the browser chrome. Then the user
doesn't need to touch a "login form" at all: just hit the "OpenID Login"
button in the browser chrome.
Could also give sites a scripting API to start this process, since users
seem to prefer to interact with the site itself rather than the browser
chrome:
if (window.IdentityManager) {
    var req;
    var callback = function () {
        if (req.success) {
            // Copy the identity manager's answer into the site's own
            // form fields (set .value, not the element itself) and
            // submit it as an ordinary OpenID login.
            document.loginForm.openid_identifier.value = req.identifier;
            document.loginForm.openid_signature.value = req.signature;
            // ....
            document.loginForm.submit();
        }
    };
    req = IdentityManager.GetIdentity(
        "OpenID", return_to, trust_root, callback
    );
}
(Though I'm not sure what UI sites would provide for that, admittedly.)
All of these proposals make an assumption which I suspect may be flawed:
we're assuming that if browsers have an "Identity Manager" component,
users will be wary of sites that bypass the identity manager and ask for
a password directly. However, I'm not convinced that's the case: users
will generally do whatever a site asks to get things to "work", and
there are already lots of sites out there that ask for passwords without
popping up an "Identity Manager" so training users never to log in when
identity manager isn't around is probably not feasible.
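Added example, not code from Martin's post or from any OpenID library: what the browser-chrome side of the Yadis proposal above could look like. It reads a constructed XRDS document that advertises an RP's return_to and trust_root, checks that the advertised return_to actually lies under the advertised trust_root (the same rule an OP applies to checkid_setup, so that a doctored XRDS cannot route the assertion to a third-party host), and builds the OpenID 1.1 checkid_setup URL the chrome would send the user to. The service type URI and the TrustRoot element are assumptions for illustration; OpenID 2.0 later standardised only a return_to service type (http://specs.openid.net/auth/2.0/return_to) for RP discovery. The OP endpoint and identity URLs are also made up.

```javascript
// Hypothetical Yadis service type for "I'm an OpenID RP" (assumption, not a
// type defined by any OpenID spec).
const RP_LOGIN_TYPE = "http://example.org/openid/rp-login";

// Constructed XRDS document as an RP might publish it under this proposal.
// The <TrustRoot> element is an assumption; XRDS itself only defines <URI>.
const SAMPLE_XRDS = `<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>${RP_LOGIN_TYPE}</Type>
      <URI>https://www.example.com/openid/return</URI>
      <TrustRoot>https://*.example.com/</TrustRoot>
    </Service>
  </XRD>
</xrds:XRDS>`;

// Pull the RP's return_to (<URI>) and trust_root (<TrustRoot>) out of the
// first <Service> carrying the wanted <Type>. Text-level matching is enough
// for this constructed document; real chrome code would use an XML parser.
function extractRpService(xrds, wantedType = RP_LOGIN_TYPE) {
  const serviceRe = /<Service\b[^>]*>([\s\S]*?)<\/Service>/g;
  let m;
  while ((m = serviceRe.exec(xrds)) !== null) {
    const body = m[1];
    const types = [...body.matchAll(/<Type>\s*([^<]+?)\s*<\/Type>/g)].map(t => t[1]);
    if (!types.includes(wantedType)) continue;
    const uri = /<URI>\s*([^<]+?)\s*<\/URI>/.exec(body);
    const root = /<TrustRoot>\s*([^<]+?)\s*<\/TrustRoot>/.exec(body);
    if (uri && root) return { returnTo: uri[1], trustRoot: root[1] };
  }
  return null;
}

// OpenID trust_root matching: same scheme and port, trust_root path is a
// prefix of the return_to path, and the host is either equal to the root's
// host or (for a "*." root) the root's host or one of its subdomains.
function returnToMatchesTrustRoot(returnTo, trustRoot) {
  const wildcard = trustRoot.includes("://*.");
  let rt, tr;
  try {
    rt = new URL(returnTo);
    tr = new URL(wildcard ? trustRoot.replace("://*.", "://") : trustRoot);
  } catch (e) {
    return false;
  }
  if (rt.protocol !== tr.protocol || rt.port !== tr.port) return false;
  // A wildcard root like https://*.com/ would match every host under a TLD;
  // refuse it (conservative heuristic: the host after "*." must contain a dot).
  if (wildcard && !tr.hostname.includes(".")) return false;
  const hostOk = wildcard
    ? rt.hostname === tr.hostname || rt.hostname.endsWith("." + tr.hostname)
    : rt.hostname === tr.hostname;
  if (!hostOk) return false;
  // Path prefix on segment boundaries: "/openid/" covers "/openid/return",
  // not "/openidx".
  const prefix = tr.pathname.endsWith("/") ? tr.pathname : tr.pathname + "/";
  return rt.pathname === tr.pathname || rt.pathname.startsWith(prefix);
}

// Build the OpenID 1.1 checkid_setup request the chrome would navigate to.
// Refuse when the RP's own advertised return_to is not under its trust_root,
// since a forged XRDS could otherwise deliver the assertion elsewhere.
function buildCheckidSetupUrl(opEndpoint, identity, rp) {
  if (!rp || !returnToMatchesTrustRoot(rp.returnTo, rp.trustRoot)) {
    throw new Error("return_to is outside trust_root; refusing to start login");
  }
  const u = new URL(opEndpoint);
  u.searchParams.set("openid.mode", "checkid_setup");
  u.searchParams.set("openid.identity", identity);
  u.searchParams.set("openid.return_to", rp.returnTo);
  u.searchParams.set("openid.trust_root", rp.trustRoot);
  return u.toString();
}

// End-to-end run on the constructed document with made-up OP and identity URLs.
function demo() {
  const rp = extractRpService(SAMPLE_XRDS);
  return buildCheckidSetupUrl("https://op.example.net/server",
                              "https://alice.example.net/", rp);
}
```

The trust_root check is the part worth keeping even if the XRDS format changes: the chrome, not the RP page, is now the thing deciding where the OP's assertion goes, so it has to apply the return_to/trust_root rule itself rather than trusting whatever the discovered document says.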