[OpenID] Another Client-side Password Phishing Mitigation Idea

Marcin Jagodziński marcin.jagodzinski at gmail.com
Mon Jan 22 08:52:28 UTC 2007


2007/1/22, Martin Atkins <mart at degeneration.co.uk>:
> It may be worth investigating the possibility of a Yadis service type
> that says "I'm an OpenID RP; Here's my return_to URL, trust_root etc" so
> that the login can be initiated from the browser chrome. Then the user
> doesn't need to touch a "login form" at all: just hit the "OpenID Login"
> button in the browser chrome.

I like this. Sounds good.

> All of these proposals make an assumption which I suspect may be flawed:
> we're assuming that if browsers have an "Identity Manager" component,
> users will be wary of sites that bypass the identity manager and ask for
> a password directly. However, I'm not convinced that's the case: users
> will generally do whatever a site asks to get things to "work", and
> there are already lots of sites out there that ask for passwords without
> popping up an "Identity Manager" so training users never to log in when
> identity manager isn't around is probably not feasible.

It's the OP's responsibility. I suppose the OP page can discover if the
client has the plugin installed and warn her every time that it should be
installed.

How did the Flash plugin spread so quickly? We should learn from this
example. And this teaches us that the discussion about whether this should
or should not be a "core" browser function is irrelevant. I suppose that
for 90% of people Flash IS a "core" component.

We cannot train users never to log in without the IdM. But we have to do
our best to convince them to install the plugin.

What about OP without login/password at all? :) Or hidden after "You
should always use Identity Manager to login. If for some reason you're
unable to use it, please 1) check if location bar displays your OpenID
2) check SSL certificate, 3) use this link to log in."

An idea for the plugin: let the user customize its chrome. The user should
have an option to insert his own photo in the GUI.

regards

Marcin
