[OpenID] OpenID Uri versus Email addresses

SitG Admin sysadmin at shadowsinthegarden.com
Wed Aug 6 15:37:37 PDT 2008


>asked to sign in on a page, users immediately enter their email
>address *and* password.  That's scary to me

I found this scary:
http://adactio.com/journal/1357/

>and really highlights both
>the usability problems we're seeing as well as the security dilemmas

I've read that we can educate users about not entering their 
passwords anywhere but at an OP's site. Yet all an attacker has to do 
is put up a greeting page (once the user has returned from their OP 
with a successful authentication) explaining that the user has now 
earned the right to prove their identity to the *RP* by entering 
their password, and the same lowered resistance to changing sign-on 
methods that led to them adopting OpenID in the first place, will 
fail to defend them against the malicious RP telling them how it has 
to be done *now*.

I'm in favor of training users to *expect* phishing attempts, and 
rewarding users for not being tricked. For instance, a Relying Party 
could give its OpenID users a setting for "How often would you like 
to be reminded about not being phished?" (with "never" an option for 
those of us who are certain we know better), and then, every 3-9 or 
so login attempts, prompt them for their username/password to see 
what the user did. Previously given instructions, of course, would 
have informed the user to leave the area blank; if left blank on 
submission, the instructions would be repeated and the user 
congratulated on having done well, but if any text WAS submitted, the 
user would be warned about this and a suggestion could be made that 
they only give false passwords in future.

The real problem, of course, is getting users to pay attention to the 
exact lettering of that URL field in their browser, and check if the 
entity asking them for information has the authority to do so. That's 
a larger human problem, though :(

Perhaps getting users to mentally decouple their identity and 
credentials would lead somewhere more interesting?

-Shade
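As an added illustration of the reminder scheme proposed above, and not code from the original post or from any OpenID project, the following Python sketch shows what the relying-party side of such a "phishing drill" could look like: a per-user drill frequency (with "never" as an option), a countdown that re-arms at a random interval of 3-9 logins, and the grading of whatever the user typed into the drill form. The names `DrillPolicy`, `PhishingDrill` and the message texts are assumptions of the example; the submitted text is only checked for emptiness and is never stored or logged.

```python
"""Hypothetical relying-party "phishing drill" (constructed example, not
OpenID library code): periodically show a fake password prompt after a
successful OpenID login and grade whether the user left it blank."""
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DrillPolicy:
    """Per-user setting for "how often would you like to be reminded?".

    min_gap/max_gap bound the number of successful logins between drills
    (inclusive). A min_gap of None means the user chose "never"."""
    min_gap: Optional[int] = 3
    max_gap: Optional[int] = 9


# Assumed wording; the original post only describes the behaviour.
INSTRUCTIONS = (
    "Reminder: only your OpenID provider should ever see your password. "
    "This site is asking as a drill. Leave both fields blank and submit."
)
CONGRATULATIONS = "Well done: you left the drill fields blank. " + INSTRUCTIONS
WARNING = (
    "Warning: you typed something into a password prompt on a site that is "
    "not your OpenID provider. Only your provider should ever receive your "
    "password; in future, give a made-up one here if you must type anything."
)


class PhishingDrill:
    """Tracks one user's countdown to the next drill."""

    def __init__(self, policy: DrillPolicy, rng: Optional[random.Random] = None):
        self.policy = policy
        # SystemRandom by default so the drill timing is not predictable;
        # a seeded Random can be injected for deterministic testing.
        self.rng = rng or random.SystemRandom()
        self.countdown = self._next_gap()

    def _next_gap(self) -> Optional[int]:
        if self.policy.min_gap is None or self.policy.max_gap is None:
            return None  # "never" remind this user
        return self.rng.randint(self.policy.min_gap, self.policy.max_gap)

    def on_successful_login(self) -> bool:
        """Call once per successful OpenID login (after the OP round trip).

        Returns True when the drill prompt should be shown on this login."""
        if self.countdown is None:
            return False
        self.countdown -= 1
        if self.countdown > 0:
            return False
        self.countdown = self._next_gap()  # re-arm for the next 3-9 logins
        return True

    @staticmethod
    def grade(username: str, password: str) -> Tuple[bool, str]:
        """Grade the drill submission. Only emptiness is inspected; the
        values themselves are deliberately never retained or logged."""
        if username.strip() == "" and password.strip() == "":
            return True, CONGRATULATIONS
        return False, WARNING


if __name__ == "__main__":
    drill = PhishingDrill(DrillPolicy(min_gap=3, max_gap=3))
    for n in range(1, 7):
        if drill.on_successful_login():
            print(f"login {n}: show drill -> {INSTRUCTIONS}")
    print(PhishingDrill.grade("", "")[1])
    print(PhishingDrill.grade("alice", "hunter2")[1])
```

In a real deployment the countdown would live in the user's account record rather than in memory, and the drill form would be a separate page shown only after the OP has already asserted the identity, so that a real credential is never requested on the same page as the drill.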