[OpenID] OpenID Uri versus Email addresses

tom calthrop tom at barnraiser.org
Thu Aug 7 12:39:14 UTC 2008


Hi Shade,

This is drifting a bit off topic from the subject, but your email 
reminded me of the list conversation when Mozilla expressed an interest 
in OpenID (not sure what happened to that). I was hoping to see a user 
be able to set a preference in Firefox "my openid is..." and that the 
browser would warn me if something that looks like a phishing attack 
takes place. The spec places this in the hands of the OP developer (see 
openid authentication 2.0 spec chapter 15.3), but I would feel a lot 
happier if the browsers were helping us out a lot more here.

It's not just after authentication either sadly. We did a test with an 
openid login field with the password under it and a submit button under 
that. We did a lab usability experiment a year ago with 20 people. 19 
entered their password in the wrong place and pressed the submit button. 
Because there is such a wide variety in login/registration mechanisms on 
the web the user expects variety and sadly rarely questions it. The 
example you cite in the blog link is ever more common and just makes 
this situation even worse. Given this I believe phishing will always be 
a problem until the browsers play an active part in this part of openid 
security.

Anyone up for working out what the browser would need to do, then with 
foundation approval asking the browser manufacturers to assist? Maybe 
this is already being done, in which case just tell me to shut up :)


tom




SitG Admin wrote:
>> asked to sign in on a page, users immediately enter their email
>> address *and* password.  That's scary to me
>
> I found this scary:
> http://adactio.com/journal/1357/
>
>> and really highlights both
>> the usability problems we're seeing as well as the security dilemmas
>
>
> I've read that we can educate users about not entering their 
> passwords anywhere but at an OP's site. Yet all an attacker has to do 
> is put up a greeting page (once the user has returned from their OP 
> with a successful authentication) explaining that the user has now 
> earned the right to prove their identity to the *RP* by entering 
> their password, and the same lowered resistance to changing sign-on 
> methods that led to them adopting OpenID in the first place, will 
> fail to defend them against the malicious RP telling them how it has 
> to be done *now*.
>
> I'm in favor of training users to *expect* phishing attempts, and 
> rewarding users for not being tricked. For instance, a Relying Party 
> could give its OpenID users a setting for "How often would you like 
> to be reminded about not being phished?" (with "never" an option for 
> those of us who are certain we know better), and then, every 3-9 or 
> so login attempts, prompt them for their username/password to see 
> what the user did. Previously given instructions, of course, would 
> have informed the user to leave the area blank; if left blank on 
> submission, the instructions would be repeated and the user 
> congratulated on having done well, but if any text WAS submitted, the 
> user would be warned about this and a suggestion could be made that 
> they only give false passwords in future.
>
> The real problem, of course, is getting users to pay attention to the 
> exact lettering of that URL field in their browser, and check if the 
> entity asking them for information has the authority to do so. That's 
> a larger human problem, though :(
>
> Perhaps getting users to mentally decouple their identity and 
> credentials would lead somewhere more interesting?
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general