[OpenID] FB Connect, OpenID and UX
David Fuelling
sappenin at gmail.com
Tue Dec 16 05:56:12 UTC 2008
On Mon, Dec 15, 2008 at 7:49 PM, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
> I am seriously seriously missing something here? I love the UX on FB
> Connect but all I see are potential security holes.
>
> IMHO OpenID should be built **into** the browsers if we want to get this
> kind of inline authentication mechanism.
>
>
+1, and then some. Popup windows asking for a password are very easy to
phish, both when the user doesn't click into the address bar to see that the
covered-up URL isn't actually Facebook's (or whoever's site), and when the
user doesn't click into the URL bar to notice that it's not actually a
Facebook browser popup, but is instead a popup with an image that looks like
a URL bar from Facebook, but is actually a popup window from some other site
that's trying to steal your password.

I like MyOpenId's client cert login method -- I don't ever have to enter a
password anymore, so I don't worry about it. That combined with Sxipper,
and I feel pretty good about most of my logins nowadays.