[OpenID] PAPE yahoo?
Simon Josefsson
simon at josefsson.org
Thu Jul 3 09:13:29 UTC 2008
Allen Tom <atom at yahoo-inc.com> writes:
> Hi Peter,
>
> Yahoo issues persistent browser sessions that are valid for up to 14
> days, and the Yahoo OpenID Provider does not re-prompt for the user's
> password before we send an assertion to the Relying Party. We do not
> re-prompt the user for their password in order to improve the usability
> of the service.
>
> Generally speaking, sites that authorize financial transactions
> re-prompt the user for their password before authorizing the
> transaction, even if the user is already logged in.
>
> We're definitely interested in seeing OpenID being used to authorize
> high value transactions, and hopefully the new PAPE extension will make
> this a reality.

Do you see a need for the RP to request from the OP to re-prompt the
user for the password? How could you achieve that with PAPE?

This seems similar to my discussions on specs@ about a similar feature
for one-time-passwords. If there is a way, with PAPE, for an RP to
request authentication re-prompt from the OP for passwords, it could
probably be used to re-prompt one-time-passwords too.

Thanks,
Simon
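
Added example, not part of the original message: a sketch of how an RP could ask for a recent login and then enforce it on the assertion. The parameter names (max_auth_age, auth_time, preferred_auth_policies) and the namespace URI are taken from the PAPE 1.0 specification, not from this thread; the function names, the 60-second skew and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

def pape_request_params(max_auth_age):
    """Extra parameters the RP adds to its checkid_setup request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": "",  # required key, may be empty
        "openid.pape.max_auth_age": str(max_auth_age),  # seconds
    }

def check_auth_age(resp, max_auth_age, now, skew=60):
    """Return (ok, reason) for a positive assertion.

    Assumes the RP has already verified the assertion signature;
    `resp` is the dict of openid.* response parameters.
    """
    # The OP may pick any alias for the extension, so look it up by URI.
    alias = next((k[len("openid.ns."):] for k, v in resp.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE response"
    # Only fields listed in openid.signed are covered by the signature.
    signed = resp.get("openid.signed", "").split(",")
    if f"ns.{alias}" not in signed or f"{alias}.auth_time" not in signed:
        return False, "auth_time missing or unsigned"
    try:
        auth_time = datetime.strptime(
            resp[f"openid.{alias}.auth_time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "auth_time malformed"
    age = (now - auth_time).total_seconds()
    if age < -skew:
        return False, "auth_time in the future"
    if age > max_auth_age + skew:
        return False, "session too old"
    return True, "fresh"

# Constructed sample: a browser session started eight days before the check.
NOW = datetime(2008, 7, 3, 9, 13, 29, tzinfo=timezone.utc)
STALE = {"openid.ns.pape": PAPE_NS,
         "openid.pape.auth_time": "2008-06-25T08:00:00Z",
         "openid.signed": "op_endpoint,ns.pape,pape.auth_time"}
```

An RP authorizing a high-value action would treat any result other than "fresh" as a failed authentication, since an OP that ignores the extension simply returns no PAPE fields.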