[OpenID] An OpenID "mobile" Hint?
David Recordon
drecordon at sixapart.com
Wed Jun 4 23:50:24 UTC 2008
I think the authentication mechanism would actually be in the minority of
the decisions for this sort of flow; I was using the YubiKey OpenID
Provider as a very clear example of what won't work on a mobile phone.
Today I'm more interested in how we can increase the number of OpenID
Providers that have good mobile experiences and am thinking that this
sort of extension may be a tactic in achieving that goal. Even just
pitting two OpenID Providers which both use passwords against each
other with one having a mobile experience and the other not would be a
good thing in solving this problem.
--David
On Jun 4, 2008, at 2:34 PM, Hans Granqvist wrote:
> It makes sense (though the YubiKey is a mechanism, not a provider), but
> it's a bit dangerous since security decisions on the RP based on the
> User-Agent's self-issued origin/type are quite tricky.
>
> An attacker would pick the easiest mechanism if there is a choice,
> too.
>
> Regardless, the XRDS file could map accepted authentication
> mechanism(s) to each URL as a simple attribute.
>
> Hans
>
>
> On Wed, Jun 4, 2008 at 2:08 PM, David Recordon
> <drecordon at sixapart.com> wrote:
>> In developing a mobile application that uses OpenID for logins one of
>> the things I've become really cognizant of is how poor the mobile
>> experience of most Providers is when it comes to OpenID. It obviously
>> doesn't take a lot to create a streamlined Provider flow for
>> authentication and the trust request, but so far it seems that no one
>> has really done that. I was also thinking more about Providers such
>> as YubiKey where authenticating with a USB device (despite how awesome
>> it is) won't work on my iPhone.
>>
>> I'm wondering if it would be useful to write a dead simple extension
>> to provide some hints around mobile support? Allow a Provider to
>> advertise in an XRDS file that they support a mobile login flow so
>> that Relying Parties could discover that, theoretically making it so
>> that I could use a Provider such as YubiKey on the desktop and then
>> MyOpenID on the phone.
>>
>> Am I barking up a useful tree? If I spec'd this, would any Providers
>> actually implement a mobile friendly flow?
>>
>> --David
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
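As an added illustration of the hinting idea discussed in this thread (not code from the thread or from any OpenID library): an RP-side selector that reads a hypothetical per-URI `flow` attribute out of an XRDS document, along the lines Hans suggests, and falls back to the ordinary endpoint when a Provider does not carry the hint. The `mh:flow` attribute and its namespace URI are assumptions; the XRDS layout and the OpenID 2.0 `server` service type are the standard ones.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"                          # XRD 2.0 element namespace
OP_SERVER = "http://specs.openid.net/auth/2.0/server"  # OpenID 2.0 OP Identifier type
HINT_NS = "http://example.com/openid-mobile-hint/1.0"  # hypothetical, not a real spec
FLOW_ATTR = "{%s}flow" % HINT_NS                       # hypothetical per-URI attribute

# Constructed sample: a Provider advertising a desktop and a mobile endpoint.
HINTED_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:mh="http://example.com/openid-mobile-hint/1.0">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI mh:flow="desktop">https://op.example.com/server</URI>
      <URI mh:flow="mobile">https://op.example.com/m/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: a Provider that has never heard of the hint.
PLAIN_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/server</Type>
    <URI>https://plain.example.org/openid</URI>
  </Service></XRD>
</xrds:XRDS>"""

def op_endpoints(xrds_text):
    """List (priority, flow_hint, uri) for every OP endpoint, best priority first."""
    found = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        if OP_SERVER not in types:
            continue
        prio = int(svc.get("priority", 2**31))  # XRD: no priority means lowest
        for uri in svc.findall(XRD + "URI"):
            if uri.text:
                found.append((prio, uri.get(FLOW_ATTR), uri.text.strip()))
    return sorted(found, key=lambda e: e[0])

def select_endpoint(xrds_text, mobile_client):
    """Choose where to redirect. mobile_client comes from the User-Agent, so it only
    steers UX: a missing or mismatched hint falls back to the best-priority endpoint,
    and the association, signature, nonce and return_to checks are unchanged."""
    endpoints = op_endpoints(xrds_text)
    wanted = "mobile" if mobile_client else "desktop"
    for _prio, flow, uri in endpoints:
        if flow == wanted:
            return uri
    return endpoints[0][2] if endpoints else None
```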