[OpenID] OpenID and SSO
Eric Norman
ejnorman at doit.wisc.edu
Fri Jun 27 19:25:47 UTC 2008
On Jun 27, 2008, at 9:25 AM, Dick Hardt wrote:
> *if* the RP remembers the user's OpenID the first time they visit the
> site and the user only uses one OpenID on the site, then when the user
> returns, and if the RP autofills the OpenID in the form, then the user
> just has to click the submit button to login (assuming they have a
> valid session at their OP and their OP is configured to automatically
> login to that RP
>
> Lots of assumptions in this flow, definitely room for improvement.
>
> Question: do people think improving this is important?
Well, I certainly think that the fewer actions that a user has
to perform, whether they be physical (e.g. clicking) or cognitive
(e.g. remembering), the riskier and less safe the login
process is from the point of view of security. This does assume
that the user has close to an accurate understanding of the action
she is about to perform. The latter is a lot more difficult to
effect than most with geek training believe.

To reiterate, the main point here is that fewer user actions
imply less safety.
Eric Norman