[OpenID] OpenID and SSO
Dick Hardt
dick at sxip.com
Fri Jun 27 19:30:19 UTC 2008
On 27-Jun-08, at 12:25 PM, Eric Norman wrote:
>
> On Jun 27, 2008, at 9:25 AM, Dick Hardt wrote:
>
>> *if* the RP remembers the user's OpenID the first time they visit the
>> site and the user only uses one OpenID on the site, then when the user
>> returns, and if the RP autofills the OpenID in the form, then the user
>> just has to click the submit button to login (assuming they have a
>> valid session at their OP and their OP is configured to automatically
>> login to that RP).
>>
>> Lots of assumptions in this flow, definitely room for improvement.
>>
>> Question: do people think improving this is important?
>
> Well, I certainly think that the fewer actions that a user has
> to perform, whether they be physical (e.g. clicking) or cognitive
> (e.g. remembering), then the riskier and less safe the login
> process is from the point of view of security. This does assume
> that the user has close to an accurate understanding of the action
> she is about to perform. The latter is a lot more difficult to
> effect than most with geek training believe.
>
> To reiterate, the main point here is that fewer user actions
> imply less safety.
Interesting logic. Does that mean that more actions is more safety?
Would the security of each action not be relevant?
Is "asasasasasasasasasasasasasasasasasas" a better password than
"6 at h." because there are more keystrokes?
If you make the user jump through a bunch of hoops each time they
authenticate, they strive to make their life simpler, not more secure.
Writing the really strong password on the sticky right beside the
monitor is a classic example.
-- Dick