[OpenID] Combining Google & Yahoo user experience research

Allen Tom atom at yahoo-inc.com
Sat Oct 18 03:34:33 UTC 2008


Dick Hardt wrote:
>
> The UX of getting a verified email and then auto binding an existing
> account is cleaner. It does mean that if I can prove I have your email
> address, that I can take over your account. Seems to broaden the
> attack surface rather than narrow it.
>

Hi Dick,

Many sites allow an account's password to be reset by sending a Reset 
Token to an email address associated with the account. An attacker who 
gains access to the email address is able to reset the password, and is 
therefore able to take over the account. If the ability to reset a 
password is equivalent to logging in, then the attack surface is really 
unchanged.

Allen
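As an added illustration of the equivalence Allen argues for (not code from this thread or from any OpenID implementation), the toy model below gives a site both entry paths, an e-mailed reset token and auto-binding on a verified e-mail, and checks which accounts whoever controls a given mailbox can reach. All account data, mailboxes and function names are constructed for this example.

```python
import hashlib
import secrets
import time

# Constructed in-memory model: one site, two ways into an existing account.
RESET_TTL = 900  # seconds a reset token stays valid (assumed policy)

accounts = {"alice": {"email": "alice@example.test", "password": "old"}}
reset_tokens = {}   # sha256(token) -> (username, expiry); never the raw token
mailboxes = {}      # address -> tokens delivered to that mailbox (constructed)


def request_reset(email):
    """Path 1: mail a single-use, time-limited reset token; store only its hash."""
    for user, acct in accounts.items():
        if acct["email"] == email:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            reset_tokens[digest] = (user, time.time() + RESET_TTL)
            mailboxes.setdefault(email, []).append(token)
    # Identical reply whether or not the address exists, to avoid enumeration.
    return "if that address is registered, a reset link has been sent"


def redeem_reset(token, new_password):
    """Consume a reset token and set a new password; None if invalid/expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)   # pop makes the token single-use
    if entry is None or time.time() > entry[1]:
        return None
    user, _expiry = entry
    accounts[user]["password"] = new_password
    return user


def login_with_verified_email(verified_email):
    """Path 2: an OP-verified e-mail is auto-bound to the matching account."""
    for user, acct in accounts.items():
        if acct["email"] == verified_email:
            return user
    return None


def reachable_from_mailbox(address):
    """Which account does control of this mailbox reach, via each path?"""
    request_reset(address)
    delivered = mailboxes.get(address, [])
    via_reset = redeem_reset(delivered[-1], "new-password") if delivered else None
    via_binding = login_with_verified_email(address)
    return via_reset, via_binding
```

Both paths resolve to the same account for the mailbox owner and to nothing for anyone else, which is the sense in which the attack surface is unchanged; the reset path additionally shows the hashed, expiring, single-use token handling a site should use.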
