[OpenID] Combining Google & Yahoo user experience research

Martin Atkins mart at degeneration.co.uk
Mon Oct 20 19:55:12 UTC 2008


Brandon Ramirez wrote:
> 
> I care who my bank trusts.  If my money gets stolen because somebody
> set up their own OP that requires no authentication (yes, security
> through obscurity) and some attacker gained enough entry to the bank's
> web app that they exploited a security flaw (let's face it... most
> security is perimeter-based and becomes less stringent post-login), I'd
> be VERY angry with my bank.
> 

It seems to me that in the situation you describe the bank is quite 
rightly culpable, since the security flaw was in their system, not in 
the OP. The OP was working as designed. The bank shouldn't be allowing 
arbitrary users of their online banking system to transfer money out of 
your account.

A more realistic situation for your argument would be if *your* OP had a 
security flaw that allowed someone to access your account *as you* and 
gain access to all operations that only you ought to be able to do. In 
this case it could be argued that the bank is culpable; that would 
certainly make for an interesting court case. Logically though, it 
should be your OP that catches the liability in this case, assuming that 
they didn't disclaim responsibility in their terms of service as Yahoo! 
currently does.

I concede that right now there are no OPs that I'm aware of that accept 
financial liability for flaws in their authentication. I'd be happy to 
be corrected on this.
