[OpenID] Security related Use Cases?
Paul Madsen
paulmadsen at rogers.com
Wed Oct 22 02:16:21 UTC 2008
Hi Allen, yes, my point was that there are many reasons why a user (e.g.
me) will be able to convince themselves why the absence of the seal
should not be overly alarming.
Specific to the multi-machine issue, I logged into Yahoo twice today,
once from a machine where I had set the seal, and once from another.
Seeing the seal only 50% of the time makes for poor conditioning to
expect it (I do acknowledge that you do guide users on this issue).
If I wanted to phish a Yahoo user, I'd show a seal with a generic
'Second PC' or 'Home Laptop' text seal, that's the type of message that
many (this one at least) users would be able to 'remember' creating :-)
regards
paul
Allen Tom wrote:
> Hi Paul - the Yahoo Sign-in Seal has to be configured per machine. It
> is not bound to your Yahoo ID, and it is not copied or synchronized
> across different machines.
>
> Thanks
> Allen
>
>
> Paul Madsen wrote:
>> Thanks Allen, yes I understand the premise, but I'm a Yahoo! user
>> and, despite knowing better, I find myself very tolerant of 'not'
>> seeing the seal (which I know I set up at some point, but can't
>> remember if I removed it, or did I do it from another machine, or was
>> it for a different account, or was it Google, etc ....)
>>
>> paul
>>
>> Allen Tom wrote:
>>> Paul Madsen wrote:
>>>> Even better 'please login so we can display your personalized seal'
>>>>
>>> This is exactly why we want the Login UX to be very consistent, so
>>> users should be very alarmed if the flow ever changes.
>>>
>>> Allen
>>>
>>>
>>>
>>
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com