[OpenID] Why spoofing and OpenID look so much alike

Peter Williams pwilliams at rapattoni.com
Mon Sep 29 13:01:12 UTC 2008


In IE3, Authenticode users were shown a very characteristic certificate-like dialog, introducing the trusted publishers of native code in signed/timestamp-validated ActiveX form. Netscape marketing educated users to hate it (too complex!), so normal competition made it disappear. Everyone suffered.

There are downsides to the US cult of simplicity in design: a tendency to make it too dumb and fast, so systemic risks actually go up.



-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Sunday, September 28, 2008 11:37 PM
To: Allen Tom <atom at yahoo-inc.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Why spoofing and OpenID look so much alike


>If the user is usually signed into their OP before using OpenID,
>then we might be able to train users to think that entering their
>password is a special event, which requires vigilance and caution.
>Education and evangelism against the password/phishing anti-pattern
>could go a long ways to prevent phishing.
>
>Yahoo's Login Screen encourages users to set up a customized Sign-in seal

Seal. Badge?

Has anyone gathered up various analogies to see which of them users
find most helpful in understanding digital authentication concepts? I
think it could be useful.

Right now I'm thinking of telling users that, when they log in to
Yahoo, it's like the security guard at Yahoo's door gives them a
badge to identify them, and when they use OpenID, they're showing
their badge to my site. Making it more accurate, but also complex, I
could model privacy by explaining that the user can tuck their badge
inside their jacket (or a pocket) to make sure we can't see who they
are at Yahoo unless the user deliberately takes it out to show us,
and explain Yahoo's timeout by saying that they only get a day pass
(or one that's only good for a few hours), so occasionally their
badge - like a credit card - is getting checked against Yahoo's
systems when it starts flashing "Expired".

-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general