[OpenID] Identity autocomplete

Peter Williams pwilliams at rapattoni.com
Fri Aug 28 16:49:11 UTC 2009


One site in realty is now doing user auth on keystroke analysis. Be
interesting to conceive of a world in which one can learn from web
crawling the "data entry" patterns of users, and thus collect the data
to spoof this bio signal.

Add a col to the rainbow table, of the passwords, expressed as
personal keystroke patterns. Then start phishing...

What would the openid antiphishing countermeasure be?



On Aug 28, 2009, at 8:43 AM, "SitG Admin" <sysadmin at shadowsinthegarden.com> wrote:

>> You should be able to say:
>>
>> "Chris"
>>
>> And the system responds: "Chris who?"
>>
>> I'm only partially joking.
>
> Google sometimes guesses what I'm trying to look for and offers
> autocomplete suggestions as I'm typing. I dislike this because, as it
> reveals, Google is having my keystrokes sent to them in real time.
> The privacy concern with a RP is that it would reveal the existence
> of other names (commonly associated with Chris, to continue your
> example) known to that system. Especially since I wouldn't (at that
> time) even be *verified* as having (any claim to) the name Chris
> myself, because the system wouldn't be sure *who* I was (but would be
> trying to help me figure it out). I could just type in names, whoever
> I was after, and hope to find them. I just know their first name? Is
> it an especially *uncommon* first name? Oh, good - well, then, let me
> see if any popular sites know them by (an account associated with)
> their *last* name.
>
> I do think it's a nice feature, but I don't see it going any further
> than "Your username is 'factoryjoe' at which site?".
>
> -Shade
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general

