No subject


Wed Mar 4 18:19:19 UTC 2009


ins the context of the RP's site, which is the biggest complaint that we've received with BBAuth, OAuth, and OpenID. Facebook, Yahoo, many others have UX research showing that the redirect is a very jarring experience, and the success rate can be dramatically improved by moving to a popup flow.<br>

<br>
As far as I can tell, an independent popup window, with the address bar displayed, has the same characteristics with regards to phishing, as the full browser redirect. The popup window does not prevent OPs from deploying anti-phishing technologies, and I believe that the popup will drive more widespread usage of OpenID, which will also increase demand for anti-phishing solutions.<br>

<br>
thanks<br>
Allen<br>
<br>
<br>
Nash, Andrew wrote:<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
One of the ways that we have been able to reduce the incidence of<br>
successful account takeovers has been to drill into consumers that they<br>
should NEVER sign into an account on a domain that is not directly<br>
associated with the account provider. This is not perfect, but then none<br>
of the anti-phishing techniques are - it is why we have to spend so much<br>
money and utilize so many different strategies.<br>
<br>
As it reads, UI working group will be socializing the concept among<br>
users that it is perfectly fine to enter your authentication information<br>
at any site that pops up a frame asking for it. From an Internet trust<br>
perspective this is a REALLY BAD IDEA!<br>
<br>
OpenID is already criticized for its exposure to phishing and spoofing<br>
attacks. If this approach is taken in the way it seems to be described,<br>
we will pretty much ensure that no one that has medium to high value<br>
transactions or services will be interested in implementing OpenID.<br>
<br>
--Andrew<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general at openid.net" target="_blank">general at openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote>
<br>
</blockquote></div><br></div>
