[OpenID] OpenID User Interface Working Group
Nash, Andrew
annash at paypal.com
Thu Mar 19 21:42:38 UTC 2009
I am concerned about the stated direction of this working group and have
voted against it.

I wanted to take a moment to explain the reasons why - especially as I
am sympathetic to the usability arguments that are utilized in these use
cases.

One of the most significant challenges to Internet identity and trust in
the Internet generally (particularly for ecommerce and financial
transactions) is identity theft. At the moment (ignoring the increasing
impact of drive-by download and malware attacks) the most significant
contribution is Phishing and Spoofing. Both eBay and PayPal expend
enormous amounts of money, energy and creativity to tackle these
problems and they directly contribute to our fraud/risk profile. From a
position where several years ago jointly our companies were the targets
of the majority of phishing attacks, we have dramatically reduced that
through a multi-layered program to address the issue. It is a hard
problem, and in many cases we are forced to rely on guidelines that are
as simple as possible for consumers (hundreds of millions of them).

One of the ways that we have been able to reduce the incidence of
successful account takeovers has been to drill into consumers that they
should NEVER sign into an account on a domain that is not directly
associated with the account provider. This is not perfect, but then none
of the anti-phishing techniques are - it is why we have to spend so much
money and utilize so many different strategies.

As it reads, the UI working group will be socializing the concept among
users that it is perfectly fine to enter your authentication information
at any site that pops up a frame asking for it. From an Internet trust
perspective this is a REALLY BAD IDEA!

OpenID is already criticized for its exposure to phishing and spoofing
attacks. If this approach is taken in the way it seems to be described,
we will pretty much ensure that no one who has medium to high value
transactions or services will be interested in implementing OpenID.

--Andrew