[OpenID] OpenID User Interface Working Group

Allen Tom atom at yahoo-inc.com
Fri Mar 20 02:07:04 UTC 2009 

Hi Andrew,

I am in total agreement with you that phishing is a huge problem, and 
the Yahoo Membership team (the same folks working on OpenID) devotes a 
considerable amount of resources to fight phishing, and well as trying 
to help users who have been phished.

We also put in a lot of effort to educate users about phishing, and we 
strongly encourage our users to setup a personalized anti-phishing 
Sign-in Seal, as well as to always check the address bar of the browser 
before entering their Yahoo credentials.

http://security.yahoo.com/article.html?aid=2006102503
https://protect.login.yahoo.com/
http://openid.yahoo.com/ (Click on the OpenID Tour link to learn about 
phishing and OpenID)

We are totally against the concept of allowing an RP to open a frame for 
the user to enter their OP's password. As you pointed out, the user 
would have no idea where the password is going, and this would be 
extremely insecure. Earlier versions of Facebook Connect used to 
demonstrate this behavior, and I'm very glad to see that Facebook has 
since moved the password validation into a standalone popup window, with 
the browser's addressbar clearly displayed.

One of Yahoo's primary security requirements with Federated SSO (OpenID, 
OAuth, BBAuth, SAML) is that the user is able to recognize the Yahoo 
Login screen. We do this by educating users to always check the address 
bar and to create a customized Sign-in Seal.  The UI Working Group 
believes that a popup authentication screen, in a standalone browser 
window (not framed) and with the address bar clearly displayed, 
providers users with the same ability to detect phishing compared to the 
existing full browser redirect user experience that is used by OpenID today.

 From a user experience perspective, eliminating the browser redirect 
maintains the context of the RP's site, which is the biggest complaint 
that we've received with BBAuth, OAuth, and OpenID.  Facebook, Yahoo, 
many others have UX research showing that the redirect is a very jarring 
experience, and the success rate can be dramatically improved by moving 
to a popup flow.

As far as I can tell, an independent popup window, with the address bar 
displayed, has the same characteristics with regards to phishing, as the 
full browser redirect. The popup window does not prevent OPs from 
deploying anti-phishing technologies, and I believe that the popup will 
drive more widespread usage of OpenID, which will also increase demand 
for anti-phishing solutions.

thanks
Allen


Nash, Andrew wrote:


> One of the ways that we have been able to reduce the incidence of
> successful account takeovers has been to drill into consumers that they
> should NEVER sign into an account on a domain that is not directly
> associated with the account provider. This is not perfect, but then none
> of the anti-phishing techniques are - it is why we have to spend so much
> money and utilize so many different strategies.
>
> As it reads, UI working group will be socializing the concept among
> users that it is perfectly fine to enter your authentication information
> at any site that pops up a frame asking for it. From an Internet trust
> perspective this is a REALLY BAD IDEA!
>
> OpenID is already criticized for its exposure to phishing and spoofing
> attacks. If this approach is taken in the way it seems to be described,
> we will pretty much ensure that no one that has medium to high value
> transactions or services will be interested in implementing OpenID.
>
> --Andrew
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>

More information about the general mailing list