[OpenID] OpenID's effect on CAPTCHA
Martin Atkins
mart at degeneration.co.uk
Thu Mar 26 18:16:52 UTC 2009
Rabbit wrote:
> This is more of a philosophical musing than a genuine concern but it
> occurred to me OpenID might have an impact on how Captcha systems are
> implemented. The signup process is typically the gate where we stop
> robots. I can almost positively say I've never had to prove my
> fleshiness to a login form.
>
> Services rely on OpenID to prove a user is *who* they claim to be.
> Should services also rely on OpenID to prove a user is *what* they claim
> to be? The cautious would say no but I thought the question was
> interesting. Should proving to Google that I am a human be good enough
> for an RP to believe it too? Is there an implied transitive property of
> trust that comes along with using some services as opposed to others?
>
As usual, compromise is the key here.
Some RPs have had success with whitelisting certain providers that they
know do effective CAPTCHAs on account creation, while retaining the
CAPTCHA for unrecognised providers.
Since most users come from one of the big providers, this provides an
optimized user experience to most users while retaining your security
and the ability for users to self-host or use a less common provider.
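
The provider whitelist described in the reply above, sketched as an added example that is not part of the original post: the RP skips its own CAPTCHA only when a verified assertion names an OP endpoint that matches the whitelist exactly. The provider hosts, paths and the `assertion_verified` flag are hypothetical placeholders; the endpoint is assumed to be the `openid.op_endpoint` value from the assertion, not the identifier the user typed.

```python
from urllib.parse import urlsplit

# Hypothetical whitelist: OP endpoints the RP has decided do effective
# CAPTCHAs on account creation. Placeholder hosts, not real providers.
TRUSTED_OP_ENDPOINTS = {
    ("bigprovider.example", "/openid/server"),
    ("other-op.example", "/op/auth"),
}


def canonical_endpoint(op_endpoint):
    """Return (host, path) for an https OP endpoint URL, or None if unusable."""
    try:
        parts = urlsplit(op_endpoint.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username or parts.password:
        # Reject userinfo such as https://bigprovider.example@other-host/
        return None
    if port not in (None, 443):
        return None
    host = parts.hostname.lower().rstrip(".")
    return host, parts.path or "/"


def captcha_required(op_endpoint, assertion_verified):
    """Decide whether the RP still shows its own CAPTCHA at signup.

    op_endpoint must come from an assertion whose signature the RP has
    already checked; an unverified value is never trusted.
    """
    if not assertion_verified:
        return True
    key = canonical_endpoint(op_endpoint)
    # Exact (host, path) match only: no substring or suffix matching,
    # so look-alike hosts fall through to the CAPTCHA path.
    return key is None or key not in TRUSTED_OP_ENDPOINTS
```

Self-hosted and less common providers are not rejected here; they simply get the CAPTCHA, as in the reply.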