[OpenID] Password age and password reset

Breno de Medeiros breno at google.com
Wed May 13 16:03:38 UTC 2009


Let's give a concrete scenario:

1. RP detects malicious activity on the user's account at the OP.

2. In such cases, the RP would have asked the user to reset the
password. However, this user logs in via OpenID so the RP does not
have the choice.

3. The RP puts some messaging that the user should change their
password at the OP. However, because there is no standard to even
communicate which URL at the OP the user can change password, the
experience is broken. A lot of users don't know (without help
from the OP) how to change their passwords.

4. Users give up, or seek personal assistance.


On Tue, May 12, 2009 at 8:17 PM, Santosh Rajan <santrajan at gmail.com> wrote:
> Wouldn't it be better if the OP took complete responsibility of the user's
> security instead of bringing the RP into the loop? OP can decide based on
> the user's usage pattern how often he must change his password and post a
> recommendation to the user whenever he logs in.



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
