[OpenID] Automatic login with checkid_immediate

Chris Messina chris.messina at gmail.com
Wed May 20 16:36:57 UTC 2009


On Wed, May 20, 2009 at 9:28 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

>> If you're signed in to your Gmail account and you use your Gmail account as
>> your OpenID, why wouldn't you want to automatically be signed in to all the
>> sites that you've linked your Gmail identity to (that's rhetorical - I can
>> think of reasons too)?
>
> The only one occurring to me is privacy. From a security perspective, if
> various RP's will accept OpenID logins from the terminal you're at as having
> your Google identity, without Google requiring further verification from the
> user at this terminal (only PRESUMED to be you), there is no difference
> between being logged out of a given RP and being logged back in - because
> you still CAN log back in, or anyone with access to the same terminal can,
> without any further verification.


Two responses:

1. Most OPs allow you to specify something like "Remember this decision" —
which means that you don't want to be asked the next time that RP tries to
sign you in again. This keeps this flow in your control (as
checkid_immediate would fail).
2. Since you must manually associate or link your accounts, you shouldn't do
so if you don't want the automatic sign in behavior. In other words, unless
you've already linked your Google and Facebook account, you won't get the
benefit of automatic sign in, so you do so intentionally.

There does appear to be a need to better specify, from a user experience and
language perspective, how to handle the "public terminal" (what I call the
"Apple store situation") case, where the browser session might be shared or
accessed by other people.
Still, that's largely covered by links that say things like "Not [other
person's name]? Sign in as a different user."

This doesn't prevent someone from accessing your account or pretending to be
you, but if someone wants to hack in to your account, they'll figure it out
somehow — leaving yourself signed in accidentally is probably more of an
annoyance for someone else that wants to access her account than a real
security issue that can be addressed technologically (besides having best
practices around time out and stuff like that).

Chris

-- 
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net
This email is:   [ ] bloggable    [X] ask first   [ ] private
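The two points above (a remembered "Remember this decision" per RP, and the OP session itself, including an idle timeout for the shared-terminal case) can be shown as the decision an OP makes when it receives a checkid_immediate request. The following is an added illustration written for this post, not code from any OP implementation or from the OpenID libraries; the session structure, the `IDLE_TIMEOUT_SECONDS` value, the `remembered_realms` set and the loose realm check are assumptions. The mode values `checkid_immediate`, `setup_needed` and `id_res` are the OpenID 2.0 ones; the `reason` key is only for the reader.

```python
"""Constructed OP-side decision for an OpenID 2.0 checkid_immediate request.

Automatic sign-in is only granted when all three hold:
  1. the user has a live session at the OP (not idle past the timeout),
  2. the user previously chose "Remember this decision" for this realm,
  3. the RP's return_to actually lives inside the realm it claims.
Otherwise the OP answers setup_needed and the RP has to fall back to
checkid_setup, where the user is asked interactively.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlparse

IDLE_TIMEOUT_SECONDS = 30 * 60  # assumed OP policy: 30 minutes of inactivity


@dataclass
class OPSession:
    claimed_id: Optional[str]              # None means nobody is signed in at the OP
    last_activity: float                   # epoch seconds of the last user action
    remembered_realms: Set[str] = field(default_factory=set)  # "Remember this decision"


def realm_matches(realm: str, return_to: str) -> bool:
    """Assumed loose realm check: same scheme and host, return_to path under realm path."""
    r, t = urlparse(realm), urlparse(return_to)
    return (
        r.scheme == t.scheme
        and r.hostname is not None
        and r.hostname == t.hostname
        and t.path.startswith(r.path or "/")
    )


def decide_immediate(session: OPSession, realm: str, return_to: str, now: float) -> Dict[str, str]:
    """Return the response fields the OP would send for a checkid_immediate request."""
    # A return_to outside the stated realm never gets an automatic assertion.
    if not realm_matches(realm, return_to):
        return {"openid.mode": "setup_needed", "reason": "return_to outside realm"}
    # No signed-in user, or the session went idle (the public-terminal case).
    if session.claimed_id is None or now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        return {"openid.mode": "setup_needed", "reason": "no live OP session"}
    # The user never ticked "Remember this decision" for this RP: ask interactively.
    if realm not in session.remembered_realms:
        return {"openid.mode": "setup_needed", "reason": "decision not remembered for this RP"}
    return {
        "openid.mode": "id_res",
        "openid.claimed_id": session.claimed_id,
        "openid.return_to": return_to,
    }


if __name__ == "__main__":
    # Constructed sample session: alice is signed in and has remembered one RP.
    alice = OPSession("https://op.example.net/alice", last_activity=1000.0,
                      remembered_realms={"https://rp.example.org/"})
    print(decide_immediate(alice, "https://rp.example.org/",
                           "https://rp.example.org/openid/finish", now=1100.0))
    print(decide_immediate(alice, "https://rp.example.org/",
                           "https://rp.example.org/openid/finish", now=1000.0 + 1801))
```

The last two calls in the usage block show the two outcomes the thread discusses: the remembered RP is signed in silently while the session is fresh, and the same request yields `setup_needed` once the OP session has gone idle, which is the "time out" practice mentioned at the end of the post.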