[OpenID] Automatic login with checkid_immediate
Andrew Arnott
andrewarnott at gmail.com
Wed May 20 18:31:33 UTC 2009
This auto-login aggravates the need for a single-signout. If RPs start to
auto-login their users, then it's no longer even a matter of "I log out of
every site I log into before I leave the terminal". Now it's "I log out of
my OP *first*, then I revisit *every* site I've merely visited (whether or
not I explicitly logged in during this session) on this terminal and make
sure I'm explicitly logged out of it before leaving". That's an
*awful* user story.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Wed, May 20, 2009 at 9:36 AM, Chris Messina <chris.messina at gmail.com> wrote:
> On Wed, May 20, 2009 at 9:28 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
>
>> If you're signed in to your Gmail account and you use your Gmail account
>>> as your OpenID, why wouldn't you want to automatically be signed in to all
>>> the sites that you've linked your Gmail identity to (that's rhetorical - I
>>> can think of reasons too)?
>>>
>>
>> The only one occurring to me is privacy. From a security perspective, if
>> various RP's will accept OpenID logins from the terminal you're at as having
>> your Google identity, without Google requiring further verification from the
>> user at this terminal (only PRESUMED to be you), there is no difference
>> between being logged out of a given RP and being logged back in - because
>> you still CAN log back in, or anyone with access to the same terminal can,
>> without any further verification.
>
>
> Two responses:
>
> 1. most OPs allow you to specify something like "Remember this decision" —
> which means that you don't want to be asked the next time that RP tries to
> sign you in again. This keeps this flow in your control (as
> checkid_immediate would fail).
> 2. Since you must manually associate or link your accounts, you shouldn't
> do so if you don't want the automatic sign in behavior. In other words,
> unless you've already linked your Google and Facebook account, you won't get
> the benefit of automatic sign in, so you do so intentionally.
>
> There does appear to be a need to better specify, from a user experience
> and language perspective, how to handle the "public terminal" (what I call
> the "Apple store situation") case, where the browser session might be shared
> or accessed by other people.
> Still, that's largely covered by links that say things like "Not [other
> person's name]? Sign in as a different user."
>
> This doesn't prevent someone from accessing your account or pretending to be
> you, but if someone wants to hack in to your account, they'll figure it out
> somehow — leaving yourself signed in accidentally is probably more of an
> annoyance for someone else that wants to access her account than a real
> security issue that can be addressed technologically (besides having best
> practices around time out and stuff like that).
>
> Chris
>
> --
> Chris Messina
> Open Web Advocate
>
> factoryjoe.com // diso-project.org // openid.net
> This email is: [ ] bloggable [X] ask first [ ] private
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
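The exchange the thread is arguing about, as an added example that is not code from the original posts or from any OP or RP implementation: a constructed model of an OpenID 2.0 OP that answers checkid_immediate with a signed id_res only when the browser has an OP session *and* the user has chosen "Remember this decision" for that realm, and otherwise returns setup_needed; and an RP that tries that on every visit. The scenario at the end walks the shared-terminal case Andrew describes. The host names, identifier, association handle, shared MAC key and nonce values are all assumptions; the association is stored directly instead of being negotiated with Diffie-Hellman, and return_to is just the realm plus "finish".

```python
"""Constructed model of the OpenID 2.0 checkid_immediate flow (not any real OP/RP code)."""
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"


def kv_sign(secret, fields, signed_keys):
    """OpenID 2.0 signature: HMAC (HMAC-SHA256 association type) over the Key-Value
    form of the signed fields, in the order given by openid.signed, keys without 'openid.'."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()


class OpenIDProvider:
    """Hypothetical OP: browser sessions, remembered approvals, associations."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.sessions = {}       # browser cookie -> identifier of the logged-in user
        self.remembered = set()  # (identifier, realm) approved with "Remember this decision"
        self.associations = {}   # assoc_handle -> shared MAC key
        self._nonce = 0

    def login(self, browser, identifier):
        self.sessions[browser] = identifier

    def logout(self, browser):
        self.sessions.pop(browser, None)

    def remember_decision(self, identifier, realm):
        self.remembered.add((identifier, realm))

    def associate(self, handle, secret):
        self.associations[handle] = secret

    def checkid_immediate(self, browser, request):
        """No user interaction allowed: id_res only if an OP session exists for this
        browser and the user already approved this realm; otherwise setup_needed."""
        assert request["openid.mode"] == "checkid_immediate"
        identifier = self.sessions.get(browser)
        if identifier is None or (identifier, request["openid.realm"]) not in self.remembered:
            return {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}
        self._nonce += 1
        fields = {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": identifier,
            "openid.identity": identifier,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": f"2009-05-20T18:31:33Z{self._nonce}",  # constructed value
            "openid.assoc_handle": request["openid.assoc_handle"],
        }
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        fields["openid.signed"] = ",".join(signed)
        fields["openid.sig"] = kv_sign(self.associations[fields["openid.assoc_handle"]], fields, signed)
        return fields


class RelyingParty:
    """Hypothetical RP that attempts checkid_immediate auto-login on every visit."""

    def __init__(self, realm, op, handle="assoc-constructed", secret=b"constructed-shared-mac-key"):
        self.realm, self.op, self.handle, self.secret = realm, op, handle, secret
        self.sessions = {}        # browser cookie -> identifier; independent of the OP session
        self.seen_nonces = set()  # replay protection
        op.associate(handle, secret)  # stands in for the Diffie-Hellman association step

    def verify(self, response):
        if response.get("openid.mode") != "id_res" or response.get("openid.assoc_handle") != self.handle:
            return False
        signed = response["openid.signed"].split(",")
        if any(k not in signed for k in ("op_endpoint", "return_to", "response_nonce",
                                         "assoc_handle", "claimed_id", "identity")):
            return False
        if not hmac.compare_digest(kv_sign(self.secret, response, signed), response["openid.sig"]):
            return False
        if response["openid.response_nonce"] in self.seen_nonces:
            return False
        self.seen_nonces.add(response["openid.response_nonce"])
        return response["openid.return_to"] == self.realm + "finish"

    def try_auto_login(self, browser):
        request = {
            "openid.ns": OPENID_NS, "openid.mode": "checkid_immediate",
            "openid.claimed_id": OPENID_NS + "/identifier_select",
            "openid.identity": OPENID_NS + "/identifier_select",
            "openid.realm": self.realm, "openid.return_to": self.realm + "finish",
            "openid.assoc_handle": self.handle,
        }
        response = self.op.checkid_immediate(browser, request)
        if not self.verify(response):
            return None  # setup_needed or bad assertion: show an explicit sign-in link instead
        self.sessions[browser] = response["openid.claimed_id"]
        return self.sessions[browser]

    def is_logged_in(self, browser):
        return browser in self.sessions

    def logout(self, browser):
        self.sessions.pop(browser, None)


def scenario():
    """One shared browser, one OP, one auto-login RP. Returns the observed outcomes in order."""
    op = OpenIDProvider("https://op.example/auth")  # assumed endpoint
    rp = RelyingParty("https://rp.example/", op)    # assumed realm
    alice = "https://op.example/alice"              # assumed identifier
    browser, out = "cookie-on-shared-terminal", []
    out.append(("no OP session", rp.try_auto_login(browser)))
    op.login(browser, alice)
    out.append(("OP session, decision not remembered", rp.try_auto_login(browser)))
    op.remember_decision(alice, rp.realm)
    out.append(("OP session, decision remembered", rp.try_auto_login(browser)))
    rp.logout(browser)  # logging out of the RP alone changes nothing on the next visit
    out.append(("RP logout, OP still logged in", rp.try_auto_login(browser)))
    op.logout(browser)  # logging out of the OP stops new assertions but not existing RP sessions
    out.append(("OP logout, RP session still live", rp.is_logged_in(browser)))
    out.append(("OP logout, new immediate attempt", rp.try_auto_login(browser)))
    return out
```

Running scenario() shows both halves of the argument: while the OP session and the remembered decision exist, logging out of the RP is undone by the next checkid_immediate, and logging out of the OP afterwards leaves the already-established RP session alive, which is why the user has to log out of the OP first and then revisit every RP.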