<HTML>
<HEAD>
<TITLE>Re: [OpenID] Password age and password reset</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>If Gmail or Yahoo is an OpenID provider, and also an email provider, then resetting the password (and sending an email) does the same thing. The attacker will know they’ve been detected because the account will stop working.<BR>
<BR>
The question is, what should the RP do when it detects a compromised account? Today, the most common response is to reset the user’s password, and then perhaps require some additional security measures when they come back. With OpenID, there’s no way for the RP to know that the OP is controlled by the same user.<BR>
<BR>
This whole thing was prompted because Facebook is working to become a relying party. As part of that, we would like to be able to get this extra information. Otherwise, we are forced to have a more draconian policy – if the user’s account is compromised, then disable all OpenID logins until the user does something out of band to convince us that they control their provider. That’s pretty awkward.<BR>
<BR>
Publishing the account management link is useful – it lets the RP send the user to the OP to change their password if they like. But it doesn’t close the loop – there’s still no way for the RP to know whether the user has actually confirmed their account.<BR>
<BR>
<BR>
On 5/13/09 12:46 PM, "Allen Tom" <<a href="atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>That's why I don't quite understand this proposal. If the RP detects<BR>
that the account is possibly compromised, telling the user to change<BR>
their password is very likely the same thing as informing the attacker<BR>
that he's been detected. Since the attacker has the password, he might<BR>
as well change the password (and the account recovery data) to lock out<BR>
the original user.<BR>
<BR>
At any rate, having the OP publish its "Account Management" link seems<BR>
to be a useful thing. For RPs that want give the user to also sign out<BR>
of the OP when the user signs out of the RP could also benefit from<BR>
having the OP publish its Logout link as well.<BR>
<BR>
Allen<BR>
<BR>
<BR>
George Fletcher wrote:<BR>
> The key is that as an RP, you have to be able to shut down "bad<BR>
> accounts" and if that account is an OpenID (or any other federated<BR>
> identity), then there is no way for the user (good or other wise) to<BR>
> reset things. They are locked out completely. Hence, in order to<BR>
> enable a good experience for users, the RP would like the OP to do<BR>
> something to prove the user is really "good" before the RP will let<BR>
> them back in. This does of course not protect against the attacker<BR>
> going through the hoops to prove the attacker is "good", but I'd say<BR>
> that's out of scope for this proposal.<BR>
><BR>
> Thanks,<BR>
> George<BR>
><BR>
> Andrew Arnott wrote:<BR>
>> Hi Breno,<BR>
>><BR>
>> But if the RP detects malicious activity, why would it ask the OP to<BR>
>> have the user change their password? Isn't it too late by then, and<BR>
>> wouldn't it be asking the malicious user to reset the password, thus<BR>
>> locking out the real user?<BR>
>><BR>
>> Also, some OPs don't even use passwords to authenticate their users,<BR>
>> so whatever we come up with, the extension should be able to behave<BR>
>> reasonably in that case.<BR>
>> --<BR>
>> Andrew Arnott<BR>
>> "I [may] not agree with what you have to say, but I'll defend to the<BR>
>> death your right to say it." - Voltaire<BR>
>><BR>
>><BR>
>> On Wed, May 13, 2009 at 9:03 AM, Breno de Medeiros <<a href="breno@google.com">breno@google.com</a><BR>
>> <<a href="mailto:breno@google.com>">mailto:breno@google.com></a>> wrote:<BR>
>><BR>
>> Let's give a concrete scenario:<BR>
>><BR>
>> 1. RP detects malicious activity on the user's account at the OP.<BR>
>><BR>
>> 2. In such cases, the RP would have asked the user to reset the<BR>
>> password. However, this user logs in via OpenID so the RP does not<BR>
>> have the choice.<BR>
>><BR>
>> 3. The RP puts some messaging that the user should change their<BR>
>> password at the OP. However, because there is no standard to even<BR>
>> communicate which URL at the OP the user can change password, the<BR>
>> experience is broken. A lot of users either don't know (without help<BR>
>> from the OP) how to change their passwords.<BR>
>><BR>
>> 4. Users give up, or seek personal assistance.<BR>
>><BR>
>><BR>
>> On Tue, May 12, 2009 at 8:17 PM, Santosh Rajan<BR>
>> <<a href="santrajan@gmail.com">santrajan@gmail.com</a> <<a href="mailto:santrajan@gmail.com>">mailto:santrajan@gmail.com></a>> wrote:<BR>
>> > Wouldnt it be better if the OP took complete responsibility of<BR>
>> the users<BR>
>> > security instead of bringing the RP into the loop? OP can decide<BR>
>> based on<BR>
>> > the users usage pattern how often he must change his password<BR>
>> and post a<BR>
>> > recommendation to the user whenever he logs in.<BR>
>><BR>
>><BR>
>><BR>
>> --<BR>
>> --Breno<BR>
>><BR>
>> +1 (650) 214-1007 desk<BR>
>> +1 (408) 212-0135 (Grand Central)<BR>
>> MTV-41-3 : 383-A<BR>
>> PST (GMT-8) / PDT(GMT-7)<BR>
>> _______________________________________________<BR>
>> general mailing list<BR>
>> <a href="general@openid.net">general@openid.net</a> <<a href="mailto:general@openid.net">mailto:general@openid.net</a>><BR>
>> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
>><BR>
>><BR>
>> ------------------------------------------------------------------------<BR>
>><BR>
>> _______________________________________________<BR>
>> general mailing list<BR>
>> <a href="general@openid.net">general@openid.net</a><BR>
>> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
>> <BR>
> _______________________________________________<BR>
> general mailing list<BR>
> <a href="general@openid.net">general@openid.net</a><BR>
> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
<BR>
_______________________________________________<BR>
general mailing list<BR>
<a href="general@openid.net">general@openid.net</a><BR>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>