Proposal: An anti-phishing compromise
Josh Hoyt
josh at janrain.com
Fri Feb 2 21:53:21 UTC 2007

On 2/2/07, john kemp <john.kemp at mac.com> wrote:
> Don't get me wrong - I think it's a good idea for the OP to make a
> statement about the authentication method used (although I would prefer
> it to say something like
> authn_method="urn:openid:2.0:aqe:method:password", rather than
> phishable="yes"). That points to AQE, as David mentioned already.

A browser plug-in, like sxipper, that uses a username and (a
generated, non-user-visible) password internally and will only submit
it to the correct OP can't be phished.

Is this a different kind of authentication than "password"? I don't
think so. Is it phishable? I think that the OP can reasonably say that
it is not. Therefore, I think that the authentication mechanism is (or
at least can be) independent from whether the authentication channel
is phishable.

Josh