<div dir="ltr">Most large providers, as I understand, are using risk based authentication and also offers two-step or two-factor authentication. <div>So, simply stealing password would not work: they are phishing resistant.</div><div>It looks more like a deployment issue than a protocol issue to me. </div><div>Correct me if I am wrong. <br><div><br></div><div>Man-in-the-browser attack is something else. It needs continuous or second channel authentication. This looks more interesting from a protocol point of view. </div><div><br></div><div>Nat</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-09-25 2:14 GMT+09:00 Chris Drake <span dir="ltr"><<a href="mailto:christopher@pobox.com" target="_blank">christopher@pobox.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<span style="font-family:'Calibri';font-size:12pt">Hi Nat,<br>
<br>
I remember back when the original OpenID was forming, and a bunch of my suggestions got shoved "out of scope"... which are now being brought back in to scope via OpenID Connect. It's cold comfort, but at least I get to brag "I told you so" after the fact:-)<br>
<br>
Scratch the surface of any megahack, and 9 times out of 10 it was caused by phishing. Personally, I don't see the point wasting effort on OpenID Connect when it's merely going to exacerbate what is already a crippling problem.<br>
<br>
There's a bunch of smart and experienced people on this list - they should put their heads together and use the power and knowledge present to fix what is reported at being behind 91% of the worlds security problems, most especially when OpenID users are significantly more vulnerable to these attacks, and at-risk once attacked. "Get it right" is better than "get it now" IMHO.<br>
<br>
Kind Regards,<br>
Chris Drake<div><div class="h5"><br>
<br>
<br>
Wednesday, September 24, 2014, 9:57:03 PM, you wrote:<br>
<br>
</div></div></span><div><div class="h5"><table>
<tbody><tr>
<td width="2" bgcolor="#0000ff"><br>
</td>
<td><span style="font-family:'calibri';font-size:12pt">The authentication mechanism itself is out of scope. <br>
You can, as an OP, select whatever the authentication mechanism you may want to use. <br>
OpenID Connect is concerned about transferring the information around the authentication event to another party. <br>
It is a federation protocol. <br>
<br>
Nat<br>
<br>
2014-09-25 1:17 GMT+09:00 Chris Drake <</span><a style="font-family:'calibri';font-size:12pt" href="mailto:christopher@pobox.com" target="_blank">christopher@pobox.com</a><span style="font-family:'calibri';font-size:12pt">>:<br>
Hi,<br>
<br>
Can anyone tell me if any kind of mutual-authentication or other kind of phishing-protection is present anywhere in the specs?<br>
<br>
Kind Regards,<br>
Chris Drake<br>
<br>
<br>
<br>
-- <br>
Nat Sakimura (=nat)<br>
Chairman, OpenID Foundation<br>
</span><a style="font-family:'calibri';font-size:12pt" href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
<span style="font-family:'calibri';font-size:12pt">@_nat_en</span></td>
</tr>
</tbody></table>
<br><br>
<br>
</div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>