[Opensim-dev] OpenID

Dr Scofield DrScofield at xyzzyxyzzy.net
Thu Mar 19 07:11:28 UTC 2009


Diva Canto wrote:
> There is nothing wrong with the mechanism and its roots. In fact, when I
> first read the spec I liked it a lot. But I hadn't used this until 2
> hours ago.
> 
> There is, potentially, a huge hole in the resulting system because it
> ignores how people interact with their computers. Did anyone make a
> serious study about how the normal people react to being phished on
> using OpenID? That sounds like a great project for one of my colleagues
> here at UCI...

I agree with you re the concern that normal users tend not to really check the
security status of a page. Most wouldn't even know how to do this properly: they
probably check whether there is the little padlock icon in the header, but
that's about it. Very few know that the padlock icon is just an indicator and
that one should check the certificate as well... and I've got to admit that it's
been a long time since I checked the certificate of amazon.com, etc. And even if
you do know how to check the certificate, what does it all mean?

A better approach would be OpenID coupled with an out-of-band channel that, for
example, utilizes your mobile phone (think OpenID + mTAN), but that would mean
that each authentication would cost a bit.

	DrS/dirk


-- 
dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab
SL: dr scofield ---- drscofield at xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/
RL: hud at zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
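Editor's added example (not part of the message above, and not OpenSim or OpenID project code): a stand-in OpenID-style provider that adds the out-of-band mTAN step Dirk proposes. The password check is the phishable factor; on success the provider generates a one-time TAN bound to the pending request, sends it over a simulated SMS channel with the relying party's realm in the text (so a user can notice a TAN for a site they did not mean to log in to), and only issues a signed positive assertion once the TAN is presented. The class names, the 120-second TAN lifetime, the three-attempt limit, the simplified return_to-within-realm check and the sample users are all assumptions made for this illustration; no wire format from the OpenID spec is implemented.

```python
"""Constructed illustration of an OpenID-style provider with a mobile TAN
second factor. Names, policy values and sample data are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingAuth:
    identity: str
    realm: str
    return_to: str
    tan: str
    issued_at: float
    attempts: int = 0


class SmsChannel:
    """Stand-in for an SMS gateway: records the messages it would deliver."""

    def __init__(self):
        self.sent = []  # list of (phone, text)

    def send(self, phone, text):
        self.sent.append((phone, text))


class TanProvider:
    TAN_TTL = 120       # seconds a TAN stays valid (assumed policy)
    MAX_ATTEMPTS = 3    # wrong guesses before the pending request is dropped

    def __init__(self, channel, users, clock=time.time):
        self.channel = channel
        self.users = users              # identity -> {"salt", "pw_hash", "phone"}
        self.clock = clock              # injectable for tests
        self.pending = {}               # request_id -> PendingAuth
        self.secret = secrets.token_bytes(32)   # key that signs positive assertions

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def checkid_setup(self, identity, password, realm, return_to):
        """Step 1: verify the password (the factor a phishing page can steal).
        On success issue a TAN over the phone channel. Returns a request id."""
        user = self.users.get(identity)
        if user is None:
            return None
        if not hmac.compare_digest(self.hash_password(password, user["salt"]), user["pw_hash"]):
            return None
        if not return_to.startswith(realm):     # simplified realm check (assumption)
            return None
        tan = f"{secrets.randbelow(10**6):06d}"
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = PendingAuth(identity, realm, return_to, tan, self.clock())
        # The message names the site being logged into, so a TAN requested by
        # a site the user never intended to sign in to stands out.
        self.channel.send(user["phone"],
                          f"TAN {tan} for login to {realm} - ignore if you did not request it.")
        return request_id

    def verify_tan(self, request_id, tan):
        """Step 2: the browser submits the TAN. Returns a signed positive
        assertion (dict) or None. TANs expire, are rate limited and single use."""
        pa = self.pending.get(request_id)
        if pa is None:
            return None
        if self.clock() - pa.issued_at > self.TAN_TTL:
            del self.pending[request_id]
            return None
        if not hmac.compare_digest(pa.tan, tan):
            pa.attempts += 1
            if pa.attempts >= self.MAX_ATTEMPTS:
                del self.pending[request_id]
            return None
        del self.pending[request_id]            # single use
        assertion = {"identity": pa.identity, "realm": pa.realm,
                     "return_to": pa.return_to, "nonce": secrets.token_hex(8)}
        assertion["sig"] = self._sign(assertion)
        return assertion

    def _sign(self, fields):
        msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields) if k != "sig").encode()
        return hmac.new(self.secret, msg, "sha256").hexdigest()

    def check_authentication(self, assertion):
        """What a relying party asks the provider before trusting an assertion."""
        return hmac.compare_digest(self._sign(assertion), assertion.get("sig", ""))


def make_user(password, phone):
    """Build a user record with a salted PBKDF2 password hash (sample data)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": TanProvider.hash_password(password, salt), "phone": phone}


if __name__ == "__main__":
    sms = SmsChannel()
    provider = TanProvider(sms, {"https://alice.example.net/": make_user("correct horse", "+41000000000")})
    rid = provider.checkid_setup("https://alice.example.net/", "correct horse",
                                 "https://rp.example.org/", "https://rp.example.org/cb")
    print("SMS delivered:", sms.sent[-1][1])
    tan = sms.sent[-1][1].split()[1]
    print("assertion:", provider.verify_tan(rid, tan))
```

A password captured by a fake login page is not enough on its own here: the attacker also needs the TAN, which goes to the phone rather than through the browser, and a user reading the SMS sees which realm asked for it. A phishing site that relays the login in real time and asks the victim to type the TAN into the fake page can still get through, which is why the message carries the realm and why the TAN is short-lived and single use.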
