Comments on: Phishing and OpenID

By: Steve Pepple

Steve Pepple — Wed, 13 Feb 2008 18:41:39 +0000

To try to solve the problem using two-factor authentication, a team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID,
TrustBearer OpenID.

We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features user will look for in this type of implementation.

With our OpenID, you basically just set-up a strong authentication device
and then link the device to your OpenID URL.

By: Acura

Acura — Sun, 07 Oct 2007 22:06:47 +0000

One thing in which i would have more confidence is to be logged into the OpenId provider before trying to access a site that supports OpenId.

By: Order phentermine online.

Order phentermine online. — Tue, 13 Mar 2007 10:33:21 +0000

Order phentermine online….

Order phentermine online….

By: The Undevelopment Blog » External Authentication and OTP

The Undevelopment Blog » External Authentication and OTP — Thu, 08 Feb 2007 13:17:50 +0000

[…] Well, it took a little longer than one day, but Scott finally got to publish Phishing and OpenID. Sadly, it only mentioned three non-solutions: […]

By: kveton

kveton — Wed, 24 Jan 2007 14:53:07 +0000

FYI - we’ve implemented two new features on MyOpenID that help fight phishing as per suggestions from the OpenID community.

By: kveton

kveton — Wed, 24 Jan 2007 06:37:52 +0000

Where can you not fill out your profile? MyOpenID.com? More than happy to help.

By: Kisakookoo

Kisakookoo — Tue, 23 Jan 2007 18:42:29 +0000

Hi! Why I can’t fill my info in profile? Can somebody help me?
My login is Kisakookoo!

By: Don Park

Don Park — Tue, 16 Jan 2007 22:32:33 +0000

If you guys are referring to BoA’s SiteKey which uses PassMark technology, cookies and other mechanisms are used to profile the client’s computer, network, and user for real-time risk analysis as well as offline risk analysis. Also, on-demand out-of-band authentication may kick in when risk gets too high. Overall, I think it’s an effective anti-phishing solution. But then I could be biased since I am one of the guys who built it.

Frankly, I think the best way to protect passwords from phishers is to hide the password from the user because you can’t lose what you don’t have.

By: thomasmaloney

thomasmaloney — Sat, 13 Jan 2007 17:54:50 +0000

I’m pretty sure the site seal is tied to cookies.

I setup the Yahoo! site seal in Firefox. When I went to login in Safari, the seal was not there. Once in Safari, I logged in, logged out, and when logging back in a second time the site seal was not there.

Going back to Firefox, I deleted the Yahoo! cookies while signed out. When signing in, the site seal was not there.

I’m not sure how I feel about that. I read somewhere that a lot of people delete cookies nowadays.

By: kveton

kveton — Sat, 13 Jan 2007 17:14:50 +0000

Thomas: actually the site seal is not tied to your username and password. Its a one-time setup between your computer and the identity provider. The attacker would have to have access to your machine or in the case of a non-SSL connection, do a MITM attack. Looking over the general OpenID list archives, folks are saying that the Yahoo! site seal has some Flash functionality … if you setup the site seal on Firefox its there on IE as well.