MyOpenID: New anti-phishing tools available

There have been some intense discussions going on over on the OpenID general and security lists over the past week or so. Some great suggestions have been made about how to better secure users against phishing and we have just implemented a couple of them on MyOpenID.com.

personal-icon-screen.png
  • Personal Icon: A Personal Icon is a picture that you can specify that is presented to you in the title bar of MyOpenID every time you visit the site. The image is shown based on a cookie that is not tied to your account. This aids in fighting phishing as you’ll get used to seeing the same picture at the top of the page every time you sign in. If you don’t see it, then something might be up. Carl worked on this feature for us over the last few days and it employs several of the techniques discussed on the list to make it happen. You can see the picture next to this text that shows my Personal Icon which is a picture of my son Živio in the bathtub.
  • SafeSignIn: The SafeSignIn feature was inspired by Simon Willison and was implemented by Mike on our Identity Provider team. SafeSignIn is an option on the settings page that prevents you from being redirected to MyOpenID.com to enter a password. If you are redirected to MyOpenID.com from another site, you are presented with the dialog you see below, prompting you to either use a bookmark or enter the address in your browser's location bar. This is an optional feature, but we highly recommend you enable it.
picture-2.png
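A sketch of the SafeSignIn decision on the provider side, added here as an illustration and not MyOpenID's own code. It assumes the provider reads the claimed identity from the standard `openid.identity` parameter of an OpenID 1.1 `checkid_setup` request; the host names, the settings table and the page names are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed settings table (assumption): identity URL -> SafeSignIn enabled.
SAFE_SIGNIN = {
    "https://alice.provider.example/": True,
    "https://bob.provider.example/": False,
}


def decide_page(request_url, session_identity, safe_signin=SAFE_SIGNIN):
    """Pick the page a provider renders for an incoming request.

    session_identity is the identity URL of the signed-in user, or None.
    Page names returned here are hypothetical labels, not real templates.
    """
    params = parse_qs(urlparse(request_url).query)
    mode = params.get("openid.mode", [None])[0]
    identity = params.get("openid.identity", [None])[0]

    if mode != "checkid_setup":
        # Direct visit (bookmark or typed address): the only path on which
        # a SafeSignIn user is ever asked for a password.
        return "account_home" if session_identity else "password_form"

    if session_identity is not None:
        # Already signed in: the relying-party request can be approved or
        # rejected without a password prompt.
        if session_identity == identity:
            return "approve_request"
        return "identity_mismatch"

    if safe_signin.get(identity, False):
        # Arrived via redirect, not signed in, SafeSignIn on: never show a
        # password field; tell the user to come back via a bookmark.
        return "safe_signin_notice"

    return "password_form"


# Constructed sample request, as a relying party would redirect it.
SAMPLE = (
    "https://provider.example/server?openid.mode=checkid_setup"
    "&openid.identity=https%3A%2F%2Falice.provider.example%2F"
    "&openid.return_to=https%3A%2F%2Frp.example%2Freturn"
)

if __name__ == "__main__":
    print(decide_page(SAMPLE, None))
```

The server-side check only controls what the real provider shows; the protection comes from the user learning that a password prompt reached through a redirect is never legitimate.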

While discussion on the OpenID specification continues to happen, we wanted to make sure we had the tools our users would need to protect themselves against phishing in the meantime.

We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there every day. You will more likely know when something is wrong. The Personal Icon and SafeSignIn tools help give you a clear indication when something might be up. The ability to fight phishing from one place really well could actually become a huge driver for OpenID; I know the place I always enter my password every single day. Asking users to deal with several layers of anti-phishing technology on every site they visit isn’t very realistic. These types of tools, coupled with OpenID, allow you to have the layers of security while giving you the ease of access to the sites you want to visit.

We still don’t have a complete answer to phishing, but with the continuing work of the OpenID community, we just might get closer to one.

If you’d like to take advantage of these features for your OpenID-enabled site or your own personal domain, you might want to check out our affiliate program or read up on how to delegate from your own domain.

About The Author

kveton

Author's web site: http://kveton.myvidoop.com

24th January 2007

6 Comments

  1.

    (Testing my first openid login, sorry for the spam, Scott :)

  2.

    Woot. :) Thanks for all the hard work, Scott- this looks like it’ll save a lot of us a lot of hassle in the future.

  3.

    I’m just the guy that does the blog posts … :-) … it’s the team of dedicated developers here at JanRain that is doing the hard work … glad it worked for you!

  4.

    Well, pass on the congrats to them, then. I’m sure they’ve been hearing a lot of it, of course.

  5.

    Nice one. It’s especially good to see how quickly the MyOpenID folk reacted to the phishing concerns.

    Also, that’s a good point you made about OpenID being vulnerable to phishing, but also having a certain degree of protection built in thanks to user familiarity with their login page.

  6.

    I’ve put up proof of concept code which validates against IP instead of using passwords so there is no opportunity to phish.

    See http://digitalconsumption.com/forum/A-simple-solution-to-OpenID-phishing-attacks

