Archive for the ‘Phishing’ Category

MyOpenID: New anti-phishing tools available

There have been some intense discussions going on over on the OpenID general and security lists over the past week or so. Some great suggestions have been made about how to better secure users against phishing and we have just implemented a couple of them on MyOpenID.com.

[Image: personal-icon-screen.png, screenshot of the Personal Icon shown in the MyOpenID title bar]
  • Personal Icon: A Personal Icon is a picture that you can specify that is presented to you in the title bar of MyOpenID every time you visit the site. The image is shown based on a cookie that is not tied to your account. This aids in fighting phishing as you’ll get used to seeing the same picture at the top of the page every time you sign in. If you don’t see it, then something might be up. Carl worked on this feature for us over the last few days and it employs several of the techniques discussed on the list to make it happen. You can see the picture next to this text that shows my Personal Icon which is a picture of my son Živio in the bathtub.
  • SafeSignIn: The SafeSignIn feature was inspired by Simon Willison and was implemented by Mike on our Identity Provider team. SafeSignIn is an option that users can set on their settings page so that you cannot be redirected to MyOpenID.com to enter a password. If you are redirected to MyOpenID.com from another site, you are presented with the dialog you see below, prompting you to either use a bookmark or type the address into your browser's location bar. This is an optional feature, but we highly recommend you enable it.
[Image: picture-2.png, screenshot of the SafeSignIn dialog shown on a redirected visit]
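To make the two mechanisms above concrete, here is an added example (not MyOpenID's own code) of how an identity provider can implement them: the Personal Icon is keyed by an opaque random cookie that is never linked to an account record, and SafeSignIn refuses to show a password field when the request carries OpenID checkid parameters (i.e. a relying party redirected the browser here). Requests and responses are plain dicts so it runs offline; the cookie name, the placeholder domain idp.example, the identifier layout https://<username>.idp.example/ and the sample accounts are all assumptions made for this example.

```python
"""Model of the Personal Icon and SafeSignIn controls described above.

Added example, not MyOpenID's own code. Requests and responses are plain dicts
so it runs offline; the cookie name, the placeholder domain idp.example and the
sample accounts are all constructed for this example.
"""
from __future__ import annotations

import secrets
from typing import Optional
from urllib.parse import urlparse

IDP_DOMAIN = "idp.example"   # placeholder for the provider's domain
ICON_COOKIE = "pi_token"     # hypothetical cookie name

# Opaque random token -> icon file. Nothing here points at an account, which is
# the property the post describes: the icon follows the browser, not the user.
ICON_BY_TOKEN: dict[str, str] = {}

# Constructed sample accounts with their SafeSignIn setting.
ACCOUNTS: dict[str, dict[str, bool]] = {
    "brian": {"safe_sign_in": True},
    "alice": {"safe_sign_in": False},
}


def choose_personal_icon(icon_name: str) -> tuple[str, str]:
    """User picks an icon on a direct visit. Mint a random token, remember the
    mapping server-side and return (cookie name, value) for a Set-Cookie header
    (send it with Secure, HttpOnly and SameSite in a real response)."""
    token = secrets.token_urlsafe(16)
    ICON_BY_TOKEN[token] = icon_name
    return ICON_COOKIE, token


def personal_icon_for(cookies: dict[str, str]) -> Optional[str]:
    """Icon to draw in the title bar, or None if this browser never chose one.
    A phishing page on another host cannot read this cookie, so it cannot
    reproduce the picture; its absence is the user's cue."""
    return ICON_BY_TOKEN.get(cookies.get(ICON_COOKIE, ""))


def is_rp_redirect(query: dict[str, str]) -> bool:
    """True when the request carries OpenID checkid parameters, i.e. a relying
    party sent the browser here rather than the user typing the address or
    using a bookmark."""
    return query.get("openid.mode") in ("checkid_setup", "checkid_immediate")


def account_from_identity(identity_url: Optional[str]) -> Optional[str]:
    """Map a claimed identifier to a local account. Assumption for this example:
    identifiers look like https://<username>.idp.example/."""
    if not identity_url:
        return None
    host = urlparse(identity_url).hostname or ""
    label, sep, rest = host.partition(".")
    return label if sep and rest == IDP_DOMAIN and label in ACCOUNTS else None


def login_page(query: dict[str, str], cookies: dict[str, str]) -> dict:
    """Decide what the sign-in page shows; the dict stands in for the rendered
    response. SafeSignIn users never get a password field on a redirected
    visit, only the 'use your bookmark' dialog."""
    icon = personal_icon_for(cookies)
    user = account_from_identity(query.get("openid.identity"))
    safe = user is not None and ACCOUNTS[user]["safe_sign_in"]
    if is_rp_redirect(query) and safe:
        return {"view": "use_bookmark", "icon": icon, "password_field": False}
    return {"view": "password_form", "icon": icon, "password_field": True}


if __name__ == "__main__":
    name, token = choose_personal_icon("bathtub.png")
    print(login_page({}, {name: token}))                       # direct visit
    print(login_page({"openid.mode": "checkid_setup",          # RP redirect
                      "openid.identity": "https://brian.idp.example/"}, {}))
```

The design point worth noticing is that the icon lookup and the account lookup are independent: a request can show the right icon without any account being known (direct visit), and a redirected visit for a SafeSignIn account is turned away before the password form is ever rendered, regardless of what cookies it carries.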

While discussion on the OpenID specification continues, we wanted to make sure we had the tools our users would need to protect themselves against phishing in the meantime.

We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there every day. You will more likely know when something is wrong. The Personal Icon and SafeSignIn tools help give you a clear indication when something might be up. The ability to fight phishing from one place really well could actually become a huge driver for OpenID; I know the place I always enter my password every single day. Asking users to deal with several layers of anti-phishing technology on every site they visit isn’t very realistic. These types of tools, coupled with OpenID, allow you to have the layers of security while giving you the ease of access to the sites you want to visit.

We still don’t have a complete answer to phishing yet but with the continuing work of the OpenID community, we just might get closer to one.

If you’d like to take advantage of these features for your OpenID enabled site or your own personal domain, you might want to check out our affiliate program or read up on how to delegate from your own domain.

24th January 2007

OpenID 2.0 and Phishing

There has been a bunch of discussion about OpenID 2.0 and how the latest draft does not address phishing at all.

First and foremost: phishing is an extremely important problem and one that is more than just OpenID-related. It just so happens that OpenID really exacerbates the problem because if you phish someone’s OpenID you could potentially have access to all of the sites they log in to. I couldn’t agree more.

Alright, so let’s step back for a moment and ask ourselves: why hasn’t phishing been solved before this? It’s been a huge problem for folks like PayPal and eBay. I think the main reason is that the problem is compartmentalized. Today, you might get one account (albeit a very important account) phished, but it’s just that one account you have to deal with. As such, no real definitive solutions have come up to completely (or mostly completely) solve the problem.

Enter OpenID 2.0. OpenID 2.0 is the culmination of lots of technology, ideas and people from many different schools of thought on identity. With pieces of Sxip, LID, XRI and others involved, we have a unique solution that is quickly gaining market and mind share. What’s really interesting is the firestorm that this has kicked up on the mailing list about phishing. Wow! This is fantastic! People are actually devoting some serious attention to phishing and proposing some excellent solutions to it. If anything, the OpenID discussion might help move the phishing discussion (and thus OpenID) forward.

We’ve got the proposal for Petnames/Passpet, SRP, the creation of an identity manager, the use of InfoCards with OpenID and a raft of others. This is great. The conversation is happening and solutions are being worked on. Wow. Talk about cool.

What’s most interesting to me is the nature of OpenID and why it’s succeeding. OpenID is the HTML to the world’s SGML identity solutions. Yes, SGML was infinitely superior to HTML, but it was HTML that “won” out. Simple works, and not only that, simple wins. The barrier to adoption has to be low, and the ability for the technology to proliferate from a bottom-up standpoint is critical for the success of a technology like OpenID.

I was going to write more on this but when I found Gabe Wachob’s post I just stopped and realized it couldn’t be said any better:

No, OpenID doesn’t solve all problems, and maybe today it only solves a very narrow set of problems with an acceptable risk profile. But to me, that’s not the point – it’s the unleashing of creativity and the power to let developers and architects focus on what they are interested in and good at. Security and identity nuts can focus on authentication and let the social networking, wiki-touting, web 2.0-heads do what they do best! OpenID is an abstraction, a key middle ground for these folks to meet and leverage each other’s work – that OpenID is deployed for use in a fairly narrow set of use cases TODAY should not mean that it will not be very important in the very near future…

Gabe is dead on … OpenID makes the problem of phishing that much more important … the people on the general list and all of the great discussion in this space are leading to a solution. This is a solution that might not have been possible were it not for OpenID. If done correctly, the technologies and methods adopted by OpenID providers could be a significant driver of the technology.

21st January 2007

Phishing and OpenID

Note: with IIW starting today, I thought it would be fitting to talk about phishing and hopefully also convene a session on this over the next couple of days. This is a big problem for us in this space and something we’re going to need to find a solution for.

The second most common request from potential adoptees of OpenID (right behind having a solution to the potential spam bot problem) is: what is the answer for dealing with phishing of OpenIDs?

Phishing to me is one of those “The Internet Sucks ™” problems (another example is how easily DNS can be spoofed – yes, it’s a bummer, but how do you *really* fix it?). However, I believe there are a few things we can do with OpenID to help alleviate the problem. After all, with one username and one password for all of the sites you visit in one place, the stakes are much higher.

The one thing we have going for us with OpenID as it relates to phishing is that users will be developing a stronger relationship with the one site at which they enter their password. If there is even the slightest problem, it will be more obvious to the user because they go to their identity provider so often. Users are getting more and more sophisticated, and the early adopter crowd is extremely savvy when it comes to phishing. However, this isn’t good enough.

There are a couple of approaches you can take to deal with phishing:

  • Personalized site seal: Yahoo! has recently launched a service that allows users to put a personal image that they have chosen on their login page. If the user is directed to a phishing page that doesn’t have that picture on it, the user will realize it immediately and hopefully not enter their credentials. I’m not sure what they have done to make sure you can’t scrape that image from the user’s login page, but I think this is to help stop “general” phishing pages. We’ll be implementing personalized site seal functionality in our OpenID identity provider soon.
  • Two-factor authentication: What about having more than just a username and password? For example, a user would enter both a username and password, authenticate, and then enter some other data such as the answer to a secret question or the contents of an SMS message. The phishing site might get your username and password, but they won’t know your secret question. Feasibly, however, they could directly “log you in automatically” to your identity provider and then scrape the question, but this too would be quite difficult, although unfortunately not impossible.
  • Browser extension/plugin: My least favorite of the solutions is to use an extension or plugin on the client to help verify the user’s identity provider. When installed, the user would enter where their identity provider is. If the user is presented with a username/password field that is not at their identity provider, it would change the chrome to red on the browser or bring up an annoying popup (it has to be annoying to be effective). Andy Dale has a great Firefox extension for doing this for OpenIDs, and I believe Sxip is also working on one.

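The browser extension approach in the last item turns on one decision: is the page showing a password field actually at the identity provider the user configured? The check that tends to get written first (does the page URL contain the provider's host name?) is wrong, because lookalike hosts and a user@host prefix both contain it. The added example below (not Andy Dale's or Sxip's extension, and not code from this post) puts that naive check next to an exact-origin comparison of scheme, host and port; the page is modelled as a URL plus a flag for whether it contains a password field, and idp.example is a placeholder for the configured provider.

```python
"""Origin check for the browser-extension approach described above.

Added example, not Andy Dale's or Sxip's extension. The page is modelled as a
URL plus a flag saying whether it contains a password field; idp.example is a
placeholder for the provider the user configured.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit


def origin(url: str) -> Optional[tuple[str, str, int]]:
    """(scheme, host, port) of a URL with the default port filled in, or None
    for anything that is not a plain http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # malformed port such as ':abc'
        return None
    # .hostname is already lower-cased and excludes any user@ prefix
    return (parts.scheme, parts.hostname,
            port or (443 if parts.scheme == "https" else 80))


def naive_check(page_url: str, has_password_field: bool, idp_url: str) -> str:
    """The tempting substring test. It is wrong: a lookalike host such as
    idp.example.evil.test and the user@host trick both contain the provider's
    name, so both pass."""
    if not has_password_field:
        return "ok"
    idp_host = urlsplit(idp_url).hostname or ""
    return "ok" if idp_host in page_url else "warn"


def check_page(page_url: str, has_password_field: bool, idp_url: str) -> str:
    """'ok' when there is nothing to protect or the page is exactly at the
    configured provider's origin; 'warn' (red chrome, annoying popup)
    otherwise. A scheme downgrade to http also warns."""
    if not has_password_field:
        return "ok"
    page, idp = origin(page_url), origin(idp_url)
    return "ok" if page is not None and page == idp else "warn"


if __name__ == "__main__":
    configured = "https://idp.example/"
    for url in ("https://idp.example/login",
                "https://idp.example.evil.test/login",
                "https://idp.example@evil.test/login",
                "http://idp.example/login"):
        print(f"{url:45} naive={naive_check(url, True, configured):4} "
              f"strict={check_page(url, True, configured)}")
```

A real extension would derive the flag from the DOM (any input of type password) and would run the check on every navigation, but the decision itself should stay exactly this narrow: whole-origin equality against what the user configured, never a substring or suffix match.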
Unfortunately, that’s all I’ve got. It’s not fantastic, and none of those completely stop the problem; they just buy us time while we figure out better solutions. If you have ideas for ways to combat phishing with OpenIDs, by all means, please comment here.

4th December 2006