Re: [OpenID] OpenID and SSO
From: Eric Norman <ejnorman <at> doit.wisc.edu>
Subject: Re: [OpenID] OpenID and SSO
Newsgroups: gmane.comp.web.openid.general
Date: 2008-06-27 19:25:47 GMT
On Jun 27, 2008, at 9:25 AM, Dick Hardt wrote:

> *if* the RP remembers the user's OpenID the first time they visit the
> site and the user only uses one OpenID on the site, then when the user
> returns, and if the RP autofills the OpenID in the form, then the user
> just has to click the submit button to login (assuming they have a
> valid session at their OP and their OP is configured to automatically
> login to that RP
>
> Lots of assumptions in this flow, definitely room for improvement.
>
> Question: do people think improving this is important?

Well, I certainly think that the fewer actions a user has to perform, whether they be physical (e.g. clicking) or cognitive (e.g. remembering), the riskier and less safe the login process is from the point of view of security. This does assume that the user has close to an accurate understanding of the action she is about to perform. The latter is a lot more difficult to effect than most with geek training believe.

To reiterate, the main point here is that fewer user actions imply less safety.

Eric Norman