Re: [OpenID] OpenID and SSO
From: Dick Hardt <dick <at> sxip.com>
Subject: Re: [OpenID] OpenID and SSO
Newsgroups: gmane.comp.web.openid.general
Date: 2008-06-27 19:30:19 GMT
On 27-Jun-08, at 12:25 PM, Eric Norman wrote:

> On Jun 27, 2008, at 9:25 AM, Dick Hardt wrote:
>
>> *if* the RP remembers the user's OpenID the first time they visit the
>> site and the user only uses one OpenID on the site, then when the user
>> returns, and if the RP autofills the OpenID in the form, then the user
>> just has to click the submit button to login (assuming they have a
>> valid session at their OP and their OP is configured to automatically
>> login to that RP
>>
>> Lots of assumptions in this flow, definitely room for improvement.
>>
>> Question: do people think improving this is important?
>
> Well, I certainly think that the fewer actions that a user has
> to perform, whether they be physical (e.g. clicking) or cognitive
> (e.g. remembering), the riskier and less safe the login
> process is from the point of view of security. This does assume
> that the user has close to an accurate understanding of the action
> she is about to perform. The latter is a lot more difficult to
> effect than most with geek training believe.
>
> To reiterate, the main point here is that fewer user actions
> imply less safety.

Interesting logic. Does that mean that more actions is more safety? Would the security of each action not be relevant? Is "asasasasasasasasasasasasasasasasasas" a better password than "6@h." because there are more keystrokes?

If you make the user jump through a bunch of hoops each time they authenticate, they strive to make their life simpler, not more secure. Writing the really strong password on the sticky right beside the monitor is a classic example.

-- Dick
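The two passwords Dick contrasts make a concrete point: a keystroke count (or a naive "length times alphabet" strength meter) rewards the long repeated string, while an estimator that notices the repeating pattern ranks the short mixed-class one higher. The script below is an added illustration written for this page, not code from the list or from any OpenID project; the character-class model, the repeat-unit heuristic and the bit estimates are simplifying assumptions made here for the comparison, not a real-world strength meter.

```python
import math
import string

# Character classes for a naive keyspace estimate (an assumption of this example:
# an attacker is assumed to cover every class that appears in the password).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Sample inputs: the two passwords from the message above.
REPEATED = "asasasasasasasasasasasasasasasasasas"
SHORT = "6@h."


def keyspace(pw: str) -> int:
    """Size of the alphabet implied by the character classes present in pw."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in pw))


def naive_bits(pw: str) -> float:
    """Keystroke-count view: every character is an independent draw from the keyspace."""
    return len(pw) * math.log2(keyspace(pw))


def smallest_repeating_unit(pw: str) -> str:
    """Shortest prefix whose repetition reproduces the whole string (pw itself if none)."""
    n = len(pw)
    for k in range(1, n + 1):
        if n % k == 0 and pw[:k] * (n // k) == pw:
            return pw[:k]
    return pw


def pattern_aware_bits(pw: str) -> float:
    """Estimate that charges only for the repeating unit plus the repeat count.

    Once a guesser tries 'unit repeated r times', the extra keystrokes cost it
    almost nothing, so the length beyond the unit contributes log2(r), not r*log2(keyspace).
    """
    unit = smallest_repeating_unit(pw)
    repeats = len(pw) // len(unit)
    bits = len(unit) * math.log2(keyspace(unit))
    if repeats > 1:
        bits += math.log2(repeats)  # attacker only needs to guess how many repeats
    return bits


def ranks_repeated_higher(estimator) -> bool:
    """True when the given estimator scores the long repeated string above the short one."""
    return estimator(REPEATED) > estimator(SHORT)


if __name__ == "__main__":
    for pw in (REPEATED, SHORT):
        print(f"{pw!r:40} keystrokes={len(pw):2d} "
              f"naive={naive_bits(pw):6.1f} bits  pattern-aware={pattern_aware_bits(pw):5.1f} bits")
    print("naive meter prefers the repeated string:", ranks_repeated_higher(naive_bits))
    print("pattern-aware meter prefers it:         ", ranks_repeated_higher(pattern_aware_bits))
```

Under these assumptions the 36-keystroke string scores about 169 bits naively but only about 14 bits once the "as" repeat is recognised, while "6@h." scores about 24 bits either way; the extra keystrokes buy almost nothing. A production strength meter (zxcvbn, for instance) applies many more pattern heuristics than this single repeat check, but the lesson is the same: count what an attacker must guess, not what the user must type.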