3 Jul 11:13
Re: [OpenID] PAPE yahoo?
From: Simon Josefsson <simon <at> josefsson.org>
Subject: Re: [OpenID] PAPE yahoo?
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-03 09:13:29 GMT

Allen Tom <atom <at> yahoo-inc.com> writes:

> Hi Peter,
>
> Yahoo issues persistent browser sessions that are valid for up to 14
> days, and the Yahoo OpenID Provider does not re-prompt for the user's
> password before we send an assertion to the Relying Party. We do not
> re-prompt the user for their password in order to improve the usability
> of the service.
>
> Generally speaking, sites that authorize financial transactions
> re-prompt the user for their password before authorizing the
> transaction, even if the user is already logged in.
>
> We're definitely interested in seeing OpenID being used to authorize
> high value transactions, and hopefully the new PAPE extension will make
> this a reality.

Do you see a need for the RP to request from the OP to re-prompt the user for the password? How could you achieve that with PAPE?

This seems similar to my discussions on specs@ about a similar feature for one-time-passwords. If there is a way, with PAPE, for a RP to request authentication re-prompt from the OP for passwords, it could probably be used to re-prompt one-time-passwords too.

Thanks,
Simon