As major Internet players line up behind OpenID, we were reminded of an Amsterdam computing student who pointed out three scenarios that make OpenID's single sign-on approach a scary prospect.
Usernames and passwords stopped being the be-all and end-all of online security years ago. Yet they are still the model OpenID builds on, and Marco Slot demonstrated how that makes OpenID too much convenience and too little security. Slot presented three scenarios in which phishing someone's OpenID credentials is little more challenging than writing (or copying) some PHP code.

Two of the methods can be guarded against by providers who prudently consider the consequences. The third, a basic OpenID login box set up on a malicious web page, cuts the OpenID provider out entirely: the victim types in a username and password, and the attackers end up with a login combination that probably works on more sensitive sites as well. Feed that combination to a script that tries it against common financial and retail sites, and wherever the person reused it on a site that offers no additional authentication factor, it's game over. As
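The third scenario turns on one observable fact: in a legitimate OpenID login the password is only ever typed into a page served by the provider (OP) whose endpoint was discovered from the user's identifier, via `<link rel="openid.server">` (OpenID 1.1) or `<link rel="openid2.provider">` (OpenID 2.0); the relying party's own box should ask for nothing but the identifier URL. A phishing page just renders a look-alike form that posts somewhere else. The following is an added example, not code from the article or from Slot's guide: it performs HTML-based discovery of the OP endpoint and then checks whether every password form on a login page actually posts to that endpoint's origin. All hostnames and HTML snippets are constructed for the example; the link `rel` values are the ones the OpenID specifications define.

```python
"""Added example: does the password form on a login page post to the
OpenID provider discovered from the user's identifier? (Constructed
data; not the article's or Slot's code.)"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _OpenIDPageParser(HTMLParser):
    """Collects <link rel=...> hrefs and the action of every form that
    contains a password field."""

    def __init__(self):
        super().__init__()
        self.links = {}            # rel token -> href
        self.password_forms = []   # action of each form asking for a password
        self._current_action = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "rel" in a and "href" in a:
            for rel in a["rel"].split():
                self.links[rel.lower()] = a["href"]
        elif tag == "form":
            # An empty or missing action posts back to the page itself.
            self._current_action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._current_action is not None:
                self.password_forms.append(self._current_action)
                self._current_action = None   # count each form once

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_action = None


def discover_op_endpoint(identifier_url, identifier_html):
    """OpenID HTML-based discovery: prefer the 2.0 link, fall back to 1.1."""
    p = _OpenIDPageParser()
    p.feed(identifier_html)
    href = p.links.get("openid2.provider") or p.links.get("openid.server")
    return urljoin(identifier_url, href) if href else None


def origin(url):
    """(scheme, host, port) triple, i.e. the web's same-origin notion."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return (scheme, (u.hostname or "").lower(), port)


def password_form_destinations(page_url, page_html):
    """Absolute URLs that the page's password forms submit to."""
    p = _OpenIDPageParser()
    p.feed(page_html)
    return [urljoin(page_url, action) for action in p.password_forms]


def password_goes_to_provider(op_endpoint, page_url, page_html):
    """True only if the page has a password form and every such form
    posts to the discovered provider's origin."""
    dests = password_form_destinations(page_url, page_html)
    return bool(dests) and all(origin(d) == origin(op_endpoint) for d in dests)


# --- constructed sample data (hostnames are hypothetical) ---------------
IDENTIFIER_URL = "https://alice.example.net/"
IDENTIFIER_HTML = """<html><head>
  <link rel="openid2.provider" href="https://openid.example.org/server">
  <link rel="openid2.local_id" href="https://alice.example.net/">
</head><body>Alice's identifier page</body></html>"""

# Legitimate case: the provider's own checkid_setup page asks for the password.
OP_LOGIN_URL = "https://openid.example.org/server?openid.mode=checkid_setup"
OP_LOGIN_HTML = """<form method="post" action="/server/login">
  <input name="user"><input type="password" name="pass"></form>"""

# Phishing case: a look-alike box on a malicious site; the password
# never reaches openid.example.org at all.
PHISH_URL = "http://evil.example.com/login"
PHISH_HTML = """<form method="post" action="collect.php">
  OpenID: <input name="openid_url"> Password: <input type="password" name="pw">
</form>"""

if __name__ == "__main__":
    op = discover_op_endpoint(IDENTIFIER_URL, IDENTIFIER_HTML)
    print("discovered OP endpoint:", op)
    print("provider page OK:", password_goes_to_provider(op, OP_LOGIN_URL, OP_LOGIN_HTML))
    print("phishing page OK:", password_goes_to_provider(op, PHISH_URL, PHISH_HTML))
    print("phishing form posts to:", password_form_destinations(PHISH_URL, PHISH_HTML))
```

The origin comparison is deliberately strict; a provider that hosts its login form on a different subdomain than its endpoint would need the check loosened, and in practice the user, not a script, is the one who has to notice that the password box appeared on the wrong site. The more basic red flag is simpler still: a relying party's OpenID box has no business containing a password field in the first place.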