Phishing and OpenID: Bookmarks to the Rescue?
January 20, 2007 by Ping
OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website. Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it. That’s because the OpenID login procedure can look like this:
- Visit a site I’ve never seen before.
- Enter my OpenID name and click “Log in”.
- See the login form for my OpenID provider.
- Submit my password.
And the experience of being phished looks like this:
- Visit a site I’ve never seen before.
- Enter my OpenID name and click “Log in”.
- See the login form for my OpenID provider.
- Submit my password.
In other words, OpenID providers that redirect to login forms train users to follow a link from an unknown site and then enter their passwords.
Several people have now written about this problem; most recently Ben Laurie kicked off a long discussion on the OpenID mailing list. Here’s an idea for how to deal with it, building on Simon Willison’s proposal.
One Possible Answer
Ask users to bookmark the login page. Never show a login form in response to any request that contains a Referer: header.
The User Experience
Imagine a fancy new OpenID provider called “BookmarkID”. It advertises that you should use it for authentication because it’s safer.
When you set up an account with BookmarkID, you’re asked to make a bookmark to the login page. (You can either right-click on a link to add it to your bookmark menu, or drag the link to your bookmark bar.) With BookmarkID, you always use your bookmark to log in. If the BookmarkID service ever needs you to enter your password, it will ask you to use your bookmark.
BookmarkID will never redirect you to the login page, and anyone else who tries to take you there will only bring up a big warning reminding you to Always use your bookmark to log in.
Cost to you: just one click on your bookmark (for the lifetime of your cookie).
Benefit to you: phishing resistance for all the OpenID-enabled sites you use.
Would You Use It?
The cost is not zero. You have to do a little bit more to use BookmarkID. So maybe it’s not for everyone.
In the most common case, your browser auto-fills your password, so it’s two clicks (bookmark and submit) instead of just one (submit). But the tradeoff isn’t bad — after doing this once, you don’t have to do it again until the cookie expires, and you only have to bookmark one site instead of every website you use, because of the leverage that OpenID provides.
On top of that, keep in mind that we’re already asking users to adopt a new login procedure when they use OpenID — it’s a login procedure that requires at least one extra click, and we expect them to be willing to do that in exchange for the convenience of single sign-on. Since we’re teaching users a new login procedure anyway, why not teach them a safe one?
BookmarkID would be worth it to me. I’d use it.
And the beauty of OpenID is that I can use it, and those of us who think this is worth it can use it, without forcing anyone else to. Someone could just come along and launch the BookmarkID login service and see who likes it. It could happen any day. It could even happen tomorrow. It could turn out to completely fail for reasons I haven’t thought of, and we could still go on looking for other solutions without having to migrate everyone off of OpenID.
I’d be grateful for your comments and thoughts on this.
January 20th, 2007 at 05:29
I really like it. It’s similar to my proposal but much, much easier to understand - especially as the key security feature is described in the name of the service.
I’m always a bit skeptical of anything that involves checking the referer header due to some companies stripping it out at the firewall, but in this case I can’t see how that would cause any breakages.
Obviously someone else likes the idea too, because the domain names bookmarkid.com / .net / .org were all registered today.
January 20th, 2007 at 07:41
Thanks! It really is your proposal. After I looked through the comments on your entry I realized this is essentially the same as what you and Nato were discussing there.
I registered the domain names. (This happens when I get excited about an idea, and this one seems fairly dependent on having a name that makes it impossible to forget that you’re supposed to use bookmarks.)