Friday, February 16, 2007

Absence of evidence

is not Evidence of Absence. Carl said that. He wasn't talking about identity ceremonies as far as I know.

MyOpenID's 'Safe Sign-In' mechanism made me think of the phrase. Safe Sign-In is a feature of MyOpenID whereby users can stipulate that they want the normal OpenID sign-in sequence interrupted - the interruption being designed to thwart the much-discussed OpenID phishing vulnerability.

Because the phish in question relies on a bad RP directing the user to a bad IDP for authentication, the Safe Sign-In option intentionally throws a wrench into the normal OpenID sequence with the GOOD IDP (in which, on arriving at that IDP, the user is asked to log in if not already in a session). Instead of immediately asking the user to authenticate, the IDP displays a screen that basically says "To protect you, I'm not going to ask you to log in yet. You need to come back on your own through a bookmark or by entering my address manually". The MyOpenID screen in question is shown below.

If the user enables Safe Sign-In for their IDP account, this is what they see whenever they are directed to the IDP from an SP. At this point, they would (presumably in a different tab/window) manually go to the MyOpenID sign-in page and authenticate, secure in the knowledge that they have run an end-around on any phisher. Afterwards, they'd return to the above page and click on 'continue this action' for redirection back to the RP. Note that, when the user actually is being redirected to the valid IDP, this is all just unnecessary hassle - they could have safely logged in as usual. (It's a hassle, but it's meant to be instructive hassle; no pain, no gain, etc.)

Now, if a site were to want to phish MyOpenID, it would of course not display the above screen - it would instead display the log-in page as per the normal OpenID sequence. It's at this point that the Safe Sign-In mechanism is supposed to demonstrate its worth. The hope is that the user, conditioned by the previous multiple authentications to the valid IDP through the intentionally awkward Safe Sign-In mechanism, will identify (and avoid) the now-easier log-in option offered by the phisher. Alerted by the atypical log-in ceremony, the user would surf quickly away, feeling smug and safe.
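To make the sequence concrete, here is a small model of the IDP-side logic described above: an RP-initiated arrival at the good IDP, the Safe Sign-In interstitial, the user's separate direct login, and the 'continue this action' step. This is an added illustration written for this post, not MyOpenID's or any OpenID library's code; the class names, the user, the password and the return URL are all invented for the example.

```python
"""Toy model of an OpenID sign-in at an IDP with and without a Safe Sign-In
interruption. Added illustration for this post, not MyOpenID's or any OpenID
library's code; all names and values below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional

LOGIN_FORM = "login form (password prompt)"
SAFE_SIGN_IN_SCREEN = "safe sign-in screen: come back via bookmark or typed address"
CONTINUE_TO_RP = "redirect back to RP"


@dataclass
class Session:
    authenticated_as: Optional[str] = None   # user logged in to this browser session
    pending_user: Optional[str] = None       # identity the RP asked us to verify
    pending_return_to: Optional[str] = None  # RP we still owe a redirect to


@dataclass
class IdentityProvider:
    """The user's own (good) IDP."""
    passwords: dict                                  # constructed user -> password table
    safe_sign_in: set = field(default_factory=set)   # users who enabled the option
    sessions: dict = field(default_factory=dict)     # browser cookie -> Session

    def _session(self, sid: str) -> Session:
        return self.sessions.setdefault(sid, Session())

    def _screen_for(self, sess: Session) -> str:
        if sess.pending_user is None:
            return "nothing pending"
        if sess.authenticated_as == sess.pending_user:
            return f"{CONTINUE_TO_RP}: {sess.pending_return_to}"
        if sess.pending_user in self.safe_sign_in:
            # Safe Sign-In: never prompt for a password on an RP-initiated visit.
            return SAFE_SIGN_IN_SCREEN
        return LOGIN_FORM

    def arrive_from_rp(self, sid: str, user: str, return_to: str) -> str:
        """Browser was redirected here by an RP (openid.mode=checkid_setup)."""
        sess = self._session(sid)
        sess.pending_user, sess.pending_return_to = user, return_to
        return self._screen_for(sess)

    def login(self, sid: str, user: str, password: str) -> bool:
        """Password submission, either via the login form or after the user
        navigated to the IDP on their own (bookmark / typed address)."""
        if self.passwords.get(user) != password:
            return False
        self._session(sid).authenticated_as = user
        return True

    def continue_action(self, sid: str) -> str:
        """'Continue this action' on the Safe Sign-In screen (or the post-login
        redirect in the normal flow). Only proceeds once a session exists."""
        return self._screen_for(self._session(sid))


def look_alike_screen() -> str:
    """What a site impersonating the IDP can show: it holds no session with the
    user and knows nothing of the Safe Sign-In setting, so it can only present
    the normal OpenID login form. The user's sole cue is the missing screen."""
    return LOGIN_FORM


def walkthrough(safe_sign_in_enabled: bool) -> list:
    """Screens the user sees at the good IDP for one RP-initiated sign-in."""
    idp = IdentityProvider(passwords={"alice": "correct horse"},   # constructed
                           safe_sign_in={"alice"} if safe_sign_in_enabled else set())
    sid = "cookie-1"
    screens = [idp.arrive_from_rp(sid, "alice", "https://rp.example/return")]
    # Clicking 'continue this action' before logging in changes nothing.
    screens.append(idp.continue_action(sid))
    # With Safe Sign-In the user opens another tab, goes to the IDP directly and
    # logs in there; without it they just fill in the form. Either way the
    # password reaches the same endpoint in this toy model.
    idp.login(sid, "alice", "correct horse")
    screens.append(idp.continue_action(sid))
    return screens


if __name__ == "__main__":
    for enabled in (True, False):
        print("Safe Sign-In", "on " if enabled else "off", walkthrough(enabled))
    print("look-alike site:", look_alike_screen())
```

Running the walkthrough both ways shows the whole argument in two lines of output: with Safe Sign-In on, the good IDP never shows a password prompt on an RP-initiated arrival, so a prompt at that point can only come from a site that is not the user's configured IDP; with it off, the good IDP and the look-alike show the identical login form and there is nothing for the user to notice.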

The scheme relies on the user making the connection between the 'evidence of absence' (the fact that they see no Safe Sign-In screen) and the 'absence of evidence' (a suspicious phish site that gets their spidey-senses tingling). This is the same model as Yahoo!'s Sign-in Seal, in which users are trained to expect to see a particular icon on their log-in page and warned to be suspicious should they not see it. I have doubts about the value of the model; it effectively places the burden of site authentication right on the user. Users make great validation engines, of course.

But for OpenID IDPs, the value of such a model appears even more questionable. Remember that OpenID, to a certain extent, stipulates the form and format of the log-in ceremony in order to create a consistent user experience. Remember also that at any other OpenID IDPs the user authenticates to, unless those other IDPs also implement Safe Sign-In (or something comparable), the user will be trained by experience to expect the normal OpenID log-in sequence: a direct password prompt. So what they are conditioned to expect as normal by these other IDPs is exactly what they would see at the MyOpenID phisher.

I just can't see the occasional 'training session' delivered by MyOpenID's Safe Sign-In ceremony triumphing in setting user expectations over the more frequent (and easier) conditioning they will receive everywhere else.
