Wednesday, September 24, 2008

Bad User! Bad!

It was gratifying to see George echo (in the sense of saying the same thing, but later) on the OpenID list the same concern I expressed for Google's proposed RP UI model for federated login.

I didn't find the Google response on the OpenID list particularly convincing - essentially that if the user does mistakenly give their IDP password to the RP, then the RP can just alert the user to this, and so teach them proper behaviour.

Warning: it seems that you have mistakenly provided us with your AOL password. When logging in to Buy.com through your AOL.com account, you should only present this password to AOL. To reinforce this lesson, please provide the following additional identity attributes in order to allow us to chastise you more completely.
- SSN
- Blood type
- Sexual Orientation

No comments: