[OAUTH-WG] Preventing phishing attacks with auth server verification?

Aaron Parecki <aaron@parecki.com> Tue, 06 December 2011 17:42 UTC

Has there been any discussion about supporting a 2-stage login similar to
what many banks are doing, where they show you an image or a word that you
previously chose so that you can verify you're talking to the right server?

For example, when I log in to my bank I first enter my username. Then they
show me my secret word, and if I recognize it, I enter my password. This
gives me a chance to verify the server I'm logging in to really is my bank,
and not a third party intercepting my login attempt.

It seems that this would be a nice way to solve the security concern around
embedded user agents in mobile apps.

I realize this would not be part of the OAuth spec since this describes how
to sign in to the authorization server. But I'm curious if this would allow
native apps (especially mobile apps) to safely use an embedded browser to
complete the OAuth flow? Or is the general consensus that opening an
external browser is better because the user may already be signed in in
that session?

Aaron Parecki
Geoloqi.com
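The two-stage login described in the message above, as an added example that is not part of the thread: the server hands out the user's enrolled word in stage 1 and reaches the password check in stage 2 only through the same short-lived, one-time session. `USERS`, `TwoStageLogin`, the sample account and the static salt are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: a real deployment uses a random salt per user.
_SALT = b"constructed-static-salt"
USERS: Dict[str, dict] = {
    "alice": {"pw_hash": _hash_password("correct horse", _SALT), "word": "tangerine"},
}

class TwoStageLogin:
    """Stage 1: username -> server shows the word the user chose at enrollment.
    Stage 2: password is accepted only for a session that completed stage 1."""

    def __init__(self, ttl_seconds: float = 120.0) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}  # sid -> (username, created)

    def start(self, username: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)            # binds stage 2 to this stage 1
        self._pending[sid] = (username, now)
        user = USERS.get(username)
        # What to show for an unknown username is a deployment decision; here: nothing.
        return sid, (user["word"] if user else None)

    def finish(self, sid: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(sid, None)       # one-time: a sid cannot be replayed
        if entry is None:
            return False
        username, created = entry
        if now - created > self.ttl:               # stage 1 must be recent
            return False
        user = USERS.get(username)
        if user is None:
            return False
        return hmac.compare_digest(_hash_password(password, _SALT), user["pw_hash"])
```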