Want to insist on a recent login
Xageroth Sekarius
xageroth at gmail.com
Sun Jul 17 11:32:45 PDT 2005
Nothing stops consumers from attaching additional passwords to OpenIDs.
On 7/17/05, Dave Hinton <dah at thereaction.co.uk> wrote:
> I see no way in the current spec for the Consumer to insist that the
> End User must relogin to the Server if he has not logged in within,
> say, the last five minutes.
>
> This would be useful for sites where certain actions are more sensitive
> than others, e.g. e-commerce.
>
> If the End User has left themself logged in while they go to the loo
> and someone else posts to their blog while they are away from the
> keyboard, that is the End User's silly fault for leaving themself
> logged in. But if someone should attempt to spend money on the End
> User's credit card, or erase the End User's entire blog, or something
> else similarly drastic, then the Consumer web site has a responsibility
> to try to prevent that.
>
> (Compare also with the behaviour of sudo on *nix systems.)
>
> This might seem to defeat the point of single sign on. But no: The
> End User would still only have to maintain a single password at a
> single web site. Currently the End User must either (a) use the same
> password at all web sites (insecure) or (b) never be able to remember
> their password at web sites they visit infrequently, thus having to ask
> the web site to e-mail their password to them (annoying, and wastes
> time).
>
> So I think this would be a useful feature for OpenID to have. It would
> only require adding an openid.required_freshness field to the
> checkid_setup and checkid_immediate requests.
>
> Any thoughts?
>
>
--
Xageroth Sekarius
[ http://digitalmyth.net/ ]:[ http://xageroth.blogspot.com/ ]
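A sketch of how the proposed field could behave on both sides of the exchange, as an added example that is not from the thread or the OpenID spec: the openid.required_freshness name is Dave's proposal, while the session record (a stored time of the user's last password entry), the two functions and the result labels are assumptions made here.

```python
import time
from urllib.parse import urlencode, parse_qs

# Constructed, hypothetical extension: openid.required_freshness is the maximum
# age, in seconds, of the End User's last password entry that the Consumer
# will accept. Neither function is part of the OpenID spec.

def build_checkid_request(identity, return_to, mode="checkid_setup",
                          required_freshness=None):
    """Consumer side: build the query string for a checkid_* request,
    adding openid.required_freshness only when the action is sensitive."""
    params = {
        "openid.mode": mode,
        "openid.identity": identity,
        "openid.return_to": return_to,
    }
    if required_freshness is not None:
        params["openid.required_freshness"] = str(int(required_freshness))
    return urlencode(params)

def server_decide(query, session, now=None):
    """Server side. Returns one of:
      'assert'       - last login is fresh enough, issue the assertion
      'relogin'      - checkid_setup: ask the End User for the password again
      'setup_needed' - checkid_immediate: cannot satisfy freshness silently
      'error'        - malformed freshness value (fail closed, not open)
    'session' is an assumed record holding 'last_auth' as a Unix timestamp."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(query).items()}
    mode = q.get("openid.mode")
    freshness = q.get("openid.required_freshness")
    if freshness is None:
        return "assert"                       # no freshness demand: SSO as usual
    try:
        max_age = int(freshness)
    except ValueError:
        return "error"                        # never treat garbage as "unlimited"
    age = now - session["last_auth"]
    if 0 <= age <= max_age:
        return "assert"
    # Stale (or clock went backwards): behave like sudo and demand the password.
    return "setup_needed" if mode == "checkid_immediate" else "relogin"
```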