Want to insist on a recent login

Sun Jul 17 11:36:24 PDT 2005

Dave Hinton wrote:
> I see no way in the current spec for the Consumer to insist that the End
> User must relogin to the Server if he has not logged in within, say, the
> last five minutes.
> 
> This would be useful for sites where certain actions are more sensitive
> than others, e.g. e-commerce.
> 
> If the End User has left themself logged in while they go to the loo and
> someone else posts to their blog while they are away from the keyboard,
> that is the End User’s silly fault for leaving themself logged in.  But
> if someone should attempt to spend money on the End User’s credit card,
> or erase the End User’s entire blog, or something else similarly
> drastic, then the Consumer web site has a responsibility to try to
> prevent that.
> 
> (Compare also with the behaviour of sudo on *nix systems.)
> 
> This might seem to defeat the point of single sign on.  But no:  The End
> User would still only have to maintain a single password at a single web
> site.  Currently the End User must either (a) use the same password at
> all web sites (insecure) or (b) never be able to remember their password
> at web sites they visit infrequently, thus having to ask the web site to
> e-mail their password to them (annoying, and wastes time).
> 
> So I think this would be a useful feature for OpenID to have.  It would
> only require adding an openid.required_freshness field to the
> checkid_setup and checkid_immediate requests.
> 
> Any thoughts?
> 
> 

Unless I'm misunderstanding you, this is already possible. Once the
one-time OpenID login has taken place, it's up to the consumer what kind
of session — if any — is created. There's no reason at all why you
couldn't have the session only last a certain amount of time if that was
appropriate for your site, but you would of course have the tricky issue
of what to do once the user's session expires: What if the user comes
back and hits a submit button on a form? Can you maintain the form
values while the browser does the OpenID dance or is the user going to
have to start again?

Also, I don't think I'd want to depend on OpenID for anything involving
my finances. If you do that, you're putting a lot of trust in your
identity provider and your identity server. Even if both of these are
you, do you really want to chance your website getting attacked somehow?

I think I'd go so far as to say that I would expressly advise *against*
using OpenID for anything like that, as the principle of OpenID is for
several parties to co-operate to prove identity, but for a financial
transaction the only two parties involved should be you and the
reciever. I only trust my identity server to a point, and I would
certainly never buy from an online merchant that only put OpenID in
front of a user's stored credit card details.