Want to insist on a recent login

Xageroth Sekarius xageroth at gmail.com
Sun Jul 17 11:32:45 PDT 2005

Nothing stops consumers from attaching additional passwords to OpenID's.

On 7/17/05, Dave Hinton <dah at thereaction.co.uk> wrote:
> I see no way in the current spec for the Consumer to insist that the
> End User must relogin to the Server if he has not logged in within,
> say, the last five minutes.
> This would be useful for sites where certain actions are more sensitive
> than others, e.g. e-commerce.
> If the End User has left themself logged in while they go to the loo
> and someone else posts to their blog while they are away from the
> keyboard, that is the End User's silly fault for leaving themself
> logged in.  But if someone should attempt to spend money on the End
> User's credit card, or erase the End User's entire blog, or something
> else similarly drastic, then the Consumer web site has a responsibility
> to try to prevent that.
> (Compare also with the behaviour of sudo on *nix systems.)
> This might seem to defeat the point of single sign on.  But no:  The
> End User would still only have to maintain a single password at a
> single web site.  Currently the End User must either (a) use the same
> password at all web sites (insecure) or (b) never be able to remember
> their password at web sites they visit infrequently, thus having to ask
> the web site to e-mail their password to them (annoying, and wastes
> time).
> So I think this would be a useful feature for OpenID to have.  It would
> only require adding an openid.required_freshness field to the
> checkid_setup and checkid_immediate requests.
> Any thoughts?

Xageroth Sekarius
[ http://digitalmyth.net/ ]:[ http://xageroth.blogspot.com/ ]

More information about the yadis mailing list