Want to insist on a recent login
Dave Hinton
dah at thereaction.co.uk
Mon Jul 18 04:39:42 PDT 2005
Xageroth Sekarius wrote:
> Nothing stops consumers from attaching additional passwords to OpenIDs.
The point here is that the Consumer web site does not want to force the
End User to remember yet another password.
Martin Atkins wrote:
> Also, I don't think I'd want to depend on OpenID for anything involving
> my finances. If you do that, you're putting a lot of trust in your
> identity provider and your identity server. Even if both of these are
> you, do you really want to chance your website getting attacked somehow?
The current situation is that End Users are putting a lot of trust in
their e-mail providers, as most web sites (including e-commerce web
sites) will e-mail your password to you, in the clear. And e-mail
servers are subject to attack too.
> I don't understand how you propose to fix this, though. You can't force
> the homesite to log out, since the user might still be using it or
> another site despite not using yours right now.
I don’t want to force the Server to log out the End User.
Instead of the Consumer web site having to ask “Is this browser logged
in as X?”, I would like it to have the option of asking “Is this
browser logged in as X, and did they log in within the last Y period of
time?” If the End User hasn’t logged in that recently, they should be
asked to log in again (re-enter their password), but if they don’t,
they shouldn’t be logged out of the Server. All that should happen
then is that the Server answers “No” to the Consumer.
> Am I right in thinking that you want to have the OpenID request include
> an inactivity limit?
No, and I agree with you that that would put an unreasonably onerous
burden on the Server.
I am asking that it include a maximum time since the End User’s
identity was verified (password entered). The Server can easily store
the last time the End User entered their password in the login cookie;
it doesn’t require writing to a database.
Perhaps some Servers don’t want to keep track of when the End User
last entered their password; maybe they should be able to tell the
Consumer web site “No, and I don’t keep this information” so that the
Consumer can tell the End User they can’t log in using that Identity.
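As an added illustration (not code from this thread or from any OpenID implementation), here is one way a Server could answer the three-way question the message describes, by keeping the last password-entry time inside its signed login cookie and reporting "yes", "no", or "I don't keep this information". The cookie format, the demo key, and the function names are my own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for the hypothetical Server; a real deployment uses
# a per-installation secret kept out of source control.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def issue_login_cookie(identity, auth_time, keep_auth_time=True):
    """Server side: mint an HMAC-signed login cookie.

    auth_time is when the End User last entered their password. A Server
    that does not track this simply omits the field; no database write is
    needed because the value lives in the cookie itself.
    """
    payload = {"identity": identity}
    if keep_auth_time:
        payload["auth_time"] = int(auth_time)
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify_cookie(cookie):
    """Return the cookie's claims, or None if the signature does not check out."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def answer_check(cookie, identity, max_age=None, now=None):
    """Server side: answer 'Is this browser logged in as identity, and did
    they enter their password within the last max_age seconds?'

    Returns "yes", "no", or "unknown" (logged in, but the Server does not
    record when the password was last entered). A stale session yields "no";
    the Server would offer a re-login first, and the End User stays logged
    in to the Server either way.
    """
    now = time.time() if now is None else now
    claims = _verify_cookie(cookie)
    if claims is None or claims.get("identity") != identity:
        return "no"
    if max_age is None:
        return "yes"
    if "auth_time" not in claims:
        return "unknown"
    return "yes" if now - claims["auth_time"] <= max_age else "no"
```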