You may want to think about Graphical User Authentication (GUA), where the user identifies the authenticity of the site/application pictorially first using graphics they configure during the setup process, before providing any type of sensitive credentials. Most banking sites do a variant of this.
P.S: Technically, I think it would be incorrect to the classify this as GUA since no graphics are actually used to authenticate the user. This would be more like graphical user recognition :) > -----Original Message----- > From: Tom Poage [mailto:[email protected]] > Sent: Friday, August 2, 2013 12:34 PM > To: [email protected] > Subject: [cas-user] CAS anti-phishing measures > > Greetings, > > We've had occasional issues with fake CAS login sites, and I'm wondering > what current anti-phishing measures might be available to the CAS web > server (I see a slightly outdated mention of the topic on > https://wiki.jasig.org/x/FgnP). > > Foremost is user education--instilling the Internet analogue of "street > smarts". Unfortunately, there's always someone who isn't paying attention > or, in some cases, a bit of a language barrier understanding nuance in > phishing emails, web pages, .... > > At the server level, one method is to place either a short expiration or 'no- > cache' directive on static content (e.g. css) and, on detecting a non-local HTTP > 'Referer' header ("hot linking"), block access to alter login page presentation, > or redirect an access-denied page (with additional educational content). > > None of this is bulletproof; they're only layers to reach a fraction of low > hanging fruit. > > Other ideas? > > Thanks. > Tom. > > -- > You are currently subscribed to [email protected] as: > [email protected] To unsubscribe, change settings or access archives, > see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
