>> I still believe that the approach is sound; instead of an identity,
>> the consumer could generate a phrase (since this has a much higher
>> likelihood of being unique and recognizable), display it to the user,
>
> anything that the consumer shows in step A would be known to the
> attacker so could be possibly used in the social part of the attack,
> maybe this phrase should be generated beforehand and be specific (or
> unique) to the user at the given consumer, and the users might be then
> trained to check it on the authorization page and do this:
Good point. Might language on the authorization page explaining where the phrase should have come from be the answer (it limits the possibilities, but phishers are creative ones)? Pre-generating phrases would be tricky, as not all apps have the concept of "identity" and may not have the opportunity to generate phrases beforehand.

seth

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
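The trade-off the two posters are debating, modelled as an added toy simulation (not code from the thread, the OAuth group or any OAuth implementation). It assumes the attack model implied above: the attacker starts the flow at the consumer ("step A"), then lures the victim to the resulting authorization page. The `Consumer`, `Provider` and `step_a` names, the word list and the two phrase policies are assumptions made for illustration; the phrase generated per request is known to whoever started the flow, while the phrase pre-generated for the victim's account at the consumer is not.

```python
"""Toy model of the 'phrase on the authorization page' check (added example)."""
import secrets

# Constructed word list for generating short, recognisable phrases.
WORDS = ["amber", "falcon", "harbor", "lantern", "meadow", "orbit",
         "pepper", "quartz", "saddle", "timber", "velvet", "willow"]


def make_phrase(n_words: int = 3) -> str:
    """Random phrase a user can recognise later (assumed generator)."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


class Consumer:
    """Consumer that starts the flow (called 'step A' in the thread).

    policy "per_request": a fresh phrase is generated when the flow starts and
    shown to whoever started it (the first proposal in the thread).
    policy "per_user":    the phrase was generated beforehand for the user's
    account at this consumer and is unique to that user (the quoted reply).
    """

    def __init__(self, policy: str):
        assert policy in ("per_request", "per_user")
        self.policy = policy
        self.user_phrases: dict[str, str] = {}   # pre-generated, per user
        self.pending: dict[str, str] = {}        # request token -> phrase

    def register(self, user: str) -> str:
        """Pre-generate a phrase that is unique to this user at this consumer."""
        phrase = make_phrase()
        while phrase in self.user_phrases.values():
            phrase = make_phrase()
        self.user_phrases[user] = phrase
        return phrase

    def step_a(self, initiator: str) -> tuple[str, str]:
        """Start the flow for `initiator`; return (request_token, phrase shown)."""
        token = secrets.token_hex(8)
        phrase = (make_phrase() if self.policy == "per_request"
                  else self.user_phrases[initiator])
        self.pending[token] = phrase
        return token, phrase


class Provider:
    """The authorization page, which displays the consumer's phrase."""

    def __init__(self, consumer: Consumer):
        self.consumer = consumer

    def authorization_page(self, token: str) -> str:
        # Looked up by request token, so it is whatever phrase the party that
        # started the flow caused the consumer to store.
        return self.consumer.pending[token]


def legitimate_flow(policy: str) -> bool:
    """Victim starts step A themselves and checks the page. True = check passes."""
    consumer = Consumer(policy)
    provider = Provider(consumer)
    consumer.register("victim")
    token, phrase_shown = consumer.step_a("victim")
    return provider.authorization_page(token) == phrase_shown


def attack(policy: str) -> bool:
    """Attacker starts step A, then lures the victim to the authorization link
    (the 'social part'). True = victim accepts the page as genuine."""
    consumer = Consumer(policy)
    provider = Provider(consumer)
    victim_phrase = consumer.register("victim")
    consumer.register("attacker")          # attacker has their own account

    token, phrase_known_to_attacker = consumer.step_a("attacker")

    if policy == "per_request":
        # The victim started no flow, so the only reference they have is the
        # phrase the attacker can quote in the lure (learned in step A).
        victim_reference = phrase_known_to_attacker
    else:
        # The victim was trained to expect their own pre-generated phrase,
        # which the attacker never saw.
        victim_reference = victim_phrase

    return provider.authorization_page(token) == victim_reference


if __name__ == "__main__":
    for policy in ("per_request", "per_user"):
        print(policy, "legit:", legitimate_flow(policy), "attack:", attack(policy))
```

Both policies pass the legitimate flow; only the per-user phrase defeats the attacker who starts step A, because the page then shows the attacker's phrase rather than the victim's. The model does not resolve Seth's objection that a consumer with no notion of user identity has nothing to pre-generate the phrase against.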
