- From: James A. Donald <jamesd@echeque.com>
- Date: Tue, 13 Jun 2006 09:53:57 +1000
- To: public-usable-authentication@w3.org

George Staikos wrote:
> I've seen some tactics in a few places where some sort
> of information well-known only to the user was placed
> in the chrome. While it did require the user to
> actively look at the chrome to make sure the
> information was valid, the information was not
> spoofable since it was impossible for a site to know
> what that information was (barring any security hole
> in the browser implementation). Imagine a browser that
> had, in the tool/menu bar, "This is Phillip's
> browser." and a mini-picture of Phill's car.

User does not look at routine chrome. Does not look at irrelevant information.

We have to make the login page special in an obvious and dramatic way - and not make all the other pages special, because then it just turns into noise and the user tunes it out - so login and account creation has to be part of the browser, not a web page.

In Microsoft's Identity Metasystem, they are making it part of the operating system (their instinctive reaction to every issue to make it part of the operating system, which in the long run leads to more operating system holes, but still that is better than login and account creation being part of the web page.)

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     LjuWOtGh287wFXNak6A8VtrdZzc72E5RsAnCwcPa
     4Cg7s6ndA7Qipr2sdXbHYCV+I08lHsaaxoq+w8phm

Received on Tuesday, 13 June 2006 15:04:21 UTC