- From: David Nicol <davidnicol@gmail.com>
- Date: Fri, 16 May 2014 15:34:39 -0500
- To: Dave Raggett <dsr@w3.org>
- Cc: Web Payments <public-webpayments@w3.org>
Received on Friday, 16 May 2014 20:35:07 UTC
On Fri, May 16, 2014 at 4:33 AM, Dave Raggett <dsr@w3.org> wrote: > If an attacker has fooled users into disclosing their email address and > passphrase, how does the identity provider differentiate the attacker from > users trying to login from a new device? I would also like to see an > analysis of the potential for replay attacks. > I understand the standard answer to this question is "multi-factor authentication."
Received on Friday, 16 May 2014 20:35:07 UTC