Users on Public Computers

Joshua Viney josh at eastmedia.com
Mon Nov 6 16:41:30 PST 2006


One question re: User Experience and single-sign-on comes to mind:

How do we treat users who are accessing their IdP and Relying Parties  
via public computers?

Use Case:
Good User at public library wants to leave a comment on Blog X
Blog X requires the person to authenticate via OpenID
Good User enters their OpenID and successfully authenticates via  
email and password (or whatever) (and authorizes the RP ('realm' in  
2.0) if necessary) at their IdP
Good User is redirected to Blog X signed in
Good User leaves comment
Good User signs out of Blog X (if sign out is even an option)
Good User then leaves the public library and goes shopping
Evil User jumps on computer and proceeds to leave comments at any  
number of OpenID enabled blogs using Good User's OpenID (he saw it  
while looking over Good User's shoulder, or he checks any sites that  
Good User did NOT sign out of that might display his OpenID)
Evil User uses Good User's signed-in IdP session to sign into any  
number of sites, etc.

Outcome: Good User's reputation is ruined and his/her OpenID is  
banned from a whole list of Relying Parties. Good User then blames  
their IdP, the Relying Parties and OpenID as a technology, tells  
everyone he/she knows not to use it, blogs about it and initiates a  
press release.

It may be easy to pass this off as an implementation specific issue  
or as "user error", but this use case is somewhat likely for 2 reasons:

1. A user's OpenID URI is not necessarily a private thing (obscurity  
is not security anyway)
2. Users will be at least 1 site removed from their IdP while  
accessing a Relying Party, and no one is used to signing out twice
3. It is very very likely that IdPs will use some type of "remember  
me" functionality

One solution to consider would be a global sign-out feature on  
relying party sites that signs users out of their IdP as well.  
Another solution would be to make very specific recommendations about  
messaging users who may be using public computers.



Josh Viney
http://www.eastmedia.com -- EastMedia
http://identity.eastmedia.com -- OpenID, Identity 2.0
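
The use case above as a small Python model, added here as an illustration and not part of the original message. It treats the shared browser's cookies as a dict and does not implement the OpenID protocol; the class names, host names, the "public computer" option and both session lifetimes are assumptions.

```python
import secrets
# Constructed model: hosts, lifetimes and the public-computer flag are assumptions.
REMEMBER_ME_TTL = 14 * 24 * 3600   # assumed "remember me" lifetime (seconds)
PUBLIC_TTL = 5 * 60                # assumed lifetime on a declared public computer

class IdP:
    host = "idp.example"
    def __init__(self):
        self.sessions = {}  # token -> (openid, expiry time)

    def authenticate(self, jar, openid, now, public_computer=False):
        """The user entered a correct password: start an IdP session."""
        ttl = PUBLIC_TTL if public_computer else REMEMBER_ME_TTL
        token = secrets.token_hex(16)
        self.sessions[token] = (openid, now + ttl)
        jar[self.host] = token

    def asserts(self, jar, openid, now):
        """True if the IdP would vouch for `openid` without a password prompt."""
        session = self.sessions.get(jar.get(self.host))
        return session is not None and session[0] == openid and now < session[1]

    def sign_out(self, jar):
        self.sessions.pop(jar.pop(self.host, None), None)

class RelyingParty:
    def __init__(self, host, idp):
        self.host, self.idp = host, idp

    def sign_in(self, jar, openid, now):
        ok = self.idp.asserts(jar, openid, now)
        if ok:
            jar[self.host] = openid
        return ok

    def sign_out(self, jar, global_sign_out=False):
        jar.pop(self.host, None)           # ends only the RP's own session
        if global_sign_out:                # the "global sign-out" idea from the post
            self.idp.sign_out(jar)

def session_survives_for_next_user(public_computer, global_sign_out, idle_seconds):
    """Replay the library scenario; True if a second blog still accepts the IdP session."""
    jar, idp, openid = {}, IdP(), "http://gooduser.example/"
    blog_x = RelyingParty("blogx.example", idp)
    blog_y = RelyingParty("blogy.example", idp)
    idp.authenticate(jar, openid, now=0, public_computer=public_computer)
    blog_x.sign_in(jar, openid, now=10)
    blog_x.sign_out(jar, global_sign_out=global_sign_out)
    return blog_y.sign_in(jar, openid, now=10 + idle_seconds)
```

Signing out of Blog X alone leaves the IdP session in the browser, so the second blog still accepts it; a short session lifetime narrows that window but does not close it the way a sign-out that reaches the IdP does.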



