PiP and the "Fun" Test
As referenced on Mike Jones's blog, Fun Commutations has deployed a service at: http://idtheft.fun.de/ that attempts to demonstrate a man-in-the-middle based phishing attack against a number of OpenID providers using Janrain's IDSelector. Since our Personal Identity Provider or "PiP" is one of the providers included in the Selector we naturally had a look.
The good news is that there are a couple of features specifically designed in the PiP to combat the attacks noted in the demonstration. The first is found within the PiP itself. The optional feature is called "Secure Sign-On" and the way it works is that if the user has enabled it, they must first be logged into the PiP *before* they attempt to login to a RP. If they are not logged in and they attempt to login they will be presented with this message:
The important point is that any PiP user who has enabled this knows that they must first login, so in the "Fun" case seeing a login screen while having the feature enabled would immediately flag the user that they were being phished.
Secondly, this feature combined with our SeatBelt being used in conjunction with the PiP beta product affords even more detection. With SeatBelt if a user is entering their identity URL we immediately detect whether or not the user is logged in and if they aren't we give them the option to login to their account. With SeatBelt installed Firefox 2 and 3 users can clearly see if they are on the "correct" login page through a visual indicator in their status bar. There are a number of checks SeatBelt performs to insure that the login page the user is entering their credentials into is correct for their configured OP. In addition to the PiP, SeatBelt is supported by 9 other providers some of which are listed in the selector (more on this in a follow-up post).
In addition to these features our PiP product also provides 2 factor authentication through our VeriSign Identity Protection ("VIP") Authentication Service so at the end of the day our view is balancing usability with the layering of functionality to thwart the very thing that Fun in their demo attempts to bring forward. "Secure Sign-In" backed with 2 factor authentication and SeatBelt we believe is a step to providing a level of comfort to the OpenID community in continuing to drive usage and adoption.