[Ext] RE: Flag to identify if user selected SSO or not

Peter Schober peter.schober at univie.ac.at
Tue Jun 7 07:23:21 EDT 2016


* Nate Klingenstein <nate.klingenstein at utah.edu> [2016-06-07 13:06]:
> This is now a tangent of a tangent, but it’s the major layer of
> protection we really have as an IdP operator against phished
> credentials.
> 
> Variety in discovery interfaces makes phishing easier if you make
> the heroic assumption that users can defend themselves to some
> degree if they know what to expect.  That’s all I meant.

Sure, phishing is a real issue (and some MFA technologies can protect
against that). Bad (discovery) UIs are a real issue, too (people
unable to use the services or SSO integrations because it's just too
confusing and inconsistent, as you said).

I just think that dealing with one may not necessarily help with the
other. No UI improvement will prevent phishing as UIs both good and
bad can be cloned. Adding MFA into the mix won't make bad UIs any
better. And some MFA mechanisms can still be phished.

And logout on the web is still a mess, true. It's all very bad.

Cheers,
-peter

