Has there been any discussion about supporting a 2-stage login similar to what many banks are doing, where they show you an image or a word that you previously chose so that you can verify you're talking to the right server?
For example, when I log in to my bank I first enter my username. Then they show me my secret word, and if I recognize it, I enter my password. This gives me a chance to verify the server I'm logging in to really is my bank, and not a third party intercepting my login attempt.

It seems that this would be a nice way to solve the security concern around embedded user agents in mobile apps. I realize this would not be part of the OAuth spec since this describes how to sign in to the authorization server. But I'm curious if this would allow native apps (especially mobile apps) to safely use an embedded browser to complete the OAuth flow? Or is the general consensus that opening an external browser is better because the user may already be signed in in that session?

Aaron Parecki
Geoloqi.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth