That wouldn't do anything to prevent man-in-the-middle attacks. The concern is that sites may intercept your password. However, a man-in-the-middle attack would not be possible if the OpenID server uses SSL encryption. We can provide security by ensuring that the OpenID server will not accept an insecure connection.

On Nov 7, 2007, at 9:46 AM, Walt Daniels wrote:
One thing that might help a little is to allow people to upload their verification picture. Then separate the userid and password onto separate screens, or in the case of OpenID the "proceed to the server" page, with a new page where you show them their verification picture and the password box, or for OpenID a proceed button. Rather than allowing them to upload a verification picture, they could select from a large collection of supplied ones. One bank I use does approximately this and has a picture and a phrase under it that I supplied.