One thing that might help a little is to allow people to upload their verification picture. Then separate the userid and password to separate screens, or in the case of OpenID the proceed to the server page, with a new page where you show them their verification picture and the password box, or for OpenID a proceed button.

Rather than allowing them to upload a verification picture, they could select from a large collection of supplied ones.

One bank I use does approximately this and has a picture and a phrase under it that I supplied.

-----Original Message-----
From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Augustin (Beginner)
Sent: Wednesday, November 07, 2007 8:10 AM
To: development@drupal.org
Subject: Re: [development] OpenId open to phishing attacks.

On Wednesday 07 November 2007 17:58, J-P Stacey wrote:
Unless you're running your own OpenID *server* then this isn't an issue. Looking at the module page I don't think that's in 5.x yet, let alone core.
Thanks. I thought Drupal could act as a server....
Oh. I see what you mean. http://drupal.org/project/openid says the server code is in 4.7.
http://drupal.org/node/144050

Here are some references for those interested:
server module? (feature request)
http://drupal.org/node/185272
Port 4.7-2.x to Drupal 5
http://drupal.org/node/126841
PHP-based OpenID Server code
http://groups.drupal.org/node/1109

Augustin.