Talk:Viewer Authentication Critique

From Second Life Wiki
Revision as of 10:31, 29 September 2007 by Matthew Dowd (talk | contribs) (→‎Cons)
Jump to navigation Jump to search

Security

Pros

  • Viewer does not have to process (and "see") username and password

Cons

  • Viewer still involves running trusted code on the computer and could initiate other attacks e.g.
    • Silently buy L$ and pass onto another account
    • Pass token onto bot, and drop the users connection
  • Potential for phishing websites to entice users to enter username and password and then pass control to SL website and viewer.
  • Possibility some third party clients will retain the existing UI in order to make it easier for people with alts and multiple clients, and do appropriate GETs and POSTs on the SL to initiate a logon and get the token (thus defeating the original purpose)

Alternatives

Flexibility

Pros

  • Enables username/password authentication to work on third party sites without them having to "see" username and password

Cons

Alternatives

  • OpenID
  • CardSpace
  • Identity Metasystem

Persistence

Pros

Cons

  • Inconvenient for those with alts
    • Cumbersome to change alts and logon with multiple alts
    • Those with alts, often have a primary account which is used for forums and logged on permanently to forums even when the alt is online in SL
  • Inconvenient for those with multiple clients

Alternatives

  • Is this really needed?



--Matthew Dowd 11:27, 29 September 2007 (PDT)