Passive authentication protocols such as those based on the OpenID standard allow a user interacting with one website (a relying party) to redirect to and log onto another website or the like (an identity provider) that authenticates the user, e.g., a provider that hosts the user's OpenID URL. When authenticated, the user is returned back to and is authenticated on the relying party's website via an assertion for the relying party.
To facilitate redirection for authentication, each website/provider that participates provides a mechanism such as a form by which users interact. For example, the original way to interact was for a user to type a fully qualified URL into the form that named the identify provider and provided user-specific information. A more recent way (referred to as “directed identity”) allows the user to type only simplified information that references the identity provider, e.g., xyz123.com. Participating websites further began offering a set of icons by which a user can connect to the authenticating provider with a single mouse click or the like instead of physically typing that simplified information.
However, having icons presents other problems, including usability. More particularly, as the number of participants has grown, to keep the number of icons to a reasonable amount, only a limited number of icons (e.g., for the most popular providers) can be presented to the user. Even with the limited amount of icons, many users find the various icons to be awkward in appearance, far more numerous than desired and/or confusing. Having a limited number of icons also means that other, less widely used participating providers (e.g., educational institutions) that do not have a presented icon are only accessible by typing, that is, users have to manually enter the URLs for those other providers. This makes the authentication process laborious for many users.
Another problem is that having icons results in a security risk. For example, a rogue website that a user is inadvertently browsing may appear to be a participating website with appropriately displayed icons. However, the icons presented on that rogue website do not link actually to the proper identity provider site, which the user will likely not realize. This makes the process vulnerable to phishing and other web-based attacks.