Paragraph 1: it is not only the resource owners' password that can be phished. OTP etc. can be phished as well.
Propose to change: "steal resource owners' passwords" to "steal resource owners' passwords and other credentials that are not phishing-resistant".
Also, as the paragraph 2 advises, user education is important, but its effectiveness is somewhat limited.
It is better to advise authorization servers to deploy phishing-resistant authentication mechanisms.
Therefore, I propose to add a new paragraph 2 such as:
Service providers SHOULD implement phishing-resistant authenticator support.
A question. There are two instances of "should" in the current paragraph 2. Are they intended, or are they actually "SHOULD"?
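To illustrate the distinction the comment draws (an OTP can be relayed through a phishing page, whereas an origin-bound authenticator assertion cannot), here is a toy model added for this page; it is not text or code from the draft under review. The HMAC-based "authenticator", the simplified TOTP and the origin names are constructed assumptions that stand in for a real WebAuthn flow, where the browser, not the user, supplies the origin and the relying party rejects assertions made for any other origin.

```python
"""Toy model: a relayed OTP verifies, an origin-bound assertion does not.
Added illustration with constructed secrets; it simplifies real WebAuthn."""
import hashlib
import hmac
import secrets

# Constructed values for the demonstration (not from the draft).
OTP_SEED = b"constructed-totp-seed"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"
REAL_ORIGIN = "https://as.example"          # the genuine authorization server
PHISH_ORIGIN = "https://as-example.attacker.test"  # look-alike site


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """Simplified time-based OTP: six digits from seed and 30-second slot."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_totp(seed: bytes, submitted: str, now: int) -> bool:
    """Server-side check: nothing binds the code to where it was typed."""
    return hmac.compare_digest(totp(seed, now), submitted)


def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Toy authenticator: signs challenge || origin. The origin comes from
    the browser's view of the page, so a phishing page cannot choose it."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, expected_origin: str,
              origin_in_assertion: str, signature: bytes) -> bool:
    """Relying-party check: the asserted origin must be ours, and the
    signature must cover the challenge and that origin."""
    if origin_in_assertion != expected_origin:
        return False
    expected = authenticator_sign(key, challenge, origin_in_assertion)
    return hmac.compare_digest(expected, signature)


def relayed_otp_is_accepted(now: int) -> bool:
    """The user types the current code into the look-alike page, which
    forwards it unchanged; the server cannot tell the difference."""
    code_typed_into_phish = totp(OTP_SEED, now)
    return verify_totp(OTP_SEED, code_typed_into_phish, now)


def relayed_assertion_is_accepted() -> bool:
    """The same relay against an origin-bound authenticator fails: the
    browser signs for PHISH_ORIGIN, and the real server rejects it."""
    challenge = secrets.token_bytes(32)  # issued by the real server, relayed
    sig = authenticator_sign(AUTHENTICATOR_KEY, challenge, PHISH_ORIGIN)
    return rp_verify(AUTHENTICATOR_KEY, challenge, REAL_ORIGIN, PHISH_ORIGIN, sig)


def legitimate_assertion_is_accepted() -> bool:
    """Control case: a login performed on the genuine origin verifies."""
    challenge = secrets.token_bytes(32)
    sig = authenticator_sign(AUTHENTICATOR_KEY, challenge, REAL_ORIGIN)
    return rp_verify(AUTHENTICATOR_KEY, challenge, REAL_ORIGIN, REAL_ORIGIN, sig)


if __name__ == "__main__":
    print("relayed OTP accepted:      ", relayed_otp_is_accepted(1_700_000_000))
    print("relayed assertion accepted:", relayed_assertion_is_accepted())
    print("genuine assertion accepted:", legitimate_assertion_is_accepted())
```

The origin comparison in rp_verify is the whole point: user education cannot remove the relay, but a credential whose validity depends on the origin the browser actually loaded does, which is what makes such authenticators phishing-resistant and why a SHOULD-level recommendation for them is stronger than advice to users.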