Other technically unsuitable mitigations were examined and rejected.

  • Further authenticating the legitimate requesting party: This is an insufficient mitigation because the attacker takes over the session after the victim completes his 
  • (Could this actually work if you have a trust elevation chain with "strong auth", effectively a fresh transient AAT, after claims-gathering?)
  • Warning the victim what the client has redirected him to the AS for: It is already good practice for the AS to give cues as to the client's purpose, but this is a weak mitigation and is known to be insufficient against current phishing techniques.