Yes, that was an oversight on my part. See my reply to mixedbit downthread for a proposed solution with a slight change of syntax: just add another field that contains a nonce.
- No ability to add an anti-phishing token (like a login image or phrase)
The phisher can fetch those images for you, making them more or less ineffective. Besides, the whole point of embedding a login button in the browser toolbar and making it pick the correct credentials is that the button will not work on any other domain. I'm trying to be backward compatible with as many existing websites as possible, but I can't achieve perfect compatibility with banks that won't listen to reason.
- No ability to style/brand the login page
- "Forgot Password" needs to be added somewhere
Logos and links can be added to the real HTML login page, which will continue to exist. The API will not replace the login page. It's just another way to send the POST request. If you don't know your password you obviously can't tell your browser to remember it, so the login button will not work and you'll have to visit the real HTML login page anyway.
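As an added illustration of the nonce field proposed above (example code written here, not the commenter's design or any browser's implementation), the following Python sketch shows the server side of such a login POST: each nonce is handed out once, bound to the origin that requested it, and consumed on first use, so a captured request cannot be replayed and a nonce obtained for one site is rejected on another. The nonce-issuing step, the five-minute lifetime and the form field names are assumptions.

```python
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumed lifetime of an unused login nonce


class LoginNonceStore:
    """Single-use nonces for login POSTs, each bound to the issuing origin."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._issued = {}            # nonce -> (origin, issued_at)

    def issue(self, origin):
        # 256 bits from the CSPRNG; unguessable and collision-free in practice
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = (origin, self._clock())
        return nonce

    def consume(self, nonce, origin):
        # pop() makes the check single-use even if the request is replayed
        entry = self._issued.pop(nonce, None)
        if entry is None:
            return False                       # unknown, already used, or forged
        bound_origin, issued_at = entry
        if bound_origin != origin:
            return False                       # issued for a different site
        if self._clock() - issued_at > self._ttl:
            return False                       # expired before use
        return True


def handle_login_post(store, form, origin, check_password):
    """Return (status, message) for a login POST carrying username, password, nonce."""
    nonce = form.get("nonce")
    if not nonce or not store.consume(nonce, origin):
        # Reject before touching credentials so replays reveal nothing
        return 403, "stale, replayed or foreign login request"
    if not check_password(form.get("username", ""), form.get("password", "")):
        return 401, "bad credentials"
    return 200, "ok"


# Constructed password check standing in for a real credential store
def demo_check_password(username, password):
    return username == "alice" and password == "correct horse"


if __name__ == "__main__":
    store = LoginNonceStore()
    n = store.issue("https://bank.example")
    form = {"username": "alice", "password": "correct horse", "nonce": n}
    print(handle_login_post(store, form, "https://bank.example", demo_check_password))  # (200, 'ok')
    print(handle_login_post(store, form, "https://bank.example", demo_check_password))  # replay -> 403
```

The browser-side button would fetch a nonce from the site it is on, include it alongside the stored credentials, and never reuse it; because the nonce is bound to that origin, a copy of the request sent from a phishing domain fails the `consume` check before the password is ever examined.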