Best practices for login pages?

后悔当初 2021-01-31 19:30

I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable

12 answers
  •  庸人自扰
    2021-01-31 20:02

    Seems like a no-brainer, but use HTTPS if the app requires it. Heck, even if it doesn't warrant it because people tend to reuse the same passwords. You can get an SSL cert cheap these days. If they lift a password from your site they can try it elsewhere. Even many banks don't have the login page on a secure line. It posts to an HTTPS page, but there is still no protection against a man-in-the-middle type attack.

    I agree with Omniwombat. Phishing is a hard problem to solve well and seemingly impossible to solve completely.
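The answer's point about login pages that are served over plain HTTP but post to HTTPS can be checked mechanically. The following is an added example, not code from the thread or from Shibboleth: it audits both hops (how the page was delivered and where each password form posts). The function name `audit_login_page` and the host `sso.example.org` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormParser(HTMLParser):
    """Collects the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self._action = None      # action of the form currently open, if any
        self._in_form = False
        self.login_actions = []  # actions of forms holding a password field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._action = True, a.get("action") or ""
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            if self._action not in self.login_actions:
                self.login_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means both hops use HTTPS."""
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served without HTTPS: form can be rewritten in transit")
    parser = _LoginFormParser()
    parser.feed(html)
    for action in parser.login_actions:
        target = urljoin(page_url, action)  # empty/relative actions inherit the page URL
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts to non-HTTPS target {target}")
    return findings


# Constructed sample: the pattern from the answer (HTTP page, HTTPS post target).
SAMPLE = ('<form action="https://sso.example.org/login" method="post">'
          '<input name="user"><input type="password" name="pw"></form>')

if __name__ == "__main__":
    print(audit_login_page("http://sso.example.org/", SAMPLE))
    print(audit_login_page("https://sso.example.org/", SAMPLE))
```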
