Is OpenID a secure method of authenticating users on a website?
And, if not, what are the security risks associated with OpenID?
I think the main weakness of most OpenId providers is that they offer password recovery via e-mail. That reduces OpenId security to the security of my e-mail provider. If someone gets access to my e-mail account he can effectively steal my identity (with or without OpenId).
Using OpenId for authentication makes stealing my identity just easier. Just get access to my e-mail account and reset my OpenId password. Nothing more to do (instead of 100 password reset requests, one for each of my accounts on the web).
Even worse, if the attacker changes my e-mail account's password it will be very hard for me to prove that I am the original owner of that OpenId account. The attacker might change the associated e-mail account to his own so I can't reset the password even if I get back my e-mail account later.
It might be enough to get access to the password recovery e-mail my OpenId provider sends to steal my identity.
OpenId providers must offer disabling e-mail password recovery and provide a more secure way to recover a lost password. Something based on postal address, passport or bank account (things I trust more than an e-mail account).
As long as an OpenId account can be taken over by just getting access to a single e-mail it's nothing more than an additional single point of failure.
See also: http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security where "The Weakest Link: Email Password Reset Mechanisms" is addressed, too.