Are there any security risks associated with me using OpenID as the authentication method on my site?

Question

Is OpenID a secure method of authentication users on a website?

And, if not, what are the security risks associated with OpenID?

Answer 1

OpenID does add another party to the authentication process which you must treat as a trusted component. It's quite similar in that regard to any application that allows account recovery by e-mail, but whereas your email messages are transmitted in cleartext, you may choose to communicate with OpenID providers only over verified HTTPS connections.

Review the Security Considerations section of the specification.

For a great description of the weak spots in OpenID and a demonstration of how a good OpenID provider can give an experience that's much more secure than the traditional easily-phished password, see this short video by Kim Cameron from his Identity Weblog.

Answer 2

Actually I always disliked OpenID for various reasons.

• I have to trust the OpenID provider who I gave my data. I do trust certain sides to certain degrees, but just because I may trust Stack Overflow, I don't automatically trust any of the well known OpenID providers.

  2. If my OpenID password is compromised, all my sites where I'm using OpenID are compromised. Usually I would chose a different password for every site I'm using, but I can't with OpenID.

  3. I don't like the Persona concept at all. Even though I'm asked before any data is sent, it just doesn't seem right that one provider has this information and other services can request it. Okay, I don't have to use it if I don't like, but the concept seems flawed to me.

  4. As has been mentioned already, data is sent between a site and the OpenID provider and back again. Whenever data is exchanged, it can be compromised. No system is 100% secure; not even SSL (HTTPS). It's a difference if data only travels from me to a side and back to myself or if it also travels from that side to another one and back again.

  5. If an OpenID provider is hacked and the hacker gets the login data of all users (after all they are lovely centralized in one place!), just think of the impact!

Just to name a few. I also fail to see the big advantage of OpenID. For the user they say

1. Faster & easier registration and login
   • Reduced frustration from forgotten user name/password
   • Maintain personal data current at preferred sites
   • Minimize password security risks

Okay, let's analyze that.

(1) How often do you register for a page a day? 200 times? If I register for 2 pages a week, that is already a damn lot. Usually rather for 2-3 a months at most (actually Stack Overflow, or my OpenID provider to use Stack Overflow, was the last page I registered and this was not quite yesterday). So when you register for 2 sites a month, you don't have the 5 minutes it takes to fill out a form? Come on, don't be ridiculous.

(2) How? Because it uses the same password everywhere? "This is no future, this is a bug", most security experts would say. Or because it allows me to recover my password via mail? Well, actually almost any side I use allows me to do so. Despite that, my Firefox remembers my passwords quite well, stores them encrypted on disk (using a master password) and this encrypted database is back-uped regularly to never get lost.

(3) Well, this is probably something positive... however, my name has never changed so far, my e-mail address won't either as it's one of the domain I use and forwarded to a real address (so the real one can change, I just update the forward and everything works as before). My street address? Well, some people move a lot. I only moved once in my whole life so far. However, most sides don't need to know my street address. Sites where I see no reason for having the people know this information, but that demand me to fill it out for registering, just get a faked one. There are very little sites on the whole Internet that know my real address (actually only those that may ever have to send me a snail mail or where I might order goods).

(4) Actually I see it the other way round. It maximizes the security risk. How would it minimize the risk?

Answer 3

I agree with many of the points David makes above, so I'm making some points here just for the sake of argument.

For the knowledgeable user, I would argue that OpenID is a more secure form of authentication than many websites provide. Now let me back up that statement. First what do I mean by a knowledgeable user? I would define that person as somebody who is aware of the weaknesses of OpenID and who takes measures to mitigate them:

• Maintains multiple personas if they don't wish websites to be able to track them effectively.
• Registers two or more OpenID providers at websites where 24/7 access is an issue.
• Always logins to their OpenID provider directly. They never login to a page a 3rd party web site has redirected them to.

Many websites do not know how to securely maintain user's passwords. The really nice thing with OpenID is that I get to choose my OpenID provider and thus the level of authentication needed to login to a relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer - both of which provide much stronger authentication techniques than most websites on the web. I would much rather trust an organization which specializes in security with my password than some random web site on the web. So I would argue, that for the knowledeable user, OpenID can be more secure than each website implementing their own authentication system.

All that being said, most users are not aware of the risk factors inherent in OpenID and won't take the steps to mitigate the risks.

Answer 4

OpenID can be made more secure if you choose to ignore all OpenID providers that do not support HTTPS

Answer 5

While this thread is old I wanted to add my 2 cents. I think OpenId has one flaw that no one seems to care about. When I authenticate with Yahoo, it actually logs me into yahoo. It should not log you into yahoo it should just authenticate that you have the proper credentials with yahoo. When you log out of my app, you are still logged into yahoo. If you walk away from a shared computer and another person goes to yahoo, you will be logged in.. because when you authenticated with Yahoo, they also log you into their service. They should just authenticate you, not log you in. I have told several people about this and even demonstrated it with stackoverflow.com (who has a terrible log out mechanism, when I hit log out I expect to be logged out, not please click another logout button). Try this logout of yahoo or gmail. Close all your tabs, and then log into stackoverflow with yahoo/gmail. Then log out off stack overflow..(make sure you hit logout twice).. now browse to yahoo or gmail, you are logged in. Now the snide answer I get is "Don't use a shared computer, you should log out of Yahoo/gmail, etc"... Everyone is not a developer with a degree in MIS or computer science, my mother in law would think when she logged out of Stackoverflow, that she would not be logged into yahoo still.. Perhaps I am missing some parm or something that will actually force what I want, but it is surely not in the documentation telling you how great OpenId is!!!

Answer 6

Ouch. MyOpenID reports unconfirmed email addresses, just did a test for that. Looks like email info should be trusted only for some manually white-listed providers like google/yahoo and couple of others. I'll link the code here if someone's interested.