Google uses email addresses as OpenID login strings for its provider service.
I was reading about a conference where they were pushing to have it incorporated into the standard. Microsoft was against this, the "official" reason being security vulnerabilities this would supposedly introduce. Is this bogus? If not, why is it insecure?
One danger of using email address is that it is guessable. Or rather than someone who wants to break your account will probably know it.
Compare that to the current situation where your username and your OpenID provider could be anything. Maybe that's guessable, maybe it isn't. If it's not it makes it just a little harder to compromise your account.
Some people seem to have a problem with this. Look it's pretty simple. I haven't said that a non-obvious username is in and of itself sufficient security. Far from it. Security through obscurity is no security at all.
However, it's pure commonsense that out of:
that (1) is, at worst, equally secure to (2) and at best it is more secure.
What's more if your email is your password then if you compromise someone's email address you potentially compromise every system that uses that as a username is more easily compromised both by virtue of "Forget Password?" links and the fact that a password used in one place is more likely to be used in another.
Sorry but that's just commonsense.
It's not more insecure than using plain urls.
Imagine my email is [email protected]. It's the same thing as using domain.com/name, right?
It's as guessable as your homepage (almost everyone I know uses their homepage or blog as their OpenID).
What may (although I don't really believe it) be more insecure is if the authentication happens via email. For instance you give your email address, and you receive a token in your email that you have to insert in order to continue (like a temporary password).
That may be insecure if you have an insecure email workflow (specially the email client, and OS. This security is a special concern for Microsoft). That's maybe why they think it's less secure. But if you think you can reset your password by email in most OpenID providers, isn't it the same thing?
Notice however that you can also have email authentication (or even Twitter or SMS-based authentication, I've used for a while) in OpenID even without using email addresses as OpenID, but URLs instead.
This goes against the minimal disclosure concept. Right now if an OpenID relying party wants your email address they ask for it and you are warned about this by the identity provider and asked to confirm it. Using the email address means it goes whether you like it or not unless you're using OpenID 2.0 which can generate unique values on a per relying party basis.
It would also be a big change for all the OpenID libraries - URLs are discoverable, you know where to go with them, email addresses are not, which was why there was outrage at Google unilaterally doing this and effectively forking the OpenID standard to suit themselves.
The other problem lies in phishing. OpenID is very vulnerable to this as users trust the relying party to redirect them to their provider after discovering it via the OpenID provided - so a "mischievous" relying party may redirect to a phishing site which saves the OpenID and the password. With Google the OpenID and password is your gmail account and password so you've not only lost control of your OpenID but your email account as well. Of course this could be secured by the provider - you could have separate email passwords and OpenID passwords, you could have a secret message on a per user basis you show on the OpenID login page, but as we're well aware users are stupid. They don't check URLs in the browser, they blindly click OK on dialog boxes, they simply don't think that a web page could be fake. By using the email address and the same password Google are exposing the majority of their users to an unacceptable risk.