Is OpenID a secure method of authenticating users on a website?

And, if not, what are the security risks associated with OpenID?

+5  A: 

OpenID is inherently insecure. It works by your site redirecting the user to their OpenID provider site and then accepting an ID back from that site. This provides insecurities in both directions. You have to trust the ID that comes back (as you have no way of authenticating the user yourself) and it is easy to operate a proxy to the user’s OpenID provider, that allows you to steal their username and password.

OpenID is fine for something like Stack Overflow, where it doesn’t really matter if someone impersonates you. Using OpenID for sites with more serious – on a personal level – content is extremely risky. If you use OpenID for your email for example, then anyone stealing your ID can access your email. They could then in turn send password reminder requests to other sites that you use in order to get passwords for those sites. In the worst case, you could use OpenID for a bank account, or have a bank that sends password reminders to your email account...

There are numerous other security problems with OpenID. You can find more information in "Privacy on the Internet".

David Arno
Did you post that so you could answer your own question?
Omar Kooheji
@Omar: Obviously yes. Nothing wrong with that.
Geoffrey Chetwood
@Omar, as Rich B says, yes I did. The question hadn't been asked and the site "rules" permit answering your own question as a way to grow the site's knowledge coverage. Take a read of the FAQ for the details.
David Arno
@David, As I said, if anyone from StackOverflow asks for my credit card, I'll look askance at the request. :-) And, as I said, I do take your point. But is OpenID really that much more inherently insecure than any other website that can be spoofed? Phishing and spoofing long precede OpenID.
Onorio Catenacci
@Onorio, that's fair enough. Just thought you might appreciate reading a fuller description of what I see as a problem with OpenID.
David Arno
-1, your answer is very generic and does not answer your own question! What are the insecurities of accepting an ID from a third-party website, compared to (say) an ID directly typed from the user in your own website login form? How would you operate the proxy for stealing their username and password, without showing your proxy URL in the browser address bar? Then the "numerous other problems" link you provided redirects to the website homepage which is completely irrelevant.
Davide
+5  A: 

Actually I always disliked OpenID for various reasons.

  • I have to trust the OpenID provider who I gave my data. I do trust certain sites to certain degrees, but just because I may trust Stack Overflow, I don't automatically trust any of the well known OpenID providers.

  • If my OpenID password is compromised, all my sites where I'm using OpenID are compromised. Usually I would choose a different password for every site I'm using, but I can't with OpenID.

  • I don't like the Persona concept at all. Even though I'm asked before any data is sent, it just doesn't seem right that one provider has this information and other services can request it. Okay, I don't have to use it if I don't like, but the concept seems flawed to me.

  • As has been mentioned already, data is sent between a site and the OpenID provider and back again. Whenever data is exchanged, it can be compromised. No system is 100% secure; not even SSL (HTTPS). It's a difference if data only travels from me to a site and back to myself or if it also travels from that site to another one and back again.

  • If an OpenID provider is hacked and the hacker gets the login data of all users (after all they are lovely centralized in one place!), just think of the impact!

Just to name a few. I also fail to see the big advantage of OpenID. For the user they say

  1. Faster & easier registration and login
  2. Reduced frustration from forgotten user name/password
  3. Maintain personal data current at preferred sites
  4. Minimize password security risks

Okay, let's analyze that.

(1) How often do you register for a page a day? 200 times? If I register for 2 pages a week, that is already a damn lot. Usually rather for 2-3 a month at most (actually Stack Overflow, or my OpenID provider to use Stack Overflow, was the last page I registered and this was not quite yesterday). So when you register for 2 sites a month, you don't have the 5 minutes it takes to fill out a form? Come on, don't be ridiculous.

(2) How? Because it uses the same password everywhere? "This is no feature, this is a bug", most security experts would say. Or because it allows me to recover my password via mail? Well, actually almost any site I use allows me to do so. Despite that, my Firefox remembers my passwords quite well, stores them encrypted on disk (using a master password) and this encrypted database is backed up regularly to never get lost.

(3) Well, this is probably something positive... however, my name has never changed so far, my e-mail address won't either as it's on one of the domains I use and forwarded to a real address (so the real one can change, I just update the forward and everything works as before). My street address? Well, some people move a lot. I only moved once in my whole life so far. However, most sites don't need to know my street address. Sites where I see no reason for having the people know this information, but that demand me to fill it out for registering, just get a faked one. There are very few sites on the whole Internet that know my real address (actually only those that may ever have to send me a snail mail or where I might order goods).

(4) Actually I see it the other way round. It maximizes the security risk. How would it minimize the risk?

Mecki
If you do use a different password for every site you visit, you're ahead of the game and OpenID has less to offer you. Most users don't, and so for each new site they sign up with, they give away their password to all the other sites. See also http://blog.wachob.com/2007/01/openid_is_a_pla.html
keturn
@keturn, You beat me to it. :-) While users _should_ use different passwords for each site, the reality is that most people don't want to do that. I've started using different passwords for each site now thanks to PasswordMaker.org but that's just recent.
Onorio Catenacci
What if your ID provider was Google, or another big player? Think how important your email login is - and yet you trust your email provider with that.
Sam Murray-Sutton
Counter-arguments to each: 1) It's primarily the ratio of time to register / (time to register + do activity that requires registration). If I want to leave a comment that takes 3 minutes to write, and registration takes 5, then I'm not going to do it. If it's 10 seconds to use OpenID, then I will.
FryGuy
2) It doesn't "use the same password everywhere." The OpenID consumer never sees the password. If I lose my "common" password, then I need to go to each site and reset it. Most of my passwords are in Firefox as well, however, when I go to other computers, I forget them and it's a pain.
FryGuy
3) Your name could change if you were female and got married. Lots of people get new email addresses.
FryGuy
4) This I think is more the average user that uses the same password, or similar passwords on multiple sites. By never giving your password out to sites, there is 0 risk of compromising your password. Alternatively, people use less secure passwords in order to remember them, which decreases security.
FryGuy
+5  A: 

OpenID does add another party to the authentication process which you must treat as a trusted component. It's quite similar in that regard to any application that allows account recovery by e-mail, but whereas your email messages are transmitted in cleartext, you may choose to communicate with OpenID providers only over verified HTTPS connections.

Review the Security Considerations section of the specification.

For a great description of the weak spots in OpenID and a demonstration of how a good OpenID provider can give an experience that's much more secure than the traditional easily-phished password, see this short video by Kim Cameron from his Identity Weblog.

keturn
+5  A: 

I agree with many of the points David makes above, so I'm making some points here just for the sake of argument.

For the knowledgeable user, I would argue that OpenID is a more secure form of authentication than many websites provide. Now let me back up that statement. First what do I mean by a knowledgeable user? I would define that person as somebody who is aware of the weaknesses of OpenID and who takes measures to mitigate them:

  • Maintains multiple personas if they don't wish websites to be able to track them effectively.
  • Registers two or more OpenID providers at websites where 24/7 access is an issue.
  • Always logs in to their OpenID provider directly. They never log in to a page a 3rd party web site has redirected them to.

Many websites do not know how to securely maintain users' passwords. The really nice thing with OpenID is that I get to choose my OpenID provider and thus the level of authentication needed to log in to a relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer - both of which provide much stronger authentication techniques than most websites on the web. I would much rather trust an organization which specializes in security with my password than some random web site on the web. So I would argue that, for the knowledgeable user, OpenID can be more secure than each website implementing their own authentication system.

All that being said, most users are not aware of the risk factors inherent in OpenID and won't take the steps to mitigate the risks.

Emanuel
A: 

OpenID can be made more secure if you choose to ignore all OpenID providers that do not support HTTPS.

jm04469
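
The HTTPS-only rule suggested in the answer above, written out as a relying-party check. This is an added example, not part of the original thread; the function names, the allowlist and the example hosts are hypothetical, and it assumes the site records every URL it fetched while resolving the user's identifier.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of provider hosts this site trusts (constructed values).
TRUSTED_OP_HOSTS = {"op.example.com", "login.example.net"}


def https_problem(url):
    """Return None if url is an acceptable HTTPS URL, else a reason string."""
    try:
        parts = urlsplit(url)
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return "malformed URL"
    if parts.scheme.lower() != "https":
        return "scheme is not https"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL"
    return None


def accept_provider(discovery_chain, op_endpoint, trusted_hosts=TRUSTED_OP_HOSTS):
    """Decide whether to start an OpenID login.

    discovery_chain: every URL fetched while resolving the user's identifier,
    in order (the identifier itself plus each redirect target).
    op_endpoint: the provider endpoint URL that discovery returned.
    Returns (accepted, reason).
    """
    for hop in discovery_chain:
        problem = https_problem(hop)
        if problem:
            # A single cleartext hop means the discovered endpoint is unauthenticated.
            return False, f"discovery hop {hop!r}: {problem}"
    problem = https_problem(op_endpoint)
    if problem:
        return False, f"endpoint {op_endpoint!r}: {problem}"
    host = urlsplit(op_endpoint).hostname
    if host not in trusted_hosts:
        return False, f"endpoint host {host!r} is not on the allowlist"
    return True, "ok"
```

This covers URL policy only; the HTTP client that performs the fetches still has to validate the server certificate for the connection to count as verified HTTPS.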
A: 

I like Verisign's VIP access which sites can make use of, and there is a nice little iPhone application that will let you have your generated token to get in, much like SecurID.