Is OpenID a secure method of authentication users on a website?
And, if not, what are the security risks associated with OpenID?
Is OpenID a secure method of authentication users on a website?
And, if not, what are the security risks associated with OpenID?
OpenID is inherently insecure. It works by your site redirecting the user to their open ID provider site and then accepting an ID back from that site. This provides insecurities in both directions. You have to trust the ID that comes back (as you have no way of authenticating the user yourself) and it is easy to operate a proxy to the user’s open ID provider, that allows you to steal their username and password.
OpenID is fine for something like Stack Overflow, where it doesn’t really matter if someone impersonates you. Using OpenID for sites with more serious – on a personal level – content is extremely risky. If you use OpenID for your email for example, then anyone stealing your Id can access your email. They could then in turn send password reminder requests to other sites that you use in order to get passwords for those sites. In the worst case, you could use OpenID for a bank account, or have a bank that sends password reminders to your email account...
There are numerous other security problems with OpenID. You can find more information in "Privacy on the Internet".
Actually I always disliked OpenID for various reasons.
I have to trust the OpenID provider who I gave my data. I do trust certain sides to certain degrees, but just because I may trust Stack Overflow, I don't automatically trust any of the well known OpenID providers.
If my OpenID password is compromised, all my sites where I'm using OpenID are compromised. Usually I would chose a different password for every site I'm using, but I can't with OpenID.
I don't like the Persona concept at all. Even though I'm asked before any data is sent, it just doesn't seem right that one provider has this information and other services can request it. Okay, I don't have to use it if I don't like, but the concept seems flawed to me.
As has been mentioned already, data is sent between a site and the OpenID provider and back again. Whenever data is exchanged, it can be compromised. No system is 100% secure; not even SSL (HTTPS). It's a difference if data only travels from me to a side and back to myself or if it also travels from that side to another one and back again.
If an OpenID provider is hacked and the hacker gets the login data of all users (after all they are lovely centralized in one place!), just think of the impact!
Just to name a few. I also fail to see the big advantage of OpenID. For the user they say
Okay, let's analyze that.
(1) How often do you register for a page a day? 200 times? If I register for 2 pages a week, that is already a damn lot. Usually rather for 2-3 a months at most (actually Stack Overflow, or my OpenID provider to use Stack Overflow, was the last page I registered and this was not quite yesterday). So when you register for 2 sites a month, you don't have the 5 minutes it takes to fill out a form? Come on, don't be ridiculous.
(2) How? Because it uses the same password everywhere? "This is no future, this is a bug", most security experts would say. Or because it allows me to recover my password via mail? Well, actually almost any side I use allows me to do so. Despite that, my Firefox remembers my passwords quite well, stores them encrypted on disk (using a master password) and this encrypted database is back-uped regularly to never get lost.
(3) Well, this is probably something positive... however, my name has never changed so far, my e-mail address won't either as it's one of the domain I use and forwarded to a real address (so the real one can change, I just update the forward and everything works as before). My street address? Well, some people move a lot. I only moved once in my whole life so far. However, most sides don't need to know my street address. Sites where I see no reason for having the people know this information, but that demand me to fill it out for registering, just get a faked one. There are very little sites on the whole Internet that know my real address (actually only those that may ever have to send me a snail mail or where I might order goods).
(4) Actually I see it the other way round. It maximizes the security risk. How would it minimize the risk?
OpenID does add another party to the authentication process which you must treat as a trusted component. It's quite similar in that regard to any application that allows account recovery by e-mail, but whereas your email messages are transmitted in cleartext, you may choose to communicate with OpenID providers only over verified HTTPS connections.
Review the Security Considerations section of the specification.
For a great description of the weak spots in OpenID and a demonstration of how a good OpenID provider can give an experience that's much more secure than the traditional easily-phished password, see this short video by Kim Cameron from his Identity Weblog.
I agree with many of the points David makes above, so I'm making some points here just for the sake of argument.
For the knowledgeable user, I would argue that OpenID is a more secure form of authentication than many websites provide. Now let me back up that statement. First what do I mean by a knowledgeable user? I would define that person as somebody who is aware of the weaknesses of OpenID and who takes measures to mitigate them:
Many websites do not know how to securely maintain user's passwords. The really nice thing with OpenID is that I get to choose my OpenID provider and thus the level of authentication needed to login to a relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer - both of which provide much stronger authentication techniques than most websites on the web. I would much rather trust an organization which specializes in security with my password than some random web site on the web. So I would argue, that for the knowledeable user, OpenID can be more secure than each website implementing their own authentication system.
All that being said, most users are not aware of the risk factors inherent in OpenID and won't take the steps to mitigate the risks.
OpenID can be made more secure if you choose to ignore all OpenID providers that do not support HTTPS