
February 18, 2008

Cautious approach to OpenID

There has been a lot of discussion and acceptance of OpenID recently, almost to the point of hype; however, I am a little skeptical about OpenID and want to point out why. OpenID has been defined as a single sign-on service for your digital identity, and it certainly has some of those capabilities, but I question how secure it is and will probably stay away from it for now. At the same time I am really interested in the identity space and the progress being made by the OpenID folks, so I thought I would outline OpenID, give some good pointers to where to find more information, and at the same time point out some of my security concerns with OpenID.

Here is Wikipedia's Definition of OpenID:

OpenID is a decentralized single sign-on system. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. Instead, they only need to be previously registered on a website with an OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in; OpenID solves the problem without relying on any centralized website to confirm digital identity.

As most folks know, Yahoo has opened its doors to OpenID, but has it really opened its doors, or just allowed its users to take advantage of other OpenID sites? Either way, Yahoo does have a nice introduction and overview of OpenID for new users:

Are you tired of creating a new account on every website you use? Do you avoid new websites because they come with yet another username and password? Do you paste stickies with password hints all over your computer monitor?

OpenID is an open technology standard that solves all of these problems. The OpenID technology will allow you to use your Yahoo! account to sign in to hundreds of websites! And this list is growing every day...

Once you enable your Yahoo! account for OpenID access, you can simply tell any OpenID enabled website that you are a Yahoo! user. You will be sent to Yahoo! to verify your Yahoo! ID and password and then signed in to the website. It's that easy!

Still not convinced? Take our handy-dandy OpenID tour to learn more, or visit the OpenID homepage.

So OpenID is really a URL-based sign-on service that lets folks log in to sites that support OpenID, and there are many sites that do. However, OpenID relies on your URL, on HTTP and on your browser for security, and is therefore open to phishing attacks and man-in-the-middle attacks: the site you are logging in to redirects you to whatever provider your URL points at, and nothing in the protocol itself proves to you that the login page you land on belongs to your real provider. What is needed is another form of authentication, such as a smart card or the use of an SSL certificate, to ensure that your authentication is going to and returning from your OpenID provider and has not been compromised. A good example of this is Trustbearer Labs. They are an OpenID provider and increase security by extending your credentials with USB devices, smart cards and biometric tokens that provide the extra level of assurance that your URL has not been compromised. This is a great option, but it could be too complicated for the majority of folks, who will continue to use OpenID as is.
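To make concrete what the protocol does and does not protect, here is an added example (my own illustration, not code from the post or from any OpenID provider) of the checks a relying party performs on the signed assertion that comes back from the provider after the redirect: the HMAC signature over the signed fields, the return_to address, and the freshness and uniqueness of the response nonce, modelled on OpenID 2.0's Key-Value Form signing. The association handle, secret, endpoint URLs, identities, nonces and fixed clock are all constructed for the demonstration. The point for the post's argument is what is missing from the list: every one of these checks runs on the site's side after the user has already typed a password somewhere, so they catch tampered, replayed or misdirected assertions, but none of them can tell the user that the login page they were sent to was the genuine provider rather than a look-alike. That is the gap a second factor such as a smart card or certificate is meant to close.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed association shared by the relying party (RP) and the OpenID
# provider (OP). OpenID 2.0 establishes this in a separate association
# exchange; the user's browser only ever carries the resulting signature.
ASSOC_HANDLE = "constructed-assoc-handle"
ASSOC_SECRET = b"constructed association secret, not a real key"

# Fields OpenID 2.0 requires to be covered by openid.sig when present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
MAX_NONCE_AGE = 5 * 60  # seconds; assertions older than this are rejected

# Fixed clock for a reproducible run (constructed; a real RP uses time.time()).
NOW = datetime(2008, 2, 18, 10, 0, 10, tzinfo=timezone.utc).timestamp()


def kv_form(fields, signed):
    """Key-Value Form encoding of the signed fields: one 'key:value\\n' per field."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed)


def sign(fields, signed, secret):
    """Base64 HMAC-SHA256 over the KV form, the value the OP places in openid.sig."""
    mac = hmac.new(secret, kv_form(fields, signed).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(claimed_id, return_to, nonce, secret=ASSOC_SECRET):
    """Build the query parameters an OP would send the browser back to the RP with."""
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": "https://op.example/openid",  # constructed endpoint
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "return_to": return_to,
        "response_nonce": nonce,
        "assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed, secret)
    return {"openid." + k: v for k, v in fields.items()}


class RelyingParty:
    """Minimal RP-side checks on a positive assertion (hypothetical helper)."""

    def __init__(self, return_to, secret=ASSOC_SECRET, now=lambda: NOW):
        self.return_to = return_to
        self.secret = secret
        self.now = now
        self.seen_nonces = set()

    def verify(self, params):
        """Return (accepted, detail); detail is the claimed_id or the rejection reason."""
        f = {k[len("openid."):]: v for k, v in params.items()
             if k.startswith("openid.")}
        if f.get("mode") != "id_res":
            return False, "not a positive assertion"
        signed = f.get("signed", "").split(",")
        if not REQUIRED_SIGNED.issubset(signed):
            return False, "required fields not covered by signature"
        if f.get("assoc_handle") != ASSOC_HANDLE:
            return False, "unknown association handle"
        try:
            expected = sign(f, signed, self.secret)
        except KeyError:
            return False, "signed list names a missing field"
        if not hmac.compare_digest(expected, f.get("sig", "")):
            return False, "bad signature"
        # The signature proves the OP produced these values; the RP must still
        # check that they were meant for it and are fresh.
        if f["return_to"] != self.return_to:
            return False, "return_to is not this RP"
        nonce = f["response_nonce"]
        try:  # nonce starts with a UTC timestamp, YYYY-MM-DDThh:mm:ssZ
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False, "malformed nonce"
        if self.now() - issued.replace(tzinfo=timezone.utc).timestamp() > MAX_NONCE_AGE:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, f["claimed_id"]


def demo():
    """Run one genuine assertion and four ways an attacker-modified one is rejected."""
    rp = RelyingParty("https://rp.example/openid/return")
    nonce = "2008-02-18T10:00:00Zconstructed1"
    good = make_assertion("https://me.example/", rp.return_to, nonce)
    results = {"good": rp.verify(good)}
    results["replay"] = rp.verify(good)          # same assertion presented twice
    tampered = dict(good, **{"openid.claimed_id": "https://someone-else.example/"})
    results["tampered"] = rp.verify(tampered)    # signed value edited in transit
    other_rp = make_assertion("https://me.example/", "https://other-rp.example/return",
                              "2008-02-18T10:00:01Zconstructed2")
    results["wrong_rp"] = rp.verify(other_rp)    # valid assertion meant for another site
    stale = make_assertion("https://me.example/", rp.return_to,
                           "2008-02-18T09:00:00Zconstructed3")
    results["stale"] = rp.verify(stale)          # issued an hour before NOW
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9} -> {outcome}")
```

Running the block prints one accepted assertion and four rejections. Note that the "tampered" and "wrong_rp" cases fail on the site's side regardless of what the user saw, whereas a password typed into a convincing copy of the provider's login page produces no assertion at all for the relying party to reject.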

Now, I want to assure you that the security and phishing problems associated with OpenID have been publicized; however, with the growing adoption of OpenID, most of the information published in the last 3 to 6 months has been positive, focusing on adoption and not on the security concerns. Here are three posts that shed a different, darker light on OpenID. The first is from Stefan Brands on the Identity Corner blog, called The Problems with OpenID; Stefan points out the phishing problems and documents posts from others highlighting their concerns. The second is from Scott Kveton, who highlights the need for a third level of authentication like Info Cards and an identity manager, in a post called OpenID and Phishing. The third and most recent is from Marshall Kirkpatrick of ReadWriteWeb, called The Troubles with OpenID 2.0. Marshall questions the motives of the big players and points out that most of them allow their users to access other OpenID sites with their credentials, but do they allow users of other OpenID providers to access their applications with those credentials? A good example of this is:

Can a Yahoo user log into a Google Blogger account with their Yahoo credentials, and vice versa?

Now, after all this negative talk, I want to let you know that I am open to and excited about OpenID, identity management and new forms of authentication. I do think that this is just the beginning for identity and authentication. We are on the road toward hardening and improving our authentication technologies, and OpenID is just the start.
