Are there any security risks associated with using OpenID as an authentication method on my site?

Is OpenID a safe way to authenticate users to a website?

And if not, what are the security risks associated with OpenID?

+21
security openid
Oct 08 '08 at 11:33
9 answers

In fact, I have never liked OpenID, for various reasons.

  1. I have to trust the OpenID provider to whom I have given my data. I trust certain parties to a certain extent, but just because I trust Stack Overflow, I do not automatically trust any of the well-known OpenID providers.

  2. If my OpenID password is compromised, all of the sites on which I use OpenID are compromised. Usually I choose a different password for each site that I use, but I cannot with OpenID.

  3. I generally don't like the Persona concept. Despite the fact that they ask me before sending any data, it just does not seem right that one provider has this information and other services may request it. Well, I should not use it if I do not like it, but the concept seems wrong to me.

  4. As already mentioned, data is sent between the site and the OpenID provider and vice versa. Whenever data is exchanged, it can be compromised. The system is not 100% secure, not even SSL (HTTPS). It makes a difference whether the data only moves between me and the site, or whether it also moves from that site to another one and back.

  5. If the OpenID provider is hacked and the hacker receives login information for all users (after all, it is all nicely centralized in one place!), just think about the impact!

Just to name a few. I also do not see the big benefits of OpenID. For the user, they claim:

  1. Faster and easier registration and login
  2. Reduced frustration with forgotten username / password
  3. Maintaining personal data on preferred sites
  4. Minimized password security risks

Well, let's analyze that.

(1) How often do you register on a site per day? 200 times? If I register on 2 sites a week, that's a hell of a lot. Usually it's more like 2-3 a month at most (in fact, Stack Overflow, or rather my OpenID provider in order to use Stack Overflow, was the last site I registered on, and that was not exactly yesterday). So, when you register on 2 sites per month, you do not have 5 minutes to fill out the form? Come on, don't be silly.

(2) How? Because it uses the same password everywhere? "This is not the future, this is a mistake," as many security experts have said. Or because it allows me to recover my password by mail? Well, in fact, almost any site I use allows me to do this. Apart from that, my Firefox remembers my passwords very well, stores them in encrypted form on the disk (using a master password), and this encrypted database is regularly backed up so it never gets lost.

(3) Well, this is probably something positive ... however, my name has not changed, and my email address will not change either, as it is on one of the domains that I use and forwards to the real address (so the real one can change; I just update the forward, and everything works as before). My address? Well, some people move a lot. So far, I have only moved once in my entire life. However, most parties do not need to know my address. Sites where I see no reason for them to know this information, but which require me to fill it in for registration, just get a fake one. Across the whole Internet there are very few sites that know my real address (in fact, only those that have ever had to send me physical mail or from which I order goods).

(4) Actually, I see it the other way around. It maximizes the security risk. How does this minimize risk?

+7
Oct 08 '08 at 13:24

I agree with many of the points that David makes above, so I am making a few points here just for the sake of argument.

For a knowledgeable user, I would say that OpenID is a more secure form of authentication than many websites provide. Now let me clarify that statement. First of all, what do I mean by a knowledgeable user? I would define this person as someone who knows about OpenID's weaknesses and who takes steps to mitigate them:

  • Maintains multiple personas if they do not want websites to be able to track them effectively.
  • Registers two or more OpenID providers on sites where 24/7 availability is a concern.
  • Always connects directly to the OpenID provider. They never log in on a page that a third-party website redirected them to.

Many websites do not know how to store user passwords safely. A very good thing about OpenID is that I choose my OpenID provider and, therefore, the level of authentication required to log in to the relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer, both of which provide much stronger authentication methods than most websites on the Internet. I would rather trust an organization that specializes in security with my password than some random website on the Internet. Therefore, I would say that for a knowledgeable user, OpenID can be more secure than a website that implements its own authentication system.

All that said, most users are not aware of the risk factors inherent in OpenID and do not take steps to reduce those risks.

+10
Oct. 16 '08 at 17:01

OpenID is inherently insecure. It works by having your site redirect the user to the OpenID provider's site and then take the identifier back from that site. This introduces insecurity in both directions. You must trust the identifier that is returned (since you cannot authenticate the user yourself), and it is easy to set up a proxy for the user's OpenID provider, which allows you to steal their username and password.

OpenID is great for something like Stack Overflow, where it doesn't matter if someone impersonates you. Using OpenID for sites with more serious content, on a personal level, is extremely risky. For example, if you use OpenID for your email, then anyone who steals your identifier can access your email. They could then in turn send password reminder requests to other sites that you use to get passwords for those sites. In the worst case, you could be using OpenID for a bank account, or have a bank that sends email reminders to your email account ...

OpenID has many other security issues. You can find more information in "Online Privacy".

+6
Oct 08 '08 at 11:35
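The answer above says the relying party "must trust the identifier that is returned". What a relying party can actually do before trusting it is verify the assertion: check that the fields it relies on are covered by the provider's signature, that the HMAC over those fields matches the association secret, that the response was addressed to this site and came from the endpoint it discovered, and that the response nonce is fresh and unused. The following is an added example, not code from the question, any answer, or an OpenID library; the MAC key, endpoint and return_to URLs, and the sample assertion are constructed placeholders (a real relying party obtains the secret through an association with the provider). Note that none of these checks help against the other half of the answer's point: a user who types their password into a proxy posing as the provider has already lost it before any assertion is produced.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Everything below is constructed for this example: the MAC key stands in for
# the secret a real relying party establishes with the provider through an
# association, and the endpoint / return_to URLs are placeholders.
MAC_KEY = b"example-association-mac-key-not-a-real-secret"
EXPECTED_OP_ENDPOINT = "https://op.example.net/server"
EXPECTED_RETURN_TO = "https://rp.example.com/openid/return"
NONCE_MAX_AGE_SECONDS = 300
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
_seen_nonces = set()  # process-local here; a real RP stores used nonces durably


def signed_kv_form(params):
    """Key:value form of the fields listed in openid.signed, in that order
    (OpenID 2.0 section 6.1); this is the string the provider signs."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in fields)


def compute_sig(params, mac_key=MAC_KEY):
    """Base64 HMAC-SHA1 over the key:value form (HMAC-SHA1 association type)."""
    digest = hmac.new(mac_key, signed_kv_form(params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def nonce_timestamp(nonce):
    """OpenID nonces begin with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ'
    followed by unique characters; return the timestamp as epoch seconds."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def verify_assertion(params, now=None, mac_key=MAC_KEY):
    """Decide whether a positive assertion may be trusted. Returns (ok, reason).

    Order matters: the signature must cover the fields we rely on and match
    before return_to, the provider endpoint and the nonce are examined."""
    now = time.time() if now is None else now
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False, "required fields not covered by the signature"
    if not hmac.compare_digest(compute_sig(params, mac_key),
                               params.get("openid.sig", "")):
        return False, "signature mismatch"
    if params["openid.return_to"] != EXPECTED_RETURN_TO:
        return False, "return_to does not match this relying party"
    if params["openid.op_endpoint"] != EXPECTED_OP_ENDPOINT:
        return False, "assertion is not from the discovered provider endpoint"
    nonce = params["openid.response_nonce"]
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > NONCE_MAX_AGE_SECONDS:
        return False, "nonce outside the accepted time window"
    if nonce in _seen_nonces:
        return False, "nonce already used (replay)"
    _seen_nonces.add(nonce)
    return True, "accepted identity " + params["openid.identity"]


def make_assertion(identity, nonce, mac_key=MAC_KEY):
    """Build a constructed positive assertion the way a cooperating provider
    would, so the verifier above can be exercised offline."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": EXPECTED_OP_ENDPOINT,
        "openid.return_to": EXPECTED_RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "example-handle",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.signed": "op_endpoint,return_to,response_nonce,"
                         "assoc_handle,claimed_id,identity",
    }
    params["openid.sig"] = compute_sig(params, mac_key)
    return params


if __name__ == "__main__":
    nonce = "2009-04-24T11:52:00Zexample1"
    good = make_assertion("https://alice.example.org/", nonce)
    print(verify_assertion(good, now=nonce_timestamp(nonce) + 5))
    # The same response presented a second time is rejected as a replay.
    print(verify_assertion(good, now=nonce_timestamp(nonce) + 6))
```

The `now` parameter exists so the freshness window can be tested with a fixed clock; in production it is simply left unset. Checking `return_to` and `op_endpoint` against what the relying party itself chose and discovered is what stops an assertion minted for a different site, or by a different provider, from being accepted here.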

OpenID adds another party to the authentication process, which you must consider a trusted component. This is very similar to any application that lets you recover data by email, but whereas your emails are transmitted in clear text, you can communicate with OpenID providers only over trusted HTTPS connections.

Review the Security Considerations section of the specification.

For an excellent description of the weaknesses in OpenID and a demonstration of how a good OpenID provider can offer a much more secure experience than a traditional, easily phished password, see this short video by Kim Cameron from Identity Weblog.

+4
Oct 08 '08 at

OpenID can be made more secure if you decide to ignore all OpenID providers that do not support HTTPS.

+2
Apr 24 '09 at 11:52

I think the main weakness of most OpenId providers is that they offer password recovery via email. This reduces the security of OpenId to the level of security of my email provider. If someone gets access to my email account, he can effectively steal my identity (with or without OpenId).

Using OpenId for authentication makes it easy to steal my identity. Just access my email account and reset my OpenId password. Nothing more is needed (instead of 100 reset requests, one for each of my Internet accounts).

Even worse, if an attacker changes my email account password, it will be very difficult for me to prove that I am the original owner of this OpenId account. An attacker can change the associated email account to his own, so I can't reset the password even if I get my email account back later.

It is enough to access the password recovery email that my OpenId provider sends to steal my identity.

OpenId providers offer to disable email password recovery and provide a more secure way to recover a lost password, something based on a postal address, passport or bank account (things that I trust more than an email account).

As long as an OpenId account can be taken over simply by accessing one email account, it is nothing more than a single point of failure.

See also: http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security , and look for the link "Weakest channel: email password reset".

+2
Nov 09 2018-11-11T00:

While this thread is old, I wanted to add my 2 cents. I think OpenId has one flaw that no one seems to care about. When I authenticate with Yahoo, it actually logs me in to Yahoo. It should not log you in to Yahoo; it should simply confirm that you have the correct credentials with Yahoo. When you log out of my application, you are still logged in to Yahoo. If you leave a shared computer and someone else goes to Yahoo, you will be logged in. Because when you authenticate using Yahoo, they also log you in to their service. They should just authenticate you, not log you in. I talked about this with several people and even demonstrated it with stackoverflow.com (which has a terrible logout mechanism; when I click logout, I expect it to log out, rather than having to click another logout button). Try this: log out of Yahoo or Gmail. Close all your tabs, and then log in to stackoverflow with Yahoo / Gmail. Then log out (make sure you click logout twice). Now go to Yahoo or Gmail; you're logged in. Now I get the response "If you are on a shared computer, you must log out of Yahoo / Gmail, etc." ... Not everyone is a developer with an MIS or computer science degree; my mother-in-law thinks that when she leaves Stackoverflow she will not still be logged in to Yahoo. Perhaps I missed some kind of parameter or something that would really force what I want, but it is certainly not in the documentation telling you how great OpenId is!!!

+1
Jun 29 '13 at 17:40

Ugh. MyOpenID reports unconfirmed email addresses; I just tested this. It seems that email should be trusted only from some whitelisted providers, such as Google / Yahoo and several others. I will link the code here if anyone is interested.

0
Apr 22 '12 at 13:33
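Two of the answers above describe policy a relying party can enforce on its own side: accept only providers reachable over HTTPS, and treat an email address asserted by a provider as verified only when the provider is on a whitelist of those known to confirm addresses. This is an added example, not code from any answer or from MyOpenID; the whitelisted hostnames, endpoint URLs and sample assertions are constructed placeholders, and the dicts stand in for an already signature-checked OpenID response (signature verification itself is a separate step and is not shown here).

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: hostnames of OpenID providers whose "email"
# attribute this relying party is willing to treat as confirmed. The
# values are placeholders for the example, not a recommended list.
TRUSTED_EMAIL_PROVIDERS = frozenset({"www.google.com", "me.yahoo.com"})


def provider_endpoint_allowed(op_endpoint: str) -> bool:
    """Accept a provider endpoint only when it is an HTTPS URL with a host.

    Rejecting plain-HTTP providers keeps both the redirect to the provider
    and the returned assertion inside TLS instead of cleartext."""
    parsed = urlparse(op_endpoint)
    return parsed.scheme == "https" and parsed.hostname is not None


def email_claim_trusted(op_endpoint: str, email: Optional[str]) -> Optional[str]:
    """Return the asserted email only if it came from an allowlisted provider.

    Any other provider may hand over an address it never confirmed, so the
    relying party must not use it as a verified contact or recovery channel."""
    if not email:
        return None
    host = urlparse(op_endpoint).hostname
    return email if host in TRUSTED_EMAIL_PROVIDERS else None


def evaluate_assertion(assertion: dict) -> dict:
    """Apply both policies to a constructed, already signature-checked
    assertion given as a dict with op_endpoint, claimed_id and optional email."""
    op_endpoint = assertion.get("op_endpoint", "")
    asserted_email = assertion.get("email")
    accepted = provider_endpoint_allowed(op_endpoint)
    verified_email = email_claim_trusted(op_endpoint, asserted_email) if accepted else None
    notes = []
    if not accepted:
        notes.append("provider endpoint is not HTTPS; login refused")
    elif asserted_email and verified_email is None:
        notes.append("email attribute from non-whitelisted provider ignored")
    return {
        "accepted": accepted,
        "claimed_id": assertion.get("claimed_id"),
        "verified_email": verified_email,
        "notes": notes,
    }


# Constructed sample assertions (not real provider responses).
SAMPLE_ASSERTIONS = [
    {"op_endpoint": "https://www.google.com/example-op-endpoint",
     "claimed_id": "https://www.google.com/example-id?id=alice",
     "email": "alice@example.com"},
    {"op_endpoint": "http://openid.example.org/server",
     "claimed_id": "http://alice.example.org/",
     "email": "alice@example.com"},
    {"op_endpoint": "https://openid.example.net/server",
     "claimed_id": "https://alice.example.net/",
     "email": "alice@example.com"},
]

if __name__ == "__main__":
    for assertion in SAMPLE_ASSERTIONS:
        print(evaluate_assertion(assertion))
```

The third sample shows the distinction that matters: the login is accepted because the provider speaks HTTPS, but the email it asserted is dropped rather than stored, so the site never ends up sending password-reset mail to an address that was never confirmed.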

I like Verisign VIP Access, which sites can use, and there is a nice little iPhone app that lets you generate your own token, like SecurID.

-1
Sep 11 '09 at 2:00