3 Responses to One Username to Rule Them All

  1. diademed says:

    Single sign-on and universal login sites have actually been around for a while. .NET Passport service, Google Checkout / login, and even your UW NetID are recent incarnations of these services. The trouble with them lies in the fact that, while it would make sense for the internet to use a single interface for authentication (and thus not requiring you to make a new account on a new site every time you wanted to view a technical article), it is virtually impossible to push a standard of any kind on the entire world wide web.

    While systems of this type are rather useful, newer ones, as this OpenID seems to be, with their trademark secured in 2006, simply fragment the single sign-on market even more, requiring end sites to choose between newer startups, and older more established sites.

    I can’t imagine it being the downfall of the internet, or having much more of an impact than established portal login technologies such as .NET and Google Checkout have had. Even as larger companies such as AOL and Yahoo jump on the OpenID bandwagon, the entirety of the internet will never fall under a single login with its current architecture. I think for the average user, OpenID will simply become yet another password to be stored via Firefox’s ‘Remember password’ dialog.

  2. robert says:

    RE: “From a security standpoint, OpenID just adds another layer of complexity for things to go wrong.”

    OpenID certainly adds complexity to a system (your web application would have to authenticate and interface with someone else’s system), but in a lot of ways this complexity might be worthwhile. If you have an SSL cert, implementing a secure login system might not be too big of a deal, but for a lot of small businesses the cost of a cert might not be feasible. (The base cost appears to be $400 per year, which seems a bit steep to ensure that users’ passwords are safe, especially if the passwords aren’t protecting credit numbers or anything “essential.”)

    The alternatives to OpenID require having a database of user information (passwords), and these would have to be stored in some non-human-readable format, which might not occur to non-techie types. (And I remember reading about reddit storing passwords in plain-text a while back.) The most naive case also transmits passwords across the wire (or wireless) in plain-text, which is easily picked up by a packet sniffer. Solutions to the problem of sending passwords across the wire in plaintext exist (you can hash it with javascript before you send it), but they still leave sites vulnerable to replay attacks, and the fact of the matter is that most sites won’t be hurt if someone’s password gets stolen.

    Conclusion: I wouldn’t ever let someone other than my bank store my bank password, etc. (Which may or may not be a bad thing, time will tell), but for sites like Facebook or Google, having an open login system might be ok. (Most people probably use the same passwords anyway). I would be curious what sort of nefarious schemes Google and Facebook would cook up to track browsing display ads if they were both on the same login system…

  3. iddav says:

    I think the emergence of efforts like OpenID is a great step in the right direction. Moving profiles to centralized locations–as opposed to scattered across multiple possibly makeshift databases–should make security easier. Like keeping the cash in the bank instead of scattered among all the city’s buildings, it sets up a single point of defense. If a vulnerability in the system is detected, it only needs to be fixed at that centralized point. Putting it another way, making the weakest link strong is easier when fewer links exist.

    For users, single sign-on eliminates the redundancy of setting up and maintaining the same profile information in each separate website they use. Ultimately, I imagine a system where the *only* required user input is in how much information to reveal. For instance, a simple interface may prompt the user, upon checkout of an item, “Send Amazon.com your address and credit card? Yes, No, Always”. No sign-ups, no logins, no forms. Perhaps through a browser-to-server key-based authentication scheme, even the need for manually entering passwords for authentication can be eliminated in an evolution of Firefox’s password-autofill hack.
