“Holy crap! A single unique ID that will give me access to any website would be freaking sweet!” That was my initial response when I first heard about OpenID and what the project envisioned. It reminded me of the computer systems in sci-fi movies where the heroes didn’t have to memorize dozens of passwords to save the day. Then again, these advanced computer systems always seemed to be the downfall of the mighty civilization. Is this the kind of future that we really want?
OpenID is similar to a single sign-on system but with much larger goals. Instead of sharing one login across a small group of applications owned by one organization, OpenID lets a user log in to any website that supports the protocol. This works by outsourcing authentication to a third-party OpenID provider chosen by the user; the website being logged into (the relying party) never sees the user's password and is still responsible for everything else, such as authorization. Having a single unique ID that grants access to any website on the internet is a truly tantalizing idea. After hearing that MySpace and possibly Digg would support OpenID I decided to try it myself.
Real World Tests
I decided to perform a real world test and jump completely on the bandwagon. I even went so far as to install the OpenID WordPress plugin on this website for the week. I created a Clickpass account to get started and was surprised by how easy the entire process was. It only took 10 minutes to create my identity and set up my website to delegate to Clickpass, so that I could use my own domain as my identifier instead of the Clickpass URI that was provided. I authorized my blog and my existing account with Slicehost, and everything worked as advertised.
I continued by creating an account at The Pragmatic Programmers and buying “Agile Web Development With Rails.” Registration was odd, requiring me to create an account normally and then link my OpenID afterwards, but once it was linked and authorized everything worked as expected: a single ID giving me access to three websites and any others that supported the protocol.
Security
How secure your identity is depends heavily on your OpenID provider, because the provider is the party that actually authenticates you. Some providers implement the protocol in a way that is more resistant to attack. For example, myOpenID offers two-factor authentication via an automated phone call, which makes it much harder, though not impossible, for an attacker to get in at the authentication step. OpenID is also subject to the same weaknesses of the current internet infrastructure that affect all web traffic. Moving authentication to a third party means the relying party redirects you away from its site to authenticate. That redirect is a perfect opportunity for phishing: a malicious or compromised site can send you to a look-alike of your provider's login page instead, and OpenID trains users to expect exactly that kind of bounce to a login form. From a security standpoint this only scratches the surface, so please take a look at the Links of Interest for further reading.
Will financial institutions adopt this new technology? They are obligated to keep your account information secure, but the security of your ID rests in the hands of your OpenID provider. This does not seem like a risk financial institutions would let their users take without requiring a release of liability. If sites began to accept only their own approved providers it would throw the whole system into chaos. Obviously that is an unacceptable solution, but how else do you guarantee the security of customer data?
Reliability
What happens if your OpenID provider suffers a power outage, a hardware or network failure, or a DoS attack? You can't log in to any website that depends on that provider. Unless the site you're trying to log in to lets you fall back to a normal username/password login, you are plumb out of luck until service is restored.
Do you trust your provider to take the necessary measures to preserve the integrity of your information through thick and thin? If disaster strikes, can you get in contact with your provider for a fast resolution? These questions are hard to answer because there are no precedents. Despite the protocol being open, there is nothing to stop a provider from turning sour.
Decision Time
The idea of what OpenID brings to the table is truly enticing; however, it introduces too many points of failure. Normally, if a website goes down I can carry on my other business on different sites. If my OpenID provider goes down, on the other hand, I can't do anything on sites that require authentication until service is restored. The benefit of having a single login becomes the downfall of the system.
The increased security risks, compounded with the additional failure points, tip the scale for me. In my opinion OpenID is not acceptable for anything more than simple identity confirmation when posting comments on blogs. It is not a satisfactory solution for critical authentication purposes. Although I think this kind of future is what we all look forward to, I do not think it is ready yet. The major underlying problems with the current browser-centric internet infrastructure need to be resolved first.
Links of Interest
http://en.wikipedia.org/wiki/OpenID
http://www.gnucitizen.org/blog/openid-a-security-story/
http://idcorner.org/2007/08/22/the-problems-with-openid/
That’s a pretty good and concise analysis of the problems we’re facing with OpenID. Certainly the standard security recommendations apply to OpenID as you would expect with any secure web application: use of SSL, making sure OpenID Providers are not vulnerable to CSRF and XSS attacks, etc.
With regard to redundancy, remember that you can delegate your domain to multiple providers in priority order, so that if one goes down, you have others. If your personal domain goes down, that’s another story, but is the basis for the argument of allowing users to link multiple OpenIDs at the relying party level.
With respect to security and phishing, I’d encourage you to look at the work we’re doing at Vidoop, both with our secure OpenID provider as well as our more experimental in this space.
I agree that OpenID has a long way to go before we see it used in more high-risk use cases like banks, but as you’ve pointed out, it’s perfectly fine for a lot of things right now. With that in mind, why not leave the wp-openid plugin installed for blog comments? If you have any problems with the plugin, please do let me know.
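The delegation set up in the Real World Tests section and the multiple-provider fallback the comment above describes, as an added example (not code from this post, the wp-openid plugin or Vidoop): a small Python relying-party discovery step that parses a constructed Yadis/XRDS document for a personal identifier, orders the OpenID 2.0 signon services by their priority attribute, and falls back to the next provider when the preferred one is unreachable. The provider hostnames, the identifiers and the `is_reachable` callback are assumptions; the `require_https` check is a relying-party policy rather than anything the spec mandates.

```python
"""Yadis/XRDS discovery with provider fallback.

Added example, not code from the original post, the wp-openid plugin or
Vidoop. It parses a constructed XRDS document for a personal OpenID URL
that delegates to two hypothetical providers in priority order, then
picks the first provider whose endpoint is reachable."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional

# Namespace and service type from OpenID Authentication 2.0 (section 7.3).
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample: the Yadis document https://alice.example/ would serve.
# Provider hostnames and identifiers are hypothetical. Lower priority
# values are tried first, so op-primary is preferred over op-backup.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-primary.example/openid</URI>
      <LocalID>https://alice.op-primary.example/</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-backup.example/server</URI>
      <LocalID>https://op-backup.example/alice</LocalID>
    </Service>
    <Service>
      <Type>http://example.org/unrelated-service</Type>
      <URI>https://alice.example/unrelated</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


@dataclass(frozen=True)
class Provider:
    endpoint: str  # OP Endpoint URL the relying party redirects the user to
    local_id: str  # OP-Local Identifier: the "delegate" identity at that provider
    priority: int  # lower number = tried first


def parse_signon_services(xrds_text: str) -> List[Provider]:
    """Return the OpenID 2.0 signon services in priority order.

    Services without a priority attribute sort last. Equal priorities keep
    document order here; the spec says to choose among them at random."""
    root = ET.fromstring(xrds_text.encode("utf-8"))
    providers = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if OPENID2_SIGNON not in types:
            continue  # not an OpenID signon service
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if uri is None or not uri.text:
            continue  # a signon service with no endpoint is unusable
        local = svc.find(f"{{{XRD_NS}}}LocalID")
        local_id = local.text.strip() if local is not None and local.text else ""
        prio_attr = svc.get("priority")
        priority = int(prio_attr) if prio_attr is not None else sys.maxsize
        providers.append(Provider(uri.text.strip(), local_id, priority))
    return sorted(providers, key=lambda p: p.priority)  # sorted() is stable


def choose_provider(providers: List[Provider], is_reachable: Callable[[str], bool],
                    require_https: bool = True) -> Optional[Provider]:
    """Pick the first usable provider in priority order, or None if all are down.

    require_https is a relying-party policy, not a protocol requirement: an
    http:// endpoint lets a network attacker redirect the login anywhere."""
    for p in providers:
        if require_https and not p.endpoint.startswith("https://"):
            continue
        if is_reachable(p.endpoint):
            return p
    return None


if __name__ == "__main__":
    ranked = parse_signon_services(SAMPLE_XRDS)
    # Simulate the primary provider being down: only the backup answers.
    down = {"https://op-primary.example/openid"}
    chosen = choose_provider(ranked, lambda url: url not in down)
    print("ranked:", [p.endpoint for p in ranked])
    print("chosen:", chosen.endpoint if chosen else None)
```

HTML-based delegation (the `openid2.provider` / `openid2.local_id` link tags) can only name one provider; the priority ordering the commenter refers to needs an XRDS document like the one embedded above. Reachability here is judged from the relying party, so this covers a provider outage but not the case where the user's own domain is down.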