Using OpenID for authenticating users grows in popularity and, in fact, makes a webapp easier to use.
But what are the security considerations one should bear in mind when deciding whether to implement an OpenID or not?
Is it suitable for any kind of webapp? Or are there categories of web applications which should not use such a way of handling authentication of users?
Is it ok to use OpenID for e-commerce applications?
I think it makes sense to offer signup via OpenId, but not require it, even for ecommerce websites.
The reason for this, is that tech-savvy users (still the core userbase for openid) can decide whether to take that risk, or not.
The sites that I would not recommend using OpenId, are either highly sensitive sites, e.g. bank sites, or private/corporate systems where you want control of the users' identities, too (ala Enterprise-Centric Identity, as opposed to User-Centric Identity).
There is a clear advantage to using OpenId, since you dont have to manage users' identities, including passwords, resetting, security, etc, and accepting the risk that involves.
Each OpenID provider has a trade-off of security features and drawbacks. For example:
Features
Google, Facebook, MyOpenID, and Verisign all offer varying degrees of two factor support. (Verisign being the most secure IMHO)
They all support Javascript free operation (for security paranoid users)
Privacy and enhanced anonymity with MyOpenID and LiveID (not many others though)
Password change policy
Signin Seal (Yahoo, ADFSv2 )
Flaws
Many sites don't offer the same HTTP header security as documented here. This means some sites are more vulnerable to MITM, FireSheep, token replays or Clickjacking than other sites.
There is really no consistency at all among the various sites.
And this is just the beginning. I have a more detailed post with many valuable hyperlinks here. There, I'm comparing all the security features of the major OpenID providers and requesting from the community any other features or IDP's we should consider.
If you discover an IDP with security features not listed, I'll encourage anyone to post there.
Is it suitable for any kind of webapp?
I would say that Verisign would be a trusted name for higher security scenarios, assuming the end user opted in for all the bells and whistles. I'm not a fan of the configuration of their HTTP headers (repeat link). Just make sure your relying party (website) protects itself from replayed cookies from the RP and from previous sessions.
If you're using Windows / IIS as a relying party, I can send more info your way to protect against the scenarios I mention in the previous paragraph.
Additional Research
Microsoft has a detailed whitepaper of OpenID security issues here. I emailed the authors and they released an analyzer at http://sso-analysis.org/ the analysis tool is available here: http://sso-analysis.org/aaas/brm-analyzer.html
I don't think it is good idea to use openid for e-commerce website, but it is okay to use for social networking websites and information websites.
Reasons are:
I wouldn't use OpenID for anything for the simple reason that I just don't know the inner workings of it well enough. In general though I would say this;
By outsourcing your access management to it you are setting yourself up for a fall should something happen with one of the main providers.
Lets say for example that google decides to start being evil and sells your user's passwords on to a third party, that third party gain access to your site and does stuff on the users behalf.
The user will not be pissed at Google, they will be pissed at you.
And whilst in this extreme situation you have laws behind you I don't know if you would have a case if your user information was leaked in other forms.
