9

Is OpenID secure? For example, can you use it to log into bank accounts?

Daniel
  • 1
    Yes, 2.0 is very secure. Go read http://en.wikipedia.org/wiki/OpenID "OpenID does not provide its own form of authentication, but if an identity provider uses strong authentication, OpenID can be used for secure transactions such as banking and e-commerce." – Evan Carroll Feb 09 '10 at 17:15
  • 1
    Yeah, I think the real question is... Is your OpenID provider secure? – Andor Jun 23 '10 at 02:01

5 Answers

8

OpenID is as secure as the OpenID provider (i.e. "If someone breaks into your Myspace account they've got access to your OpenID & everything that uses it").

Personally I wouldn't trust it with anything valuable. Most of the OpenID providers have a pretty lousy security track record.

voretaq7
  • 1
    I think you're overlooking the advantages of OpenID and writing them off as mere convenience. – Evan Carroll Feb 09 '10 at 17:04
  • 3
    @Evan: OpenID has lots of advantages - in fact I use OpenID for the SO trilogy sites. None of the advantages negate my security concerns however, and I certainly wouldn't trust my OpenID provider's security with my bank account information :-) – voretaq7 Feb 09 '10 at 17:15
  • 2
    Sure they do, how about reducing your statement `OpenID is as secure as the OpenID provider`, to `X is as secure as the X provider`: in which case you're not stating anything at all. While your statement is true, it is inane: I think anyone with knowledge enough to set up and maintain OpenID is probably at least as qualified as a bank on the merit that one is selling a technical solution, while the other is selling a financial one. Yes, I trust Google/Yahoo/Verisign much more than I trust Washington Mutual – Evan Carroll Feb 09 '10 at 19:32
  • 3
    @Evan - Any service is *by definition* only as secure as the provider. My opinion is that OpenID, while a valuable protocol, does not offer sufficient structural guarantees as to the security of its providers for **me** to trust it for critical authentication. You're free to disagree with my assessment, but I stand behind what I've said. – voretaq7 Feb 09 '10 at 19:42
  • 3
    @Evan, you seem to be rather passionate about this subject, even to the point of being obsessed. Perhaps you need to take a step back and have another look. The fact that YOU trust OpenID doesn't make it secure. We are not the first to distrust it and certainly won't be the last. As for the convenience factor, that's not the topic of the question. – John Gardeniers Feb 09 '10 at 20:13
  • Sure enough, I'll leave it at this then: @voretaq7: I don't believe any of your arguments are specific to OpenID, and I don't see any of your arguments suggesting a fundamentally more secure approach. @john: I agree trust is subjective, feel free to argue technical merits. I'd like to hear someone defend the other position: ad-hoc unstandardized protocols for verification against an anonymous auth. – Evan Carroll Feb 09 '10 at 20:35
5

While I agree with voretaq7 that OpenID is only as secure as the OpenID provider, I would have to say that when selecting an OpenID provider to use, care must be taken to ensure that you are using a reputable provider. This same idea applies to everything having to do with security. Google, AOL, and I think even Verisign now offer OpenIDs and these companies / providers do have a good track record.

One of the major advantages of OpenID over home-grown security or some other third-party package is that it puts the authentication aspect of security in the hands of companies with more experience and more resources to handle it than most smaller entities have. They tend to have a better ability to protect their servers and data. As an employee of a small shop, I would certainly trust Google more than myself to correctly configure the servers, firewalls, etc. necessary to protect this data.

However, OpenID is just as vulnerable to the most dangerous aspect of all -- the users who pick weak credentials.

DCNYAM
  • 1
    Google, Verisign, etc. are probably providing "reasonably secure" OpenIDs, but *anyone* can be an OpenID provider, and the whole concept of OpenID (as I understand it) is to accept a valid OpenID from any provider so people don't have to set up a bunch of different accounts. Someone selecting an insecure OpenID provider (or one with insecure password recovery) could be *almost* as dangerous as users who use `abc123` as their passwords... – voretaq7 Feb 09 '10 at 17:25
  • 2
    It would appear that the only dangerous person around is the user. They are the ones who select what the password is, if they use OpenID and whom it should be. Should it be our responsibility to protect them from themselves? – Chris Feb 09 '10 at 17:36
  • 2
    If you're running a service that accepts OpenIDs for authentication you could easily black-list untrustworthy providers, or white-list known good providers. That way you can avoid providers that allow users to set an insecure password. – GAThrawn Feb 09 '10 at 17:41
  • 1
    @Chris: As long as we have to stand in front of the blame storm when an account is compromised, yes - at least partially. (That's why some sites have password policies like ">= 8 characters, alphanumeric + at least 1 special character"). – voretaq7 Feb 09 '10 at 17:49
  • @voretaq7: anyone can be a Bank too. – Evan Carroll Feb 09 '10 at 19:35
  • @Evan: anyone can be a bank, but banks often have some level of responsibility for their clients' money even in the face of mistakes made by the client. In that case the banks would need to be very careful about letting customers choose any random OpenID provider, whose password policies they cannot change and cannot provide support for. – Mr. Shiny and New 安宇 Feb 10 '10 at 14:26
5

OpenID is a way to delegate authentication to a third party. For a high trust application like banking, who you delegate authentication to is a major, major security decision. The OpenID protocol as it stands is sufficient for any standard that permits either single-factor authentication (the OpenID auth-token) or delegated authentication to a system that has sufficient authentication safeguards.

The next question: Are any current OpenID providers secure enough for online banking?

That's a different question, and is probably negative right now. However, there is nothing (technical) stopping, say, a consortium of American banks pooling resources to create a single banking OpenID provider that follows a stated standard and is audited. That OpenID provider can use whatever authentication methods it needs, be it SiteKey, SecurID, Smart Card swipe, or whatever else is demanded. I consider this possibility unlikely for the major commercial banks, but the Credit Union community might just try it.

sysadmin1138
2

OpenID is as secure as the weakest of (1) the site you are attempting to log in to; (2) your OpenID provider; or (3) the DNS system.

Recommendation:

  • Use your bank's recommended security/login system, and understand the terms & conditions of service so that you know your rights if your account is compromised.
  • Do not encourage your bank to adopt OpenID, as this will reduce the security of their service.

Weaknesses:

An immediate consequence of this fact is that OpenID can at best be as secure as the site you are trying to log in to; it can never be more secure.

In the OpenID protocol, redirection to your provider is under the control of the site you are logging in to, which leads to trivial phishing and man-in-the-middle attacks. Such attacks will allow a hostile site to steal your OpenID credentials without you knowing, which they can then use later to log into any other OpenID-enabled site as you.

DNS attacks are more complicated, but will allow an attacker to convince your bank that he is your OpenID provider. The attacker logs in using your OpenID, and has his fake provider give authorisation to the bank. In this case the attacker doesn't need to phish you or learn your password or install anything on your computer - all he needs is your OpenID.

Similarly an attack on your OpenID provider will allow the attacker to log in as you on any OpenID-enabled site, without knowing your password.

More info on OpenID weaknesses and attacks at http://www.untrusted.ca/cache/openid.html .

Twylite
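The provider allow-listing suggested in the comments further up, combined with an HTTPS requirement aimed at the DNS substitution described in the answer above, sketched for a relying party. This is an added example, not code from any poster in this thread; the host names and function names are hypothetical, while `openid.op_endpoint` is the OpenID 2.0 response field.

```python
from urllib.parse import urlsplit

# Hypothetical relying-party policy; host names are constructed for this example.
ALLOWED_OP_HOSTS = {"openid.example-bank.test", "login.example-idp.test"}


class ProviderRejected(Exception):
    """A discovered OpenID provider endpoint failed the site's policy."""


def check_op_endpoint(op_endpoint, allowed_hosts=ALLOWED_OP_HOSTS):
    """Validate a discovered provider endpoint before redirecting a user to it.

    Returns the normalized host name, or raises ProviderRejected.
    """
    try:
        parts = urlsplit(op_endpoint.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise ProviderRejected(f"malformed endpoint URL: {exc}") from exc
    # Without TLS, a DNS or network attacker can stand in for the provider.
    if parts.scheme != "https":
        raise ProviderRejected("endpoint must use https")
    # "https://trusted-name@other-host/" shows a trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        raise ProviderRejected("userinfo not allowed in endpoint URL")
    if port not in (None, 443):
        raise ProviderRejected("unexpected port")
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: suffix or substring tests would accept look-alike hosts.
    if host not in allowed_hosts:
        raise ProviderRejected(f"provider {host!r} is not on the allow-list")
    return host


def check_assertion(params, discovered_endpoint):
    """Accept a positive assertion only if it names the endpoint we discovered
    and that endpoint passes policy. `params` is the parsed response query.
    Signature verification is a separate step and is not shown here."""
    host = check_op_endpoint(discovered_endpoint)
    if params.get("openid.op_endpoint") != discovered_endpoint:
        raise ProviderRejected("assertion names a different provider endpoint")
    return host
```

The allow-list only helps if the TLS client used for discovery and verification also validates the provider's certificate.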
1

OpenID is a protocol. The protocol is very secure; however, the backend-auth method doesn't have to be. You can run an OpenID portal that will validate a user from a DOS box over telnet in Bangladesh.

Is it secure enough for banking? Yes. In fact I wish all banking providers would permit it. Furthermore, if you want to trust banking providers more than other technology providers -- wouldn't it be nice if they would provide it?

Evan Carroll
  • 1
    Just because a bank is entrusted with your money, does that make them qualified to handle digital identities? – Chris Feb 09 '10 at 21:32
  • 1
    @chris: No, it doesn't, but that seems to be the trend for this thread. I'd rather banks stick to handling money and use Google for handling my authentication. The point being, it doesn't matter who you trust, someone other than the bank, or the bank: if every bank was an OpenID provider and consumer you could use their authentication on Google, or Google's on the bank -- OpenID is just the protocol to permit them to communicate. – Evan Carroll Feb 10 '10 at 17:05