More sign-ups for OpenID
January 20, 2008
Hot off the back of Yahoo! implementing OpenID, Google goes and does the same. OpenID is an identity/authentication system, much the same as Windows Live ID is.
As many commenters have said, this is a good thing for the project, and for security in general. Although it's generally considered "bad" to have a single account/sign-in for multiple systems (a breach of one means all the others could be compromised), it's sometimes better to consolidate functionality in one place where one knows it operates correctly. The more code we can shift to libraries/services that have already been fully reviewed and QA'ed, the better. Take cryptography for example – no-one in their right mind writes a new crypto library/function. You use the ones that already exist because it's less effort, and less prone to mistakes (through peer review and QA). Leave developing "new" ones to the experts.
Any federated identity/authentication system is prone to issues, not only because of the complexity of the system, but also because it is a very likely place to attack based on the . OpenID appears to be pretty good (I've not had a serious look at it as yet), but there are still some major issues [PDF link] with the system. The main technical one is to do with phishing and man-in-the-middle attacks (the rogue/malicious identity provider: the relying party redirects the user to whichever provider it names, so a malicious site can send the user to a look-alike provider that simply harvests the password), whereas others revolve around privacy and usage issues.
I'm really not too sure how I feel about OpenID. In some ways I like that there's an alternative to LiveID/CardSpace/Passport, but in the limited review I've done of both systems, OpenID doesn't seem to be as secure or as well thought out. Microsoft have said that they would support OpenID, but I've not seen them actually do this yet. They certainly won't be a consumer of OpenIDs, but I can't see that it's terribly difficult for them to be a provider.
The one thing I will add to this topic is that all of these systems rely on single-factor authentication – just username and password. Some systems try to "fake" two-factor through the use of user-chosen images (like BoA's SiteKey, which has its own issues: the image authenticates the site to the user rather than the user to the site, and a man-in-the-middle can simply relay it). What I would like to see in any shared identity/authentication system, perhaps as an option that I'd pay a premium for, is support for things like RSA tokens and smart cards in order to add to the overall security. Many other organizations (McAfee/Foundstone included) and even some sites (ETrade for example, with certain accounts) already use such tokens, so I think it's probably a very simple value-add. It wouldn't entirely remove the issues I've pointed to above, but it would make breaking such systems more difficult and limit the exposure of some attacks.
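As an added illustration of what a real second factor adds over a SiteKey-style image (this is not code from the original post or from any provider it names), here is server-side verification of an event-based one-time password of the OATH HOTP kind (RFC 4226), the algorithm behind many OTP keyfobs. The TokenRecord class, the look-ahead window of 10 and the lockout after five failures are assumptions chosen for illustration; the shared secret is the RFC 4226 test vector.

```python
"""
Added example: server-side verification of an event-based (counter) one-time
password of the OATH HOTP kind (RFC 4226). Not code from the original post or
from any provider mentioned in it; TokenRecord, the look-ahead window and the
lockout threshold are assumptions for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one user's token (assumed layout, not any vendor's)."""

    def __init__(self, secret: bytes, counter: int = 0, max_failures: int = 5):
        self.secret = secret
        self.counter = counter            # next counter value we expect the token to use
        self.failures = 0                 # consecutive bad codes, for throttling (RFC 4226 s7.3)
        self.max_failures = max_failures  # assumed lockout threshold

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures


def verify_hotp(record: TokenRecord, submitted: str, look_ahead: int = 10) -> bool:
    """Accept `submitted` if it matches a counter in [record.counter, record.counter + look_ahead).

    The window tolerates button presses that never reached the server. On success
    the stored counter moves past the matched value, so the same code cannot be
    replayed and every older code is dead. The comparison is constant-time.
    """
    if record.locked:
        return False
    for c in range(record.counter, record.counter + look_ahead):
        if hmac.compare_digest(hotp(record.secret, c), submitted):
            record.counter = c + 1
            record.failures = 0
            return True
    record.failures += 1
    return False


# Constructed demo using the RFC 4226 test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Walk through accept / replay / skipped presses / stale code; returns the outcomes."""
    rec = TokenRecord(RFC4226_SECRET)
    outcomes = []
    outcomes.append(verify_hotp(rec, hotp(RFC4226_SECRET, 0)))  # fresh code: accepted
    outcomes.append(verify_hotp(rec, hotp(RFC4226_SECRET, 0)))  # same code replayed: rejected
    outcomes.append(verify_hotp(rec, hotp(RFC4226_SECRET, 4)))  # user pressed the button 3 extra times: resynced
    outcomes.append(verify_hotp(rec, hotp(RFC4226_SECRET, 2)))  # stale code behind the counter: rejected
    return outcomes


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])  # ['755224', '287082', '359152']
    print(demo())                                        # [True, False, True, False]
```

The point of contrast with a SiteKey image is that a phisher who captures one code gets something that is useless once the user's own login consumes it, and a keylogger gains nothing that works tomorrow. The look-ahead window is what makes a physical token usable (presses get lost), but it also widens the guessing surface to 10 codes out of a million per attempt, which is why the failure counter and lockout are not optional.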

January 21st, 2008 at 1:20 pm
Steve Pinkham said: VeriSign is doing some cool work with OpenID that addresses both the issues you have.
Seatbelt is a Firefox Extension that does an excellent job of addressing the phishing / MITM problems of OpenID by federating the login process.
See https://pip.verisignlabs.com/seatbelt.do for (slightly) more information.
It works with other OpenID providers, but defaults to VeriSign’s service. The only downside I’ve found so far is it adds a HTTP header to ALL your traffic, which looks like this:
X-OPENID-ANTI-PHISHING: VeriSign’s OpenID SeatBelt/1.0.0.3325
If a vulnerability is found in the plugin, it’s easy to pick out the vulnerable surfers to your website.
Also, they offer a keyfob or credit-card form factor token which acts as a strong second factor for authentication. It's available for $5 through PayPal, and will work with eBay, PayPal and/or VeriSign's OpenID service.
More information on the tokens is available at https://idprotect.verisign.com/learnmore.v
and https://www.paypal.com/securitykey.
VeriSign will also take $30 from you for a purple-cased version of the same token if you wish…
The combination of the above makes me feel quite comfortable using OpenID, in preference to most any other login scheme currently available. Hopefully plugins or native functionality similar to SeatBelt will appear for Opera, IE, and Safari, extending the plausibility of using OpenID in a secure manner everywhere.
January 22nd, 2008 at 7:56 pm
Mike said: Thanks for the info, Steve. I've not seen the Seatbelt plugin, and to be fair it doesn't give that many details on the page(s), but I still can't see how it can protect from, say, a phishing site tricking a user into entering creds at its own authentication provider. I'll have to look into it a bit deeper.
Nice to see that there's a single sign-on solution that is using 2nd-factor auth. I thought there must be one out there somewhere, but not being a PayPal or eBay customer, I've not come across this yet. Anyone else with any examples?
May 21st, 2008 at 10:00 am
Web Worker Daily » Archive » OpenID: A Contrarian View said: [...] don't trust it: This has been discussed extensively elsewhere, and there's been more heat than light thrown on the issues. But my own [...]