Learning the OpenID problems

Continuing my recent discussion about OpenID, and considering OpenID for authenticating to OSGeo services, I wanted to make a short review of its disadvantages. The OpenID advantages are well-known and can be described with a short statement:

open, decentralized, free framework, which allows Internet users to control their digital life with single identity

Stefan Brand collected a number of opinions about OpenID and compiled a very interesting post on his blog about the problem(s) with OpenID. Stefan’s blog entry is pretty long, so to make his findings easier to understand, I decided to abstract the key thoughts on the matter.

Stefan summarized the main problems and sources of OpenID criticism as follows:

OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID consumer.

Next, complaints about the OpenID framework are presented in a few categories, which I’m going to summarize below.

The most serious complaint is about the lack of security and the vulnerability to phishing attacks, as well as to browser exploits based on XSS and CSRF. Another problem was pointed out by Kim Cameron: OpenID is as strong, and as weak, as DNS. It’s also easy to imagine a user’s computer being attacked with a trojan or key logger that sniffs her OpenID password, which would give the attacker access to all identities controlled by that user’s OpenID.

These insights lead one to consider OpenID a broken form of authentication, though:

This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value.

The privacy issue is next. OpenID providers do recycle unused or orphaned user IDs, and

if an OpenID is recycled, the new owner will be able to access the previous owner’s data if the RP is not aware that the OpenID has changed ownership.
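To make the recycling problem concrete, here is an added example (not code from the original post or from any OpenID implementation) showing what happens at the relying party side. It assumes the fragment-based identifier recycling described in the OpenID Authentication 2.0 specification, where the provider appends a fresh fragment to the Claimed Identifier whenever the identifier is reassigned; the identifiers, the class name RelyingPartyAccounts and the helper recycled_owner_sees_old_data are constructed for this illustration.

```python
from urllib.parse import urldefrag

# Constructed sample identifiers (assumed, not from the post): the provider
# reassigns https://op.example/u/alice to a second person and, following the
# OpenID 2.0 recycling mechanism, issues it with a different fragment.
FIRST_OWNER_ID = "https://op.example/u/alice#1001"
RECYCLED_ID = "https://op.example/u/alice#2002"


class RelyingPartyAccounts:
    """Minimal local account store of a relying party (RP).

    strip_fragment=True models an RP that "normalises" the identifier by
    dropping the fragment before using it as the account key; that is exactly
    the RP which is "not aware that the OpenID has changed ownership".
    """

    def __init__(self, strip_fragment: bool) -> None:
        self.strip_fragment = strip_fragment
        self.accounts: dict[str, dict] = {}

    def account_key(self, claimed_id: str) -> str:
        # The hardened RP treats the full Claimed Identifier, fragment
        # included, as an opaque account key.
        if self.strip_fragment:
            return urldefrag(claimed_id).url
        return claimed_id

    def login(self, claimed_id: str) -> dict:
        # Look up the account for this identifier or create an empty one.
        key = self.account_key(claimed_id)
        return self.accounts.setdefault(key, {"private_data": []})


def recycled_owner_sees_old_data(strip_fragment: bool) -> bool:
    """Simulate one recycling event and report whether the new owner
    ends up in the previous owner's account."""
    rp = RelyingPartyAccounts(strip_fragment)
    first = rp.login(FIRST_OWNER_ID)
    first["private_data"].append("first owner's private note")
    second = rp.login(RECYCLED_ID)  # same URL, new fragment, new person
    return bool(second["private_data"])


if __name__ == "__main__":
    print("fragment stripped, new owner sees old data:",
          recycled_owner_sees_old_data(strip_fragment=True))
    print("fragment kept,     new owner sees old data:",
          recycled_owner_sees_old_data(strip_fragment=False))
```

The fragment only helps when the provider actually issues one; an RP talking to a provider that silently reassigns bare URLs has no signal to act on, which is why the page treats recycling as a problem of the overall system rather than of a single RP.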

Some users find it problematic, or even unethical, that the [OpenID] identity provider is able to track all websites you log into. That tracking capability may be used for purposes like user profiling and cross-site profiling, which sounds like a Big Brother reality.

OpenID is very easy to use, even for inexperienced Internet users. However, OpenID use requires more client-side intelligence than today’s standard Web browser provides. These two claims seem to contradict each other.

Good privacy on the Internet means untraceability, unlinkability, authenticated anonymity and pseudonymity, and minimal disclosure. However, OpenID’s simplistic URL architecture seems fundamentally incompatible with these privacy features.

What about trust? OpenID is supposed to play the role of an identity system. In the common understanding, an identity system is based on trust. There is no authority that can promise that the OpenID mloskot.myopenid.com is Mateusz Łoskot. The implication is that OpenID is not a trust system; it is an identity transport system without trust. Why does that matter? Because without trust, there is no identity.

Usability and adoption also seem questionable. Some experts argue that OpenID can easily be replaced with the password managers available in popular Web browsers. Another issue is selecting a trusted OpenID provider, and the fact that there are many providers but still not enough sites and consumers.

An interesting and realistic issue is the availability of OpenID services. Decentralization, OpenID’s strength, is also considered its weakness: If your openID server goes down then you’re locked out of all of your other web accounts that used that login.

Patents. It seems possible that some aspects of OpenID are patented, and parties have made claims that OpenID is covered by their patents.

As a word of disclaimer, I’m not the author of the concerns presented above, and it is not my aim to criticise the concept of the OpenID system. I’m just one of the hordes of Internet users who is interested in OpenID applications. All the comments above helped me to understand OpenID better, so I collected and rewrote them here in a more accessible form, I believe.

The authors of all citations I used above can easily be found in Stefan’s blog post.

2 Responses to “Learning the OpenID problems”

  1. Kevin Fox Says:

    Interesting post… I work for a company called Vidoop and we operate an OpenID provider at http://myvidoop.com

    myVidoop uses our RecognitionAUTH technology which is resistant to all the prevalent forms of hacking you mention. Without requiring any additional hardware or software we have an image-based two-factor authentication system. You can create an OpenID and check it out for free. We also offer a password manager for storing/organizing your traditional logins and passwords, support OpenID delegation, custom activity reports, and more. Verisign also offers a secure OpenID option using tokens.

    Identifier recycling was addressed in the OpenID 2.0 spec, and the IPR policy has been set.

    OpenID is only a component in the identity stack, there is an excellent description of everything that goes into someone’s identity beyond OpenID here: http://blogs.oracle.com/talkingidentity/2008/05/05

    Aside from that the usability and adoption critiques of OpenID are still very much valid. Though with so many great people/companies working with/on/around OpenID I expect things will keep improving.

  2. mloskot Says:

    Kevin, thanks for the comment. I have to confess I haven’t read the OpenID 2.0, but good to hear it addresses the recycling issue. I like the OpenID concept and I use it, in spite of known problems. I just believe it’s good to be aware of its pros and cons, just as it’s good to know how to use e-mail communication in a safe way.
