Jun 24 2008

OpenID is for low impact identity

Published by at 5:59 am under Blogging, Simple Security

Last year Michael Santarcangelo and I organized a Security Roundtable with Dan York to discuss OpenID. All three of us like the technology and the idea behind it, but we concluded that OpenID is only appropriate for sites and systems where a compromise would be of little or no concern. In other words, it’s a great project for verifying commenters’ IDs when they post to your website, but it’s not such a great authentication method for logging into your blog yourself. And now Dana Epp has discovered that Six Apart (makers of Movable Type) feel the same way.

I understand Dana’s desire to use OpenID as an authentication method for his blog, but that’s not what it was meant for. After all, setting up an OpenID account is fairly simple and merely requires putting a code snippet on a website or blog you control (please correct me if I’m wrong; I haven’t set up or used an OpenID account in over a year, which is a telling stat in itself). Given the rate of web server compromises, that’s not a very high bar for a hacker to clear in order to compromise an ID. If all you’re using your ID for is commenting on various blogs, that’s not a big deal, but when you start using it for more serious authentication, it becomes a much more important concern.

I’m glad that an organization like Movable Type understands the limitations of OpenID. While I’m sure some comment spammers are trying to break OpenID, the majority of the bad guys are probably ignoring it as a low impact authentication method. It would be nice to have a way to verify your identity across the Internet, but the reality is that any identification method that comes to protect more important targets is going to become the target of intense attack. I’d rather see the people behind OpenID understand the limitations of their project and treat it appropriately. There are already too many projects that shoot for the stars and end up falling flat on their faces.


2 Responses to “OpenID is for low impact identity”

  1. Peter on 25 Jun 2008 at 4:39 am

    I agree completely. OpenID is the same as using the same logon and password at every site. Which is a very bad security practice. For low value accounts it might be fine, but unless you are going to combine it with other multi-factor methods it is never going to be accepted for high-value accounts.

  2. Dana Epp on 25 Jun 2008 at 9:58 am

    Interestingly enough, I disagree. I think OpenID CAN be used in this manner, depending on the strength of the IdP. That’s my point in why I want to be the person to decide on the provider(s) I trust.

    We have our own OpenID provider at our office, which uses our two-factor authentication tokens to log in. So now an identity tied to a URL is further enforced with a strong authentication check. This is why HealthVault decided to NOT support all OpenID providers, but stronger providers that they have a higher level of credential validation and trust with.

    MovableType could make a setting to allow MT administrators to decide if an IdP is trustworthy enough to allow authentication with OpenID. It would be no different than how they configure LDAP now.

    It is a risk based decision. Would I trust company data access from an IdP like Yahoo or AOL? No way. Would I trust our own systems that fall under our corporate security policy? You bet. It should be MY choice.

    Your position on low impact identity makes sense. However, that is because the weakness in OpenID is a single, static password that may be shared, stolen or easily guessed. There ARE stronger technical safeguards for authentication like two-factor authentication, smart cards and Information Cards that can raise the bar and make that validation more “trustworthy”, while still allowing companies to have SOME control.

    i.e.: Using OpenID delegation, a staff member could have their URL be set to their personal blog, delegated to our IdP which we trust. He or she can then log in at any time, and we have assurance of WHO they are, and that they are allowed access to our systems. If they then leave the organization and are revoked access on our IdP, their identity is still their own and can be redirected to another IdP. As a company, I don’t CARE if their personal blog is hijacked and their OpenID URL is compromised, they won’t get in as we won’t trust whatever provider it now points to.

    If the guys at MovableType wanted to use OpenID, they could add it in a heartbeat. It’s not that difficult to add into their authentication harness if they can support standard passwords and LDAP. The fact they don’t should be a concern. I no longer believe it’s just because they don’t trust it. I believe it’s because there is no commercial value in it yet… no demand.
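The relying-party check described in the comment above, written as an added example (not code from the post, its commenters, or Movable Type): resolve the delegation `<link>` tags on a user's identity page and accept the login only if the IdP it delegates to is on an administrator-approved list, so a hijacked personal page pointing at some other provider is refused. The hostnames, endpoints and sample pages are constructed placeholders.

```python
import html.parser
from urllib.parse import urlsplit

# Constructed allowlist: the corporate IdP the administrator has vetted.
# Hostnames are placeholders for illustration, not real endpoints.
TRUSTED_PROVIDERS = {"https://idp.example-corp.test/openid/server"}

# Constructed sample: the HTML discovery tags a staff member puts on a
# personal blog to delegate their OpenID URL to the corporate IdP
# (OpenID 1.1 openid.* tags plus the OpenID 2.0 openid2.* equivalents).
DELEGATED_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example-corp.test/openid/server">
<link rel="openid.delegate" href="https://idp.example-corp.test/users/alice">
<link rel="openid2.provider" href="https://idp.example-corp.test/openid/server">
<link rel="openid2.local_id" href="https://idp.example-corp.test/users/alice">
</head><body>Alice's blog</body></html>"""

# The same blog after a hypothetical hijack: the tags now delegate to a
# provider the relying party has never vetted.
HIJACKED_PAGE = DELEGATED_PAGE.replace("idp.example-corp.test",
                                       "free-openid.example.test")

class _LinkCollector(html.parser.HTMLParser):
    """Collect rel -> href for every <link> tag on the page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel, a.get("href"))

def discover(page_html):
    """Return (provider_endpoint, local_id) from the discovery tags;
    OpenID 2.0 tags take precedence over the 1.1 ones."""
    p = _LinkCollector()
    p.feed(page_html)
    provider = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return provider, local_id

def authorize_identity(page_html, trusted=TRUSTED_PROVIDERS):
    """Relying-party policy: accept the claimed identity only when the
    provider it delegates to is on the administrator's allowlist."""
    provider, local_id = discover(page_html)
    if provider is None or local_id is None:
        return False, "no OpenID delegation tags found"
    if urlsplit(provider).scheme != "https":
        return False, "provider endpoint is not HTTPS"
    if provider not in trusted:
        return False, "untrusted provider " + provider
    return True, local_id
```

The provider check is what makes revocation at the IdP effective: once the account is disabled there, re-pointing the personal page elsewhere gains nothing because the new provider is not trusted.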
