Are there any security risks associated with me using OpenID as the authentication method on my site?

庸人自扰 2020-12-14 07:59

Is OpenID a secure method of authenticating users on a website?

And, if not, what are the security risks associated with OpenID?

9 Answers
  •  失恋的感觉
    2020-12-14 08:38

    I agree with many of the points David makes above, so I'm making some points here just for the sake of argument.

    For the knowledgeable user, I would argue that OpenID is a more secure form of authentication than many websites provide. Now let me back up that statement. First, what do I mean by a knowledgeable user? I would define that person as somebody who is aware of the weaknesses of OpenID and who takes measures to mitigate them:

    • Maintains multiple personas if they don't wish websites to be able to track them effectively.
    • Registers two or more OpenID providers at websites where 24/7 access is an issue.
    • Always logs in to their OpenID provider directly. They never log in to a page a 3rd party web site has redirected them to.

    Many websites do not know how to securely maintain users' passwords. The really nice thing with OpenID is that I get to choose my OpenID provider and thus the level of authentication needed to log in to a relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer - both of which provide much stronger authentication techniques than most websites on the web. I would much rather trust an organization which specializes in security with my password than some random web site on the web. So I would argue that, for the knowledgeable user, OpenID can be more secure than each website implementing their own authentication system.

    All that being said, most users are not aware of the risk factors inherent in OpenID and won't take the steps to mitigate the risks.
