
Are there any security risks associated with me using OpenID as the authentication method on my site?

Is OpenID a secure method of authenticating users on a website?

And, if not, what are the security risks associated with OpenID?

David Arno asked Oct 08 '08 11:10



1 Answer

I agree with many of the points David makes above, so I'm making some points here just for the sake of argument.

For the knowledgeable user, I would argue that OpenID is a more secure form of authentication than many websites provide. Now let me back up that statement. First, what do I mean by a knowledgeable user? I would define that person as somebody who is aware of the weaknesses of OpenID and who takes measures to mitigate them:

  • Maintains multiple personas if they don't wish websites to be able to track them effectively.
  • Registers two or more OpenID providers at websites where 24/7 access is an issue.
  • Always logs in to their OpenID provider directly. They never log in to a page a 3rd party web site has redirected them to.

Many websites do not know how to securely maintain users' passwords. The really nice thing with OpenID is that I get to choose my OpenID provider and thus the level of authentication needed to login to a relying party. For example, I can choose to delegate authentication to Verisign or Trustbearer - both of which provide much stronger authentication techniques than most websites on the web. I would much rather trust an organization which specializes in security with my password than some random web site on the web. So I would argue that for the knowledgeable user, OpenID can be more secure than each website implementing their own authentication system.

All that being said, most users are not aware of the risk factors inherent in OpenID and won't take the steps to mitigate the risks.

pyrachi answered Dec 10 '22 14:12