Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How safe is openID?

Tags:

security

authentication

openid

Is this something that can be used for highly secure information or should it be bypassed for a single site authentication system? This may be a stupid question (as it does not sound secure) but I would like some advice.

like image 518
John Avatar asked Jul 07 '10 02:07

John

2 Answers

OpenID itself is no less secure than the traditional username+password login.

Obviously, you're entrusting a large part of the security to the provider - e.g. brute force prevention, password size policy, etc.

Wouldn't use it for online banking for example, not while the OpenID protocol itself is insecure, but due to the use case.

highly secure information

Financial info? DoD Top Secret? Really secure information isn't available via the internet, only on the local network or through a VPN, which is moving a chunk of the security to the network level. Really really secure information is on a computer with no network connection...

There is the theory that the user, having just one password to use for their OpenID account, has the possibility to choose a decent strength password, less likely when they have to remember x passwords.

like image 131
Pete Avatar answered Sep 27 '22 19:09

Pete

OpenID is technically sound, but can be baffling for some users. I recommend browsing through the responses to this question. For very private information I would be cautious about using OpenID because:

  • Since the login is being used so widely and so frequently there are more opportunities for the password to be accidentally disclosed. A particular worry would be if another OpenID-enabled site which the user is registered on one day asks them for their actual password...some users might enter it without thinking, not realizing that they are circumventing the OpenId security model.

  • If you have doubts about the security of OpenID, users might also have these doubts. From a business point of view, is it worth the risk of being perceived as insecure? (Of course, this is at least better than the other way around -- bad security being perceived as safe!)

There is a trend towards offering OpenID login on social networking sites and such, but I doubt we will see it being adopted very much for protecting extremely sensitive data.

like image 40
Todd Owen Avatar answered Sep 27 '22 18:09

Todd Owen
Sign in to Comment

Related questions

Role based security for OSGi
Ruby on Rails 3.2.13 - Brakeman - Session secret should not be included in version control
Calling a secured WebService from jQuery safely
Dynamically set the data source for SSRS reports without unattended execution account?
Liquibase & Spring how to use separate user for schema changes
Does Azure API Management include WAF functionality?
Does MySQL have a cryptographically secure random number generator?
iPhone and Crypto Libraries
Authorization & User info in a Service Layer (.NET application)
Sign data with MD5WithRSA from .Pem/.Pkcs8 keyfile in C#
Isolated Storage misunderstanding
Security of string resources
Restrict HTTP Access to Elastic Beanstalk
JwtSecurityTokenHandler says signature of JWT valid after changing 1 char
What is un-secure about NSUserDefaults, is manual encryption safe?
I found a lot of weird string in my database, someone trying to get into my site?
express-session secure: true
Why json hijacking can be prevented using POST method?
Ok, so I've encrypted my data now where do I hide the key?
Identifying whether a certificate is der encoded or base 64 encoded

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!