What are the advantages and disadvantages to using OpenID?

I'm currently debating whether I should use OpenID login for one of my websites. OpenID may be harder for me to implement because I already have registration and login code written, but this is just a time consideration. What advantages and disadvantages are there to using OpenID in contrast to, say, a traditional website user account system?

waiwai933, asked Jul 20 '09 00:07



3 Answers

Advantages

You have a single sign-on, which is actually pretty cool, in particular for people having a lot of accounts here and there.

The OpenID server provides basic info about the user, saving the need to write down the usual basic info every time. In this sense you save the hassle for your users.

It enhances the traditional user/pass mechanism pretty well. There are many sites around providing both systems at the same time.

Moves trust of honesty from multiple parties to only one. At the moment, I don't know if any of the sites I am registered on stores my password in clear text to steal it and tries to use it on other sites assuming that I have the same password.

The technical advantage of delegation. You are not forced to use the same provider. You can switch.

Disadvantages

You still have to provide user/password to those who don't understand the new paradigm or don't have an OpenID (maybe they have one, but they don't know). If it's a broad range of people you are trying to address, then you could scare them away.

Also, I would not use it for anything serious. I would not trust my bank asking me to log in with my OpenID, nor many e-commerce sites. It's OK for unimportant things.

The OpenID provider can track users' habits, as they receive all the auth requests. That's why I deployed my personal provider.

Finally, as far as I saw, many OpenID servers move the password in cleartext, but this is my understanding and I could be wrong. I deployed my own OpenID provider, and I went to a great deal of trouble so that the password was transported via HTTPS, even though my OpenID is marked as http.

Stefano Borini, answered Nov 02 '22 16:11
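The delegation Stefano mentions works through link tags on the user's own identifier page: the identifier URL stays the user's, and the tags name whichever provider currently answers for it, so switching providers is an edit to that page. The following is an added example, not code from this answer or from any OpenID library: a relying-party discovery routine in Python that reads those tags (preferring the OpenID 2.0 pair openid2.provider/openid2.local_id over the 1.1 pair openid.server/openid.delegate, and ignoring tags outside the document head), then builds the checkid_setup redirect with openid.identity set to the delegated local id. The sample identity page, the provider and site URLs, and the refusal of a non-HTTPS provider endpoint are my assumptions, constructed for this example; the refusal is the relying-party side of the HTTPS point Stefano makes about his own provider.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

OPENID_RELS = {"openid2.provider", "openid2.local_id", "openid.server", "openid.delegate"}


class _LinkCollector(HTMLParser):
    """Collect rel/href pairs from <link> elements in the document <head>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False          # <link> elements in <body> are not discovery data
            return
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()   # rel may carry several tokens
        href = a.get("href")
        if href:
            self.links.append((rels, href))


def discover(html):
    """HTML-based discovery: protocol version, OP endpoint and delegated local id."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    found = {}
    for rels, href in p.links:
        for r in rels:
            if r in OPENID_RELS:
                found.setdefault(r, href)      # first matching element wins
    if "openid2.provider" in found:            # 2.0 tags take precedence over 1.1 tags
        return {"version": "2.0", "op_endpoint": found["openid2.provider"],
                "local_id": found.get("openid2.local_id")}
    if "openid.server" in found:
        return {"version": "1.1", "op_endpoint": found["openid.server"],
                "local_id": found.get("openid.delegate")}
    return None


def checkid_url(claimed_id, disc, return_to, realm):
    """Build the checkid_setup redirect; refuses a provider endpoint that is not HTTPS (my policy)."""
    if urlparse(disc["op_endpoint"]).scheme != "https":
        raise ValueError("refusing non-HTTPS provider endpoint")
    identity = disc["local_id"] or claimed_id   # delegation: identity differs from claimed_id
    params = {"openid.mode": "checkid_setup", "openid.identity": identity,
              "openid.return_to": return_to}
    if disc["version"] == "2.0":
        params["openid.ns"] = "http://specs.openid.net/auth/2.0"
        params["openid.claimed_id"] = claimed_id
        params["openid.realm"] = realm
    else:
        params["openid.trust_root"] = realm
    return disc["op_endpoint"] + "?" + urlencode(params)


# Constructed sample identity page (not a real site): the user's URL delegates to a
# self-hosted provider; the stray <link> in <body> must be ignored.
SAMPLE_PAGE = """<html><head>
<title>alice</title>
<link rel="openid2.provider" href="https://self-hosted.example.net/openid/endpoint">
<link rel="openid2.local_id" href="https://self-hosted.example.net/openid/alice">
<link rel="openid.server" href="https://self-hosted.example.net/openid/endpoint">
<link rel="openid.delegate" href="https://self-hosted.example.net/openid/alice">
</head><body><link rel="openid2.provider" href="http://evil.example/"></body></html>"""

# Constructed sample with a plain-HTTP provider, which checkid_url refuses.
HTTP_ONLY_PAGE = """<html><head>
<link rel="openid.server" href="http://legacy.example.net/openid/server">
</head><body></body></html>"""

if __name__ == "__main__":
    disc = discover(SAMPLE_PAGE)
    print(disc)
    print(checkid_url("http://alice.example.org/", disc,
                      "https://www.example.com/openid/return", "https://www.example.com/"))
```

Note that the claimed identifier itself may be a plain http URL (as Stefano's is) while the provider endpoint it delegates to is HTTPS; the check here is on the endpoint the user's password will be typed into, not on the identifier.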


The main advantage that I see, although not necessarily applicable in your case if you want to keep your existing system, is that I don't have to worry about storing passwords.

Too many people use the same password (or a small set of passwords) for everything, so if my site was compromised (and I'd hope I was sufficiently skilled to prevent that, but security is a multi-layered beast, so anything that adds extra security is good in my book) then the attacker couldn't get hold of the password.

For the user, they can now legitimately have just one password for everything. They use an OpenID Provider that they trust rather than having to trust any Tom, Dick or Harry on the internet with a website.

Colin Mackay, answered Nov 02 '22 15:11


Well, taking SO as an example, it supports both. I log in using my Google Account through OpenID, but I still need to have an account/username to link to my OpenID. I assume that you're only allowing logins through OpenID but not for your users to log in using your site as an OpenID server.

So, to clear things up: you can use a lot of your login/logout code, and you will need it, because the only difference is that you authenticate through a third party instead of your own database. In pseudo-code, imagine this:

authenticate_from_db(String username, String password)
{
      // look up the stored hash for this user; never compare plaintext passwords
      stored_hash = fetch password_hash where username = username
      if stored_hash exists and stored_hash == hash_of(password)
      {
           return true;
      }
      else
      {
          return false;
      }
}

authenticate_from_openid(String openid_identifier)
{
     // the provider either vouches for an identity or it doesn't
     returned_user = contact_openid_provider(openid_identifier)
     if (returned_user)
     {
         // link the verified identity to one of your own accounts
         login.username = map(returned_user, your_db)
         return true;
     }
     else
     {
        return false;
     }
}

So you see, mostly the authentication process is changed while your own is still also used.

The advantage is pretty clear:

  • Allowing users to login with existing accounts through their OpenID provider.
  • Your existing users could optionally login through their OpenID provider

The disadvantages are (I could imagine):

  • Hostile OpenID providers (spam?) authenticating their spambots etc.
  • Other security concerns by allowing a third party to authenticate your users

I want to underline that supporting OpenID should not change anything for your existing users.

OpenID users still need to have an account, they're just authenticated through a third-party.

hannson, answered Nov 02 '22 16:11
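hannson's pseudo-code folds everything into contact_openID_provider; what that step actually has to check before returned_user can be mapped is where the second of his listed concerns (trusting a third party to authenticate your users) is decided. The following is an added example, not code from this answer or from any OpenID library: the relying-party side of an OpenID 2.0 positive assertion in association mode, in Python. It checks that the assertion came from the provider that was discovered and for this site's return_to, that the identity fields are covered by the signature, that the HMAC-SHA256 signature over the key-value form of the signed fields verifies against the association's MAC key, and that response_nonce is fresh and has not been seen before; only then does it look up the local account, returning None for a verified identity with no account yet, which is the "OpenID users still need to have an account" case. The MAC key, association handle, URLs, clock and the alice/bob accounts are constructed sample values, and make_assertion is a stand-in for the provider, not provider code.

```python
import base64
import calendar
import hashlib
import hmac
import time

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields a 2.0 positive assertion must sign; claimed_id/identity are required here as well.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")


def kv_form(params, field_names):
    """OpenID key-value encoding of the named fields, in openid.signed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in field_names)


def compute_sig(mac_key, params):
    """Base64 HMAC-SHA256 over the signed fields (assoc_type HMAC-SHA256)."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


class RelyingParty:
    def __init__(self, return_to, accounts, now=time.time):
        self.return_to = return_to
        self.accounts = accounts      # claimed_id -> local username: hannson's map(returned_user, your_db)
        self.associations = {}        # assoc_handle -> (op_endpoint, mac_key) from the association step
        self.seen_nonces = set()      # response_nonce values already accepted
        self.now = now

    def add_association(self, handle, op_endpoint, mac_key):
        self.associations[handle] = (op_endpoint, mac_key)

    def verify_assertion(self, params, expected_claimed_id, max_skew=300):
        """Return the verified claimed_id or raise ValueError."""
        if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        assoc = self.associations.get(params.get("openid.assoc_handle"))
        if assoc is None:
            raise ValueError("unknown association handle")
        op_endpoint, mac_key = assoc
        if params.get("openid.op_endpoint") != op_endpoint:
            raise ValueError("assertion not from the discovered provider")
        if params.get("openid.return_to") != self.return_to:
            raise ValueError("return_to does not match this site")
        signed = params.get("openid.signed", "").split(",")
        if any(f not in signed for f in REQUIRED_SIGNED):
            raise ValueError("required field not covered by the signature")
        if any("openid." + f not in params for f in signed):
            raise ValueError("signed field missing from the message")
        if not hmac.compare_digest(compute_sig(mac_key, params), params.get("openid.sig", "")):
            raise ValueError("bad signature")
        if params["openid.claimed_id"] != expected_claimed_id:
            raise ValueError("claimed_id differs from the one this login started with")
        nonce = params["openid.response_nonce"]   # "YYYY-MM-DDThh:mm:ssZ" + unique suffix
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(self.now() - issued) > max_skew:
            raise ValueError("response_nonce outside the acceptance window")
        if nonce in self.seen_nonces:
            raise ValueError("replayed response_nonce")
        self.seen_nonces.add(nonce)
        return params["openid.claimed_id"]

    def login(self, params, expected_claimed_id):
        """Verified identity -> local username, or None when no account is linked yet."""
        return self.accounts.get(self.verify_assertion(params, expected_claimed_id))


# Constructed sample values; a real MAC key and handle come from the association exchange.
MAC_KEY = hashlib.sha256(b"shared association secret for the sample").digest()
OP_ENDPOINT = "https://op.example.net/endpoint"
RETURN_TO = "https://www.example.org/openid/return"
NOW = calendar.timegm((2009, 7, 20, 0, 7, 0, 0, 0, 0))   # fixed clock so the sample is deterministic


def make_assertion(claimed_id, nonce_suffix, mac_key=MAC_KEY):
    """Stand-in for the provider: builds and signs a positive assertion."""
    p = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(NOW)) + nonce_suffix,
        "openid.assoc_handle": "assoc-sample-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = compute_sig(mac_key, p)
    return p


def make_rp():
    """Relying party with one linked account and the sample association installed."""
    rp = RelyingParty(RETURN_TO, {"https://alice.example.com/": "alice"}, now=lambda: NOW + 5)
    rp.add_association("assoc-sample-1", OP_ENDPOINT, MAC_KEY)
    return rp


if __name__ == "__main__":
    rp = make_rp()
    print(rp.login(make_assertion("https://alice.example.com/", "n1"), "https://alice.example.com/"))
    print(rp.login(make_assertion("https://bob.example.com/", "n2"), "https://bob.example.com/"))
```

The nonce set and the association table are in-memory here; in a real deployment both live in shared storage so that a second web node cannot be replayed an assertion the first one already accepted.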