[OpenID] Trust + Security @ OpenID
Simon Willison
simon at simonwillison.net
Sun Jul 8 16:14:49 UTC 2007
On 7/8/07, Brendan Taylor <whateley at gmail.com> wrote:
> I especially don't understand why the RP cares about "integrity of the
> authentication process". Surely it should be the user's responsibility
> to select an OP with the security they require.
>
> I think this is going in the wrong direction; I would be very
> disappointed if OpenID lost its decentralization, and I'm not sure why
> people think it needs to.

I've been calling this the "outsourcing the security of our users"
problem. Site owners are uncomfortable about relying on the security
of the user's chosen OpenID provider - after all, if they pick a bad
one then the site's own security measures are null and void.

My counter-argument is that if the site has an "I've forgotten my
password" feature that uses e-mail to verify the user, they're already
outsourcing the security of their users to that user's chosen e-mail
provider, and OpenID changes nothing.

That argument holds up well for many sites, but there are some sites
(such as banks) that don't provide an e-mail recovery service,
presumably precisely because they don't want to rely on the security
of the user's email service. In those cases, whitelisting OpenID
providers based on their security measures seems like a reasonable
option. In fact, it's a great use case for OpenID - if someone has
gone through the effort to do highly secure, phishing-resistant
two-factor authentication suitable for use with online banking, OpenID
is a great way for that achievement to be re-used by other sites that
need the same level of security.

Cheers,

Simon
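
The provider whitelisting discussed in the message above, sketched as a relying-party check. This is an added example, not part of the original post or of any OpenID library. The host names, the `APPROVED_OPS` set and both function names are hypothetical, and it assumes the RP has the OP endpoint URL it found by discovery on the user's identifier as well as the endpoint named in the login response.

```python
from urllib.parse import urlsplit

# Constructed allowlist: origins of OP endpoints the RP has vetted.
# The host is a placeholder, not a real provider.
APPROVED_OPS = {
    ("https", "op.bank-grade.example", 443),
}


def endpoint_origin(url):
    """Return (scheme, host, port) for an OP endpoint URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None  # a vetted OP reached over plain HTTP is not the vetted OP
    if parts.username or parts.password:
        return None  # userinfo can make another host look like an approved one
    host = parts.hostname.lower().rstrip(".")
    return ("https", host, port or 443)


def op_is_approved(discovered_endpoint, asserted_endpoint):
    """Accept a login only when discovery and the response name the same approved OP.

    Matching is on the exact origin. Prefix or substring matching on the URL
    would let look-alike hosts through.
    """
    discovered = endpoint_origin(discovered_endpoint)
    asserted = endpoint_origin(asserted_endpoint)
    if discovered is None or discovered != asserted:
        return False
    return discovered in APPROVED_OPS
```

The check is keyed on the endpoint the RP discovered itself, not on the identifier string the user typed, so a user-controlled identifier page cannot claim membership of the allowlist by name alone.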