[OpenID] Trust + Security @ OpenID
Martin Atkins
mart at degeneration.co.uk
Mon Jul 9 07:20:06 UTC 2007
Simon Willison wrote:
>
> I've been calling this the "outsourcing the security of our users"
> problem. Site owners are uncomfortable about relying on the security
> of the user's chosen OpenID provider - after all, if they pick a bad
> one then the site's own security measures are null and void.
>
> My counter-argument is that if the site has a "I've forgotten my
> password" feature that uses e-mail to verify the user, they're already
> outsourcing the security of their users to that user's chosen e-mail
> provider, and OpenID changes nothing.
>
I caught your TechTalk at Google recently where you raised this point,
and I must admit that I'd never drawn that parallel before, but now that
you mention it I can't disagree. "Forgot Your Password?" is just, as I
think you put it, "Single sign-on with an intentionally bad user
experience."
But on with the point at hand...
> That argument holds up well for many sites, but there are some sites
> (such as banks) that don't provide an e-mail recovery service,
> presumably precisely because they don't want to rely on the security
> of the user's email service. In those cases, whitelisting OpenID
> providers based on their security measures seems like a reasonable
> option. In fact, it's a great use case for OpenID - if someone has
> gone through the effort to do highly secure, phishing resistant
> two-factor authentication suitable for use with online banking, OpenID
> is a great way for that achievement to be re-used by other sites that
> need the same level of security.
>
I think that in the short term a more readily-workable solution for
high-security sites like banks is to combine OpenID with other
locally-enforced security measures. I wouldn't mind just swapping out
step one of my bank's login process -- enter your ridiculously long and
opaque account number -- for OpenID and keeping the "PIN" and "secret
memorable word" steps. (Though some may argue that my bank's service
isn't that secure to start with, I guess.)
Hopefully further down the line we'll have more infrastructure in place
to give incentives for more secure authentication mechanisms without
resorting to whitelists with all of the drawbacks that implies.
The Assertion Quality Extension that David and co have been working on
is targeted at this very problem, allowing providers to declare what
authentication mechanisms they can support so that relying parties can
discriminate based on this rather than on simply saying "I've never
heard of NewbieOP so I'm not going to let them play". Sure, it's
possible for OPs to lie, but presumably reputable OPs wouldn't lie and
users wouldn't use unreputable OPs. (And if they do, I suppose one can
always resort to blacklisting!)
We're not quite there yet, though. I think in the short term OpenID can
be deployed in combination with other mechanisms in situations where the
current protocol base is inadequate.
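An added illustration (not code from this thread, nor from the Assertion Quality Extension itself) of the relying-party policy described above: the RP checks the mechanisms an OP declares against what the site requires, keeps a blacklist as the backstop for providers that turn out to lie, and can still layer its own local PIN and memorable-word steps on top of OpenID. The mechanism labels, the function names and the endpoint URLs are assumptions constructed for the example; the real extension's parameter names are not given in the thread.

```python
from dataclasses import dataclass

# Mechanism labels are constructed for this example; they are not the
# extension's actual identifiers.
PHISHING_RESISTANT = "phishing-resistant"
MULTI_FACTOR = "multi-factor"

# Local steps the RP keeps regardless of which OP signed the user in
# (the "PIN" and "secret memorable word" steps from the reply above).
LOCAL_STEPS = ("pin", "memorable-word")


@dataclass(frozen=True)
class RpPolicy:
    required: frozenset                   # mechanisms the OP must declare
    blacklist: frozenset = frozenset()    # OP endpoints known to misbehave
    keep_local_steps: bool = True         # combine OpenID with local checks


def evaluate_assertion(op_endpoint: str, declared: set, policy: RpPolicy):
    """Decide what to do with a positive assertion from op_endpoint.

    Returns ("reject", reason) or ("accept", extra_local_steps).
    The declared set is self-asserted by the OP, so the blacklist is the
    RP's backstop against providers that lie about their mechanisms.
    """
    if op_endpoint in policy.blacklist:
        return ("reject", "provider is blacklisted")
    missing = policy.required - declared
    if missing:
        return ("reject",
                "provider did not declare: " + ", ".join(sorted(missing)))
    extra = LOCAL_STEPS if policy.keep_local_steps else ()
    return ("accept", extra)


# A bank-style policy: requires both mechanisms, keeps the local steps,
# and blacklists one constructed endpoint.
BANK_POLICY = RpPolicy(
    required=frozenset({PHISHING_RESISTANT, MULTI_FACTOR}),
    blacklist=frozenset({"https://bad.example/openid"}),  # constructed
)

# A low-value site (a blog, say) that accepts any OP and adds nothing.
BLOG_POLICY = RpPolicy(required=frozenset(), keep_local_steps=False)
```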