[security] how secure is openid? advise pls..

SitG Admin sysadmin at shadowsinthegarden.com
Tue Feb 10 17:00:18 UTC 2009


>I need to be on a watch of what people do. So can I at least restrict 
>them to use only one id with which they login the first time? 
>because I have to calculate their usage and all and fix them 
>specific download quotas. so I should make sure that the user doesn't 
>use another openid to login and continue using the website. pls 
>advise..

Um . . . no, OpenID (and this applies to any authentication system) 
is not the answer. There is NO authentication system (and don't trust 
anyone in the world who tells you otherwise) that can guarantee you, 
over the anonymity of the 'net, that a given user is not someone who has 
dealt with you before. Simply impossible. Individuals (important 
distinction from users, here - an individual is any person at the 
other end of a keyboard, users are how you know them at your site) 
cannot be FORCED to use the same credentials consistently. You 
*might*, conceivably, receive an offer from some mercenary team that 
would meet (on your behalf) potential "clients" (wannabe "users"), 
babysit them 24/7, and give you a call every time the individual was 
about to log in so you could confirm their username - but this is an 
exception, not the rule, and in any case unfeasible for your 
non-profitable music site ;)

Unless you're the RIAA . . . but even they haven't gone that far. Yet ;)

You can limit your popularity with certain OpenIDs, in an attempt to 
combat such tactics as "subdomain1.user.com, subdomain2.user.com, 
subdomain3.user.com", but what do you do if you see 
"profile.yahoo.com/D1105508B89AFBBF162C4B88966"? (Note: probably not 
a valid URI for Yahoo, just a quick example.) Does this mean that 
users are availing themselves of an ability to present a different 
URI to an OP on each authentication, to avoid tracking? Perhaps it 
simply means that the user has created more than one Yahoo account? 
(Which, by the way, are free.) How do you propose to keep the user 
from trying "another OpenID" when that OpenID is the very method by 
which you would identify users?

You can track their IP address (this could be part of an 
authentication system, complementing OpenID), banning numbers and 
then entire blocks with excessive use (the exact definition of 
"excessive" being up to you), but some of them will just go through 
free proxies. This is self-limiting; if more than one person uses a 
proxy, you just catch it faster. If you do go that route, automate 
it, because new proxies are always becoming available (and old ones, 
disappearing), and you don't want to waste your time on that endless 
task.

I don't recommend it, though; you can go a long way with such 
countermeasures, and STILL have problems. You can hope to keep the 
costs down to manageable levels, at best. But users who want to 
"cheat" will still do so; *they* can outthink *you* - not all of 
them, and not all of the time, but a few of them will always be 
slipping through. The strategy I recommend is *rewarding* users for 
staying with a single OpenID: make the benefits outweigh whatever 
short-term gain they might receive, so users won't *want* to cheat 
that way.

This *would* encourage people to use the same OpenID for logging in, 
no matter where they are. Find out which OPs (if any) offer a unique 
password for logging in to predefined sites (OSP: one-site-password), 
and recommend them to users, so the OP doesn't become a gateway to 
all that user's *other* sites if they log into your site from a 
public terminal.

-Shade
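The per-OpenID quota bookkeeping and the complementary per-IP-block count the message describes, as an added example (not code from the original post or from any OpenID library); the `QuotaTracker` class, `run_sample` and the sample events are constructed for illustration:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

def normalize_openid(identifier: str) -> str:
    """Canonicalize an OpenID URL identifier so one identity maps to one
    account: prepend "http://" if no scheme, lowercase scheme and host, drop
    the fragment, use "/" for an empty path (OpenID 2.0 URL normalization;
    XRI identifiers are not handled in this example)."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

class QuotaTracker:
    """Count downloads per normalized OpenID and per IP block, so heavy use
    from one network still shows when an individual rotates OpenIDs."""
    def __init__(self, user_quota: int, block_quota: int):
        self.user_quota = user_quota
        self.block_quota = block_quota
        self.by_user = defaultdict(int)
        self.by_block = defaultdict(int)

    def record(self, openid: str, ip: str) -> dict:
        user = normalize_openid(openid)
        addr = ip_address(ip)
        prefix = 24 if addr.version == 4 else 64  # block size per address family
        block = str(ip_network(f"{addr}/{prefix}", strict=False))
        self.by_user[user] += 1
        self.by_block[block] += 1
        return {"user": user, "block": block,
                "user_over": self.by_user[user] > self.user_quota,
                "block_over": self.by_block[block] > self.block_quota}

# Constructed sample: one network rotating through three OpenIDs, plus an
# unrelated user elsewhere (documentation address ranges).
EVENTS = [
    ("subdomain1.user.com", "198.51.100.10"),
    ("subdomain2.user.com", "198.51.100.11"),
    ("Subdomain1.User.com/", "198.51.100.10"),
    ("http://subdomain3.user.com/#x", "198.51.100.12"),
    ("subdomain1.user.com", "198.51.100.10"),
    ("alice.example.org", "203.0.113.5"),
]

def run_sample(user_quota: int = 2, block_quota: int = 4) -> list:
    tracker = QuotaTracker(user_quota, block_quota)
    return [tracker.record(openid, ip) for openid, ip in EVENTS]
```

With the sample, the fifth event trips both the per-user and the per-block quota even though the block's use is spread over three different OpenIDs.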


