Recently OpenID has gained traction as a way to simplify management of the many web accounts most Internet users have. With this increased exposure, it has garnered praise for saving time and giving users greater control over their online identity. OpenID has also raised questions about its security, and whether it represents a step backwards that leaves users less secure. Critics point to the “single-password” nature of many OpenID implementations, and argue that keeping all your eggs in one basket is by definition more easily cracked, via either a phishing attack against your OpenID provider, or by an old-fashioned password sniff or brute-force attack.
Leaving alone the fact that various OpenID providers offer additional security features such as phone verification and SSL certificates, I still disagree with the assertion that having a parent account for a group of sites is necessarily less secure. Users are free to maintain multiple OpenID accounts if they choose, which will limit the payout for cracking into any one OpenID account. Here I will try to address the phishing/personal security and single-password aspects of OpenID use.
Phishing
As OpenID gains more widespread adoption, it will be the target of increased phishing attacks. Nobody disputes this, or the fact that having a single portal for multiple accounts is an attractive phishing target. Phishing has been an increasingly common attack vector and have increased in their sophistication (as shown on this list of popular attacks from back in 2006). Fortunately, user understanding and general awareness has increased as well, and browser manufacturers have worked to help users identify attacks in progress. This back-and-forth between the forces of good and evil certainly isn’t ever going to end, and being vulnerable to a certain attack vector isn’t going to be the death knell of any new technology, since pretty much everything is vulnerable to one attack or another.
In my experience, one benefit of increased OpenID adoption has been for users to question their online security. Often a person will dismiss outright the technology as insecure, but once they have discussed it, will have a better understanding of OpenID in particular and their security in general. Even if that individual decides not to use OpenID as a part of their online identity management, they very well may become more knowledgeable while making the decision, and always have the option available if they later change their minds.
Single Password
How many web accounts do you access on a daily basis? How many more every couple weeks or each month? When you log into twenty, much less thirty or forty different accounts, how do you remember all the usernames/passwords?
– Keep the same password for everything, and never forget it or save it? A 2008 Accenture study noted that 88 percent of the 800 people surveyed have just one online password. Bad idea, folks. Additional demerits awarded if the username/password combo is saved in the browser to avoid filling in that same password each login.
– Write them down, either in a separate (maybe hidden or password-protected) file or on a piece of paper you keep in your desk? Do you obfuscate the site/username/password list to make it more difficult for another person to figure out? If we accept the results from last year’s study by Accenture, nearly half of Internet users in the United States write down their passwords in some format.
– Save the information in the browser’s or OS’s password manager? Here is another eggs-in-one-basket approach, and though it may require access to the physical machine, it is conceivable that this could be cracked through a browser exploit. Is this data encrypted, for instance with the Firefox password manager? With a strong password for the encryption key, this may be a stronger approach which could help reduce your vulnerability if someone gains access to your machine. Encryption may not help during a browser session however, as typically the browser ‘unlocks’ it after asking for the master password at the start of a session.
– Don’t do either and remember them all? At this point, how complex and varied is each password? For less frequented sites, how many times do you go back to ‘forget password’ and have an unencrypted, interceptable email sent which will either contain a link to reset the password, if not the plaintext password itself? Further, each time you signup at a new site ‘they’ have an email address, and probably some variation of your password scheme–if not a password that you already use elsewhere on the Web.
Since online identity management is a mix of convenience and security, a combination of the latter two approaches works well enough for me. As such, OpenID can fit into my strategy. Bank accounts, OpenID passwords, and other information get strong, unique passwords which are never saved or written down. (In fact, with recent exploits it may be best to do all your banking within a separate browser altogether from your general-use browser.) A few other non-essential accounts are encrypted and saved in the browser’s password manager. As previously mentioned, providers such as MyOpenID.com provide options like a SSL certificate and/or password combination that increases the security of your account.
I trust my OpenID provider to manage multiple accounts because it really only does one thing — keep track of my password, which doesn’t give a lot of openings to be cracked. Their sole responsibility (handshaking with the relying party, then validating my identity) is encrypted using an open protocol to which both sides must adhere. Even if it’s not using https:// (and with most providers it seems to), the underlying data is scrambled using Diffie-Helman, which I see as sufficiently secure for the purpose. If I used another provider that handles one of my other online accounts, such as AOL (Instant Messenger), Yahoo, or Google (who pretty much knows everything about everyone already), it would be because I already trust them to a certain degree with my information, as demonstrated by my use of their other services.
While OpenID may not be any more secure than individual email/passwords, it is not necessarily less secure either. With the additional bonus of more convenient web browsing and simplified account creation, I am a proponent of the technology. I want to see where this goes, and how we refine the model over time. Your comments are appreciated.
