
OpenID and the Phishing Gold Rush

A major French telecom yesterday announced support for the OpenID lightweight identity management standard. Some people are really excited about this. I'm sorry to say a lot of those are probably phishers who are thinking the great Phishing Gold Rush of '07 is about to begin. Federated identity management (FIM) is hard, and the OpenID standard provides some of the convenience elements of FIM but not enough of the security.

Here's the take from the "excited" side of the debate over at Read/Write Web:

Orange SA, a subsidiary of France Telecom, announced today at the Digital ID World conference in San Francisco that France Telecom will act as an OpenID server-agent. That means the company will verify the identities of their 40 million users immediately, without the need for another account to be created, for any other site on the web that supports OpenID.

This according to Six Apart's David Recordon who blogged and Twittered excitedly from the event. Recordon, an expert in emerging identity issues, says that the move makes France Telecom the world's first major telco to support OpenID.

Now for counterpoint. Stephan Brands at the Identity Corner sums up the arguments against OpenID:

OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords. (Of course, local password store utilities already do that; more on this later.)


Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

Brands has a long post on the security, privacy, trust and usability issues with OpenID that is well worth the time to read. He summarizes a number of other arguments against OpenID, with links to other detailed critiques, including one from Ben Laurie, who concludes:

I’m reluctantly forced to come to the conclusion that the OpenID people don’t care about phishing, since they’ve defined a standard that has to be the worst I’ve ever seen from a phishing point of view.

I for one am not trading security and privacy for convenience.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net