OpenID

Dear Community,

what do you think about using OpenID for Challenge-Sites?

Here is some information: Wiki, YouTube (simple explanation), some information from Google and Yahoo!.
A longer video from GoogleTechTalks is also online.

Plaxo published A Recipe for OpenID-Enabling Your Site

Software I'd suggest: OpenID-Selector (JavaScript) and lightopenid (PHP).
Stackoverflow uses something very similar to the OpenID-Selector.

I really like OpenID and I would like it to get used in some more websites.

Reasons for OpenID:
* Too many passwords: I don't trust some challenge websites I've found and for all of them I don't want to use a password which might get critical (so I have to use different passwords for eBay, Amazon, Email, Server, and the Challenge websites. Even if I used the same password for all challenge-websites, that were 5 different passwords)
* Too many usernames: Quite often I have the problem, that I don't remember my username for challenge websites, as moose is used quite often and I have to take moose2, themoosemind, ...
* Easier Registering: With OpenID and attribute exchange you don't have to fill a form. No Email-confirmation
* Easier Login: Most of the time you don't have to type in your password again
* More possibilities of proving your identity: The OpenID protocoll doesn't need a special login. The identity provider may identify the user like he thinks its the securest way. This means, a two-way authentification is also possible. You could additionally get a SMS with a random code to log in each time you use OpenID. German users could also use the new identity card with a "Komfortlesegerät" to prove their identity.

Privacy:
If you like to do these, ask the user if it's ok for him to publish his OpenID!
* (Possibly) easier Challenge Accounts registration in wechall: If other websites displayed the OpenIDs of the users, wechall.net could directly sync the sites.
* "Discovery" possbile: If a new User registers at wechall.net with OpenID, wechall.net could automatically check if this OpenID is already at other challenge sites (if they allow search for OpenID) and add these sites to the wechall-profile without bothering the user with registering Email-Adresses.

Concerns agains OpenID:
* It is basically a method of re-using a password. This is never a good idea. -> Password re-using is already happening. So OpenID wouldn't change anything.
* If the system of the OpenID provider is somehow compromised it then gives access to the linked services
* Once the OpenID-Account is hacked, the attacker knows the sites which use OpenID and has the account for logging in.

This got suggested already, but i think a centralized login system is not a good thing.

What happens if your password is exposed?

Quote from Gizmore

What happens if your password is exposed?

If the security problem is on the Challenge-Website:
* Without OpenID:
** If you used the same password everywhere: The attacker gets your Email-Adress. If you have emails from other services in there, all those services can be used by the attacker. Even if not, he might try the critical ones (Amazon, eBay, PayPal ... )
** If you used different passwords: Only the account for this service is concerned
* With OpenID: Nothing, as the password isn't stored on the Challenge-Website. He gets the URL, which is public.

If the security problem is on your OpenID provider:
* All services connected with OpenID are concerned.

So the OpenID provider has to be secure. OpenID should always be optional, so the people who have security concerns can simply not use it. By the way, here is the right place of the TechTalk for this question.

If you look carefully, while OpenID makes things more convenient, it's just a method of reusing the same password on different sites, which is not a good practice.

I myself think the Internet needs a revolution. The current authentication mechanisms are getting more and more complicated but still security hasn't been ensured.

Quote from quangntenemy

If you look carefully, while OpenID makes things more convenient, it's just a method of reusing the same password on different sites, which is not a good practice.

Of course it is a method of reusing the same password. But only the way how we would reuse the passwords would change. If you have a different password for each site, you could also with an optional OpenID-login use different passwords. However, I'm quite sure nobody uses a very different password for each site. Some might have a standard-password like "thisismypass" and add some string for each website. So, for wechall they might use "thisismypass+wechall" or something simmilar.

As I already mentioned, I use completely differnet passwords for websites which need to be more secure, like bank accounts. As I am registered at over 30 websites, I don't use a different password for all of these. For many of them, like the challenge pages, it would be annoying if my account would get hacked, but it wouldn't do more harm. I would use one OpenID for those pages, where I am already using the same passwords.

Quote from quangntenemy

I myself think the Internet needs a revolution. The current authentication mechanisms are getting more and more complicated but still security hasn't been ensured.

You know that you can use any authentification method with OpenID which you would like to use? I added a paragraph "More possibilities of proving your identity" to my first post.
I guess two way authentification is a way more secure than any login-mechanism which is in use on all the challenge-websites.

I have always had issues about the security of such systems. As much as OpenID is apparently 'safe' I still believe that any one system which then grants access to other services provides more of a risk to the user because if this one system is somehow compromised it then gives access to the linked services just as if a password is reused on any site and the password is discovered.

Remember, what is classed as 'safe' at the moment, may not be in a year or so due to the rise of new exploits and I for one would not take that chance.
I think if OpenID were an option for the challenge sites then Revolution Elite would not implement it.
Regards,
Ian

So you think the OpenID-protocol itself (not an implementation) might be insecure?
Do you think OpenID is generally a bad idea or only for challenge-websites?

By the way, a bank where I've been for some years started to offer online banking. I tried it and changed my password, but they only allowed passwords with at most 5 alphanumeric characters! Do you think an OpenID solution, where I could choose an identity provider which allows me to use a better password would provide more of a risk to the user? (I changed the bank quite shortly after, but I was astonished of this restriction. Their deposit account is over one milliard euro, so I think the bank isn't very small and they belong to a much bigger group of banks).

Why i think that OpenID is "bad"?

Simply maybe because it one password for all. And there wouldbe enought to compromise OpenID once to compomice all.

For that sites that I think is not secure i use random generated password + autologin (unique pass dont give access to other site logins).

For proving your identity make cert .

OpenID with one account "for all" dont allow you to be anonym if you whant to be so.

And also I dont remember any site that i have used a lot that have OpenID type login.

Usign fast and easy logins make many users. But dont meant that he will stay and solve something. Atleast register->email->accept will afraid some one who whant to see what that is. People
who whant to solve dont need easy login they need challanges =].

Quote from freeartman

Jun 30, 2011 - 16:18:02

For that sites that I think is not secure i use random generated password + autologin (unique pass dont give access to other site logins).

What do you do if your system crashes (e.g. the HDD has a defect -> total loss of all data stored on this device)?

Quote from freeartman

Jun 30, 2011 - 16:18:02

And also I dont remember any site that i have used a lot that have OpenID type login.

stackoverflow.com as all stackexchange websites, userstyles.org, luxsci.com, sourceforge, wikitravel, zooomr, claimID, possibly all sites with drupal or wordpress and a lot more in the openiddirectory. You don't use any of them?
One of the (paid) developers of MediaWiki, the software that runs on Wikipedia, thinks about implementing OpenID. It's not his first priority, actually its quite at the bottom of his todo-list, but at the latest when it gets implemented in MediaWiki you'll know a Website which consumes OpenID.

I dont use any of this sites that is in the list. Only registred on some of them but dont think that i need them.

If system crashes I can easely restore all passwords with email( for email i remember my pass.). Every site has "Restore password" button. If afraid from crash make backups if not its you responsebilty
(i dont afraid from crashes, i more afraid from updates then crashes.).