OpenID 2.0 and Yahoo: The security angle

Summary:Yahoo is supporting OpenID 2.0 and could triple the number of accounts in the single sign-on framework.

Yahoo is supporting OpenID 2.0 and could triple the number of accounts in the single sign-on framework.

I posted the details on Between the Lines and Techmeme has more, but after some initial enthusiasm I started thinking out loud about security.

Yahoo noted that it pushed for security enhancements to support OpenID 2.0, but it remains to be seen whether it's enough. Why? IDs, once consolidated, become way more valuable. Is there any question that this ID honeypot will be irresistible to hackers? The OpenID framework wasn't targeted because it wasn't worth it. With Yahoo on board OpenID suddenly looks more interesting to hackers.

Sure there's the user convenience of consolidating your user IDs across the Web with a company like Yahoo. As a user I'm on board--until I think about what happens if my ID gets swiped.

Assuming every Web titan winds up participating in OpenID 2.0--and that's a big assumption--a hacker could snag one ID and get the keys to your Web kingdom.

OpenID on its site notes:

For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.OpenID is still in the adoption phase and is becoming more and more popular, as large organizations like AOL, Microsoft, Sun, Novell, etc. begin to accept and provide OpenIDs.

That's fine, but trusting the party that keeps your OpenID data will be critical--especially since a company like Yahoo will be targeted. Perhaps those multiple IDs aren't so bad after all. I'll update once I get beyond the thinking out loud stage.

Topics: Enterprise Software, Browser, Legal, Security, Social Enterprise

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.