[Ed. The OpenID protocol is rapidly gaining momentum in the social networking arena. Exemplifying the momentum OpenID is gaining, Symantec recently announced that it would support OpenID in its Security 2.0 identity offering. As it is gaining visibility the OpenID protocol is being scrutinized more closely by those looking for it to handle identity usage in higher value applications. In this process, a discussion has arisen about OpenID's susceptibility to phishing attacks, and what the protocol might do about this fact.
This conversation has spurred a wider community to seriously consider the problem, both in OpenID and the more general case of any browser based identity protocol. Scott Kveton, CEO, JanRain, Inc. has written the following summary of this conversation to date. – Phil Becker]
David Recordon announced the latest draft of OpenID 2.0 to the OpenID general mailing list last week. The discussion that followed involved the lack of support in the latest specification for dealing with phishing. The argument is that since your OpenID could get you into all of the sites you visit on a regular basis, it will become a much bigger target for phishing from attackers. As the argument goes, users will actually be worse off than they are today: a compromise will no longer be limited to one account on one site, because with a single OpenID all of their accounts are compromised at once.
Several people, including Microsoft's digital identity architect Kim Cameron, blogged on this raising considerable concern from the OpenID community and those looking to adopt the technology.
The most worrisome scenario is when a user is redirected to their OpenID provider to enter their password. The user has to trust that the OpenID enabled site they are trying to log in to will redirect them to their identity provider and not to some bogus phishing site. Really, any time a user has to enter a password into the browser we have cause for concern. However, once the user has logged in, they don't have to enter their password into the browser again until their session times out. This is actually an interesting opportunity. More on that in a bit.
As the discussions continued, several ideas emerged on ways to tackle the OpenID phishing problem:
- Require external authentication via SMS, email or some other out-of-band method when doing the login.
- Develop an identity manager, extension or plugin for the browser that allows you to define your identity to the browser first.
- Deploy something like Yahoo! sign-in seal or MyOpenID's Personal Icon on OpenID providers.
- Create an option on OpenID providers that will not allow logins via password after being redirected to your OpenID provider. The user is forced to manually enter the URL of their OpenID provider or use a bookmark that they have already set up.
- Use CardSpace to authenticate with the OpenID provider.
Taken by themselves, these techniques don't give users enough protection against the risks they face. However, if you put a combination of them together, you have a much more compelling means with which to fight phishing.
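To make the "no password after redirect" option from the list above concrete, here is an added example written for this summary (not code from any OpenID provider or library): a minimal model of the OP side of an OpenID 2.0 checkid request, where the parameter names follow the 2.0 draft and the session object, user table and simplified realm check are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"  # OpenID Authentication 2.0

@dataclass
class Session:
    user: Optional[str] = None               # set only by a direct (bookmark) login
    no_password_after_redirect: bool = True  # the per-user option from the list

def bookmark_login(session, username, password, users):
    """Login reached by typing the OP's URL or using a bookmark; this is the
    only path that ever accepts a password when the option is enabled.
    `users` is a constructed username->password table for the example."""
    if users.get(username) == password:
        session.user = username
        return True
    return False

def return_to_within_realm(return_to, realm):
    """Simplified OpenID 2.0 realm check: same scheme and port, host equal or
    (for a '*.' realm) a subdomain, and return_to path under the realm path."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    host_ok = (rt.hostname.endswith(rl.hostname[1:]) if rl.hostname.startswith("*.")
               else rt.hostname == rl.hostname)
    return (rt.scheme == rl.scheme and rt.port == rl.port and host_ok
            and rt.path.startswith(rl.path or "/"))

def handle_checkid(session, params):
    """Decide what the OP does with a request that arrived via an RP redirect."""
    if params.get("openid.ns") != OPENID_NS:
        return ("error", "unsupported protocol version")
    mode = params.get("openid.mode")
    if mode not in ("checkid_setup", "checkid_immediate"):
        return ("error", "unexpected mode")
    return_to = params.get("openid.return_to", "")
    realm = params.get("openid.realm", return_to)
    if not return_to or not return_to_within_realm(return_to, realm):
        return ("error", "return_to not within realm")
    if session.user is None:
        if mode == "checkid_immediate":
            return ("redirect", {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"})
        if session.no_password_after_redirect:
            # Never render a password form for a redirected request: whichever
            # site sent the user here (possibly a bogus one) gets no password.
            return ("refuse", "log in at your OpenID provider directly first")
        return ("password_form", realm)
    # Already logged in via bookmark: only a consent screen is needed.
    return ("consent", {"user": session.user, "realm": realm})
```

The point of the model is that a redirected request can only ever reach the consent step or a refusal, so the password is typed solely at the page the user navigated to themselves.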
Phishing has always been a difficult problem to solve, but solutions exist on sites like eBay, PayPal and Amazon. The burden, however, has always been placed on the users to implement these personalized solutions. Unfortunately, it's not practical to expect that users will set up all of these anti-phishing tools for every single site they go to.
Enter OpenID. With OpenID, users build a strong relationship with their OpenID provider. They visit it every day when they turn on their computer or open a new browser window. Users will be able to set up several different anti-phishing measures on their OpenID provider and reap the benefits on every single site they go to. This is the interesting opportunity I alluded to before. By employing the anti-phishing tactics described above, and as OpenID begins to gain widespread adoption, we will see those very tools becoming a driver of OpenID.
The tough thing about these options is that they are difficult if not impossible to mandate in the OpenID specification without taking away from the core strength and main driver of adoption of OpenID today -- simplicity. However, several of these features already exist on OpenID providers. Discussions are happening with Mozilla to integrate support for OpenID into Firefox 3.0. There are several extensions out that allow you to set visual cues for specific sites like your OpenID provider. And we already know that CardSpace and OpenID are working together. Not only that, the OpenID and CardSpace communities are having discussions on how to leverage each other's strengths to benefit users everywhere.
In spite of all the concerns, OpenID continues to gain adoption at a rapid pace. We are seeing 10 - 15 new OpenID enabled sites coming on-line each day. They are adopting the technology because of its simplicity, because it is decentralized, because it does just one thing really well. The technology will continue to evolve and will mature to answer the security implications we can think of today as well as the ones that will come up in the future. Most importantly, the response from the OpenID community has been astonishing and proof positive that this vibrant group of people is ready to deliver the next generation of digital identity.