OpenID 2.0 and Yahoo: The security angle

Summary: Yahoo is supporting OpenID 2.0 and could triple the number of accounts in the single sign-on framework.

I posted the details on Between the Lines and Techmeme has more, but after some initial enthusiasm I started thinking out loud about security.

Yahoo noted that it pushed for security enhancements to support OpenID 2.0, but it remains to be seen whether it's enough. Why? IDs, once consolidated, become way more valuable. Is there any question that this ID honeypot will be irresistible to hackers? The OpenID framework wasn't targeted because it wasn't worth it. With Yahoo on board OpenID suddenly looks more interesting to hackers.

Sure there's the user convenience of consolidating your user IDs across the Web with a company like Yahoo. As a user I'm on board--until I think about what happens if my ID gets swiped.

Assuming every Web titan winds up participating in OpenID 2.0--and that's a big assumption--a hacker could snag one ID and get the keys to your Web kingdom.

OpenID on its site notes:

For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins. OpenID is still in the adoption phase and is becoming more and more popular, as large organizations like AOL, Microsoft, Sun, Novell, etc. begin to accept and provide OpenIDs.

That's fine, but trusting the party that keeps your OpenID data will be critical--especially since a company like Yahoo will be targeted. Perhaps those multiple IDs aren't so bad after all. I'll update once I get beyond the thinking out loud stage.

1 comment
  • Always use a different password for each member registration

    This is something that security officials commonly state; it seems to be a wise guideline, and the adoption of this technology may make the ability to follow this guideline nonexistent. Is this good? On the one hand this is certainly more convenient for the end user, but on the other hand end users are making themselves more vulnerable by using one identity for every website they become a member of. All it takes is one successful exploit of this system and everyone's identity is toast; password authentication is flawed in this aspect. A more respectable method of authentication would be the use of smart cards or fingerprint scanners.

    - John Musbach