Does Yahoo! OpenID 2.0 support open up security concerns?

Did you notice that Yahoo! has supported the OpenID 2.0 digital identity framework? OpenID (it says here) is an open framework that allows you to consolidate your Internet identity and thereby eliminate the need to create separate IDs and logins at all of the various web sites, blogs, photo-streams and profile pages you may visit.

OK, competition time. If any number of a user’s identities are brought together, what’s the first word that comes to mind?


Alright, so that’s two words – but you get the point.

This is just a public Beta of course, but it will mean that in addition to Yahoo! Services, anyone with a Yahoo! ID will be able to use the same ID for access to any of the 9,000 sites that currently support OpenID.

OK OK I may be looking for problems where they don’t exist. The official line on security is as follows. “Yahoo’s implementation is based on the OpenID 2.0 specification, which was finalised in December 2007 and includes new features that improve the security and usability of OpenID, making it the most user-friendly single sign-on and online user-authentication standard. Yahoo! users who log in with their Yahoo! ID on OpenID sites will have the added protection of Yahoo!’s sign-in seal wherever they go on the web, providing additional security and ensuring that no email or IM addresses are revealed or disclosed as part of any login process, protecting users from phishing or other attacks.”

So that’s alright then? Well, Yahoo! aren’t fools, are they? In fact I’m quite a fan and have met co-founder David Filo personally. But if you Google (or indeed if you Yahoo!) the term “OpenID security concerns” you’ll get a list of blog entries from techies everywhere asking questions about security concerns for their own real-world implementations of OpenID. A note of caution to end: this blog entry is not meant to be alarmist or deliberately negative, simply to make sure we do discuss these things before they get out of hand. Call it healthy discussion, call it typical British tech journo cynicism, or simply call it wariness of new ‘cure-all’ solutions in an increasingly security-aware world.