OpenID 2.0 and Yahoo: The security angle

Yahoo is supporting OpenID 2.0 and could triple the number of accounts in the single sign-on framework.

Yahoo is supporting OpenID 2.0 and could triple the number of accounts in the single sign-on framework.

I posted the details on Between the Lines and Techmeme has more, but after some initial enthusiasm I started thinking out loud about security.

Yahoo noted that it pushed for security enhancements to support OpenID 2.0, but it remains to be seen whether it's enough. Why? IDs, once consolidated, become way more valuable. Is there any question that this ID honeypot will be irresistible to hackers? The OpenID framework wasn't targeted because it wasn't worth it. With Yahoo on board OpenID suddenly looks more interesting to hackers.

Sure there's the user convenience of consolidating your user IDs across the Web with a company like Yahoo. As a user I'm on board--until I think about what happens if my ID gets swiped.

Assuming every Web titan winds up participating in OpenID 2.0--and that's a big assumption--a hacker could snag one ID and get the keys to your Web kingdom.

OpenID on its site notes:

For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.OpenID is still in the adoption phase and is becoming more and more popular, as large organizations like AOL, Microsoft, Sun, Novell, etc. begin to accept and provide OpenIDs.

That's fine, but trusting the party that keeps your OpenID data will be critical--especially since a company like Yahoo will be targeted. Perhaps those multiple IDs aren't so bad after all. I'll update once I get beyond the thinking out loud stage.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All