Wednesday, September 23, 2009

The Risk of OpenID

OpenID seems a promising standard for user authentication. If service providers support OpenID, users can log in without creating yet another account and password; ideally, a user needs to remember only one. However, such convenience comes at a cost: that single account and password, or the OpenID provider itself, becomes a single point of failure. If you forget your password, or the identity provider withdraws your account because you did not log in during the past three months, you have no way to log in to any of the services. Here we assume that the service providers accept authentication only from OpenID providers. The same applies to other forms of third-party authentication.

For users, care should be taken in choosing an OpenID provider; keep the OpenID account active and protect its password. For service providers, allow other ways of authenticating besides OpenID (for example a local password, or the ability to link a second OpenID to the same account), so that a user does not lose access to the service on losing their OpenID.
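The following is an added example, not code from the original post, of how a relying party can follow that advice: local accounts are keyed by a username, and OpenID identifiers are linked credentials rather than the account's primary key, so a second credential (a password or another OpenID) keeps the account usable when the provider withdraws the identifier. The `FakeProvider` class, the identifier URLs, the username `alice` and the password are all constructed for the example; the provider's signed-assertion verification and its discovery from the identifier are stand-ins, not an OpenID protocol implementation.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


def normalize_openid(identifier: str) -> str:
    """Simplified OpenID 2.0 URL normalization: default http scheme, lowercase
    scheme and host, fragment stripped, '/' for an empty path. XRI i-names omitted."""
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class FakeProvider:
    """Constructed stand-in for an OpenID provider. vouch() models a verified
    positive assertion for an identifier the provider still serves; a withdrawn
    (or unreachable) account yields no assertion at all."""
    def __init__(self, served: set[str]):
        self.served = {normalize_openid(i) for i in served}
        self.reachable = True

    def withdraw(self, identifier: str) -> None:
        self.served.discard(normalize_openid(identifier))

    def vouch(self, identifier: str) -> bool:
        return self.reachable and normalize_openid(identifier) in self.served


@dataclass
class Account:
    username: str
    openids: set = field(default_factory=set)   # linked, provider-verified identifiers
    pw_salt: bytes | None = None
    pw_hash: bytes | None = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RelyingParty:
    """Accounts live under a local username; any linked credential can sign in."""
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.openid_index: dict[str, str] = {}   # normalized identifier -> username

    def register(self, username: str) -> Account:
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = Account(username)
        return self.accounts[username]

    def link_openid(self, username: str, identifier: str, provider: FakeProvider) -> bool:
        """Link only after the provider vouches for the identifier and it is not
        already linked elsewhere, so nobody can claim another user's identifier."""
        ident = normalize_openid(identifier)
        if not provider.vouch(ident) or ident in self.openid_index:
            return False
        self.accounts[username].openids.add(ident)
        self.openid_index[ident] = username
        return True

    def set_password(self, username: str, password: str) -> None:
        acct = self.accounts[username]
        acct.pw_salt = os.urandom(16)
        acct.pw_hash = _hash_password(password, acct.pw_salt)

    def login_openid(self, identifier: str, provider: FakeProvider) -> Account | None:
        # Real OpenID would discover the provider from the identifier; here it is passed in.
        ident = normalize_openid(identifier)
        username = self.openid_index.get(ident)
        if username is None or not provider.vouch(ident):
            return None
        return self.accounts[username]

    def login_password(self, username: str, password: str) -> Account | None:
        acct = self.accounts.get(username)
        if acct is None or acct.pw_hash is None:
            return None
        if not hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.pw_salt)):
            return None
        return acct


def scenario() -> dict:
    """The failure mode from the post, then the mitigation: a second credential."""
    provider = FakeProvider({"https://openid.example.net/alice"})
    rp = RelyingParty()
    out = {}
    rp.register("alice")
    rp.link_openid("alice", "https://openid.example.net/alice", provider)
    out["before"] = rp.login_openid("https://openid.example.net/alice", provider) is not None
    provider.withdraw("https://openid.example.net/alice")   # dormant account deleted
    out["after_withdrawal"] = rp.login_openid("https://openid.example.net/alice", provider) is not None
    out["no_fallback"] = rp.login_password("alice", "correct horse") is not None
    rp.set_password("alice", "correct horse")               # mitigation: local credential
    out["fallback"] = rp.login_password("alice", "correct horse") is not None
    out["fallback_wrong_pw"] = rp.login_password("alice", "wrong") is not None
    new_provider = FakeProvider({"https://id.example.org/alice"})
    out["relinked"] = rp.link_openid("alice", "https://id.example.org/alice", new_provider)
    out["login_new"] = rp.login_openid("https://id.example.org/alice", new_provider) is not None
    return out
```

The design point is the index direction: the OpenID identifier maps to a local account, never the other way round, so withdrawing or re-linking an identifier changes one index entry and leaves the account and its other credentials intact.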

OpenID is not that open: an identifier is tied to the provider's domain, so it is not even as portable as a telephone number, which can be transferred between telephone service providers. Delegation (pointing a URL you control at a provider) mitigates this, but only for users who own a domain.
