Ben Laurie blathering

Using OpenID Responsibly

Some guy called Thomas asks the very reasonable question (where “this problem” is the OpenID phishing problem):

Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.

Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites?

So, the answer to this is: you should only accept OpenID logins from providers that use unphishable authentication. How can you know what authentication they use? Well, right now you can’t, but a group of us are about to work on the OpenID Provider Authentication Policy Extension (a.k.a. PAPE) which will enable you to find out.

Until then, my answer continues to be “just say no”, if you are a website maker. If you are an OpenID user, then the answer is to find a provider that supports unphishable authentication – at least you will be safe, even if the rest of the world continues to suffer.
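To make the “only accept unphishable providers” rule concrete on the relying-party side, here is an added example (mine, not code from this post or from any OpenID library). It assumes the policy identifiers that the PAPE 1.0 specification eventually defined (the `http://schemas.openid.net/pape/policies/2007/06/...` URIs and the `http://specs.openid.net/extensions/pape/1.0` namespace), and it assumes the OpenID 2.0 assertion signature has already been verified by the site’s OpenID library. What it adds beyond the paragraph above is the check that the provider’s policy claim is actually inside the signed field list, since an unsigned claim is worth nothing, and that a bare “multi-factor” claim is not treated as unphishable. The sample responses are constructed for the example.

```python
"""Relying-party decision: accept an OpenID login only if the provider asserts,
under its signature, that phishing-resistant authentication was used (PAPE).

Assumptions (not from the original post): PAPE 1.0 identifiers; the
assertion's signature, nonce and return_to have already been checked by the
OpenID library, so only the policy decision is made here.
"""
from urllib.parse import parse_qs, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_PREFIX = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_PREFIX + "phishing-resistant"
MULTI_FACTOR = POLICY_PREFIX + "multi-factor"
POLICY_NONE = POLICY_PREFIX + "none"

# Only phishing-resistant counts as "unphishable". A second factor that the
# user types in (OTP, SMS code) can still be relayed by a phishing page.
ACCEPTABLE = {PHISHING_RESISTANT}


def pape_request_params():
    """Extra parameters the RP adds to its checkid_setup request, asking the
    provider to use (and report) phishing-resistant authentication."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
    }


def parse_openid_response(query_string):
    """Flatten the query string of a positive assertion into a dict."""
    params = parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in params.items()}


def pape_alias(params):
    """Find the extension alias the provider used for PAPE (usually 'pape')."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def asserted_policies(params):
    """Return the set of PAPE policies the provider asserted under its
    signature; empty if PAPE is absent, unsigned, or reports 'none'."""
    alias = pape_alias(params)
    if alias is None:
        return set()
    signed = set(params.get("openid.signed", "").split(","))
    # The claim is only trustworthy if both the namespace declaration and the
    # policy field are covered by the signature the library verified.
    if f"ns.{alias}" not in signed or f"{alias}.auth_policies" not in signed:
        return set()
    policies = params.get(f"openid.{alias}.auth_policies", "").split()
    return {p for p in policies if p != POLICY_NONE}


def should_accept_login(query_string):
    """True only if a signed, phishing-resistant policy was asserted."""
    return bool(asserted_policies(parse_openid_response(query_string)) & ACCEPTABLE)


def make_response(auth_policies=None, sign_pape=True):
    """Constructed (fake) positive assertion containing just the fields this
    check looks at; the signature value is a placeholder."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": "https://user.example.net/",
        "openid.sig": "constructed-signature-placeholder",
    }
    signed = ["mode", "claimed_id"]
    if auth_policies is not None:
        fields["openid.ns.pape"] = PAPE_NS
        fields["openid.pape.auth_policies"] = auth_policies
        if sign_pape:
            signed += ["ns.pape", "pape.auth_policies"]
    fields["openid.signed"] = ",".join(signed)
    return urlencode(fields)


# Constructed sample responses covering the cases a relying party will meet.
GOOD = make_response(PHISHING_RESISTANT)                     # accept
MULTI_ONLY = make_response(MULTI_FACTOR)                     # reject: phishable
UNSIGNED = make_response(PHISHING_RESISTANT, sign_pape=False)  # reject: unsigned claim
NONE_POLICY = make_response(POLICY_NONE)                     # reject: provider says none
NO_PAPE = make_response()                                    # reject: no PAPE at all

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("multi-factor only", MULTI_ONLY),
                       ("unsigned", UNSIGNED), ("none", NONE_POLICY),
                       ("no pape", NO_PAPE)]:
        print(f"{name:18s} accept={should_accept_login(resp)}")
```

The request side (`pape_request_params`) only expresses a preference; a provider is free to ignore it, which is why the decision is made on the signed response and not on what was asked for.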


  1. By the same logic, would you advocate against developers using Google’s authentication API as encouraged by App Engine? Google’s authentication system has no protection against phishing, and App Engine encourages developers to use their authentication API which includes clicking through to a Google login page which could well be a phishing imitation.

    The OpenID phishing concern isn’t unique to OpenID.

    Comment by Simon Willison — 23 Jun 2008 @ 8:41

  2. In addition to Simon’s valid point that many other online authentication mechanisms are subject to phishing – I would say that because of the long-time concerns the OpenID community has had in this area, OpenID is the *least* vulnerable to phishing these days. That is because providers have really been focusing on making the experience as secure as possible. Vidoop’s imageshield technology, myOpenID’s ability to accept client-side TLS certs, phone calls, and to display a cookie-based image, and’s “bookmark takes you to HTTPS page” solutions all make phishing a lot harder than with many other authentication options (such as email+password, which is trivial to phish, like Facebook et al are all the time).

    I also think it’s important not to confuse security concerns (having to do with what an attacker can do even if you’re careful) with phishing concerns (what an attacker can do if he steals your credentials).

    Comment by Stephen Paul Weber — 20 Aug 2008 @ 13:00
