Pitfalls in OpenID

I read some buzz about "identity problems" related to OpenID. However, until Christmas I couldn't really get to the root of the relation between "identity theft" and OpenID. I was quite surprised to see how easy it is to "steal" an identity via OpenID.

The problem with OpenID is that the authenticating side (the OpenID provider) only reports back to the authorizing side (the service the user wants to log in to) that authentication succeeded, but not who authenticated. Therefore, two different people can authenticate for the same URL and yet appear as the same user to the authorizing side.

The problem arises from the underlying concept of OpenID, which assumes that one user is identified by one URL - with the emphasis on one. This means that the authorizing side of the OpenID exchange expects a given URL to authenticate exactly one user. However, this condition does not necessarily hold for every URL that is served by an OpenID provider (the authenticating side).

For example, every blog on blogspot acts as an OpenID provider for that blog's authors. This lets blogspot authors use their blog URL for OpenID authorization at other services. Given OpenID's "one URL authenticates one user" concept, an entire group of blogspot authors can thereby be connected to a single OpenID-authorized account at another service. This happens whenever a blog has more than one author. It may escape the users' attention, because every user of the URL is asked individually whether the OpenID authorization is OK, which gives the impression that the provider reports different identities to the authorizing service. Of course it does not: the authorizing service treats every successful response from the OpenID provider of a URL as authorizing the same user account.

Therefore, anyone who uses OpenID to obtain authorized access to a service needs to double-check that they are the only user who can authenticate with the chosen URL.
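The collision described above, as an added toy model that is not part of the original post (the provider, relying party, URLs and author names are all constructed for illustration): the provider's assertion carries only the URL, so the relying party maps every author of a shared blog to the same local account, and the only check available is to see which URLs have more than one person behind them.

```python
from dataclasses import dataclass


@dataclass
class Assertion:
    """What the provider reports back: the identifier URL and success, never the person."""
    claimed_id: str
    success: bool


class OpenIDProvider:
    """Toy provider modelled on a multi-author blog host: one URL, several logins."""

    def __init__(self):
        # url -> {username: password}; constructed sample data only
        self.authors: dict[str, dict[str, str]] = {}

    def add_author(self, url: str, username: str, password: str) -> None:
        self.authors.setdefault(url, {})[username] = password

    def authenticate(self, url: str, username: str, password: str) -> Assertion:
        ok = self.authors.get(url, {}).get(username) == password
        return Assertion(claimed_id=url, success=ok)  # who logged in is not reported


class RelyingParty:
    """Toy authorizing service: accounts are keyed solely on the claimed URL."""

    def __init__(self):
        self.accounts: dict[str, str] = {}  # claimed_id -> local account id

    def login(self, assertion: Assertion):
        if not assertion.success:
            return None
        new_id = f"acct-{len(self.accounts) + 1}"
        return self.accounts.setdefault(assertion.claimed_id, new_id)


def shared_identifiers(provider: OpenIDProvider) -> list:
    """The check the post recommends, seen from the provider's data: URLs with >1 login."""
    return sorted(u for u, users in provider.authors.items() if len(users) > 1)


def demo():
    op = OpenIDProvider()
    op.add_author("https://teamblog.example/", "alice", "pw-a")
    op.add_author("https://teamblog.example/", "bob", "pw-b")
    op.add_author("https://solo.example/", "carol", "pw-c")
    rp = RelyingParty()
    alice = rp.login(op.authenticate("https://teamblog.example/", "alice", "pw-a"))
    bob = rp.login(op.authenticate("https://teamblog.example/", "bob", "pw-b"))
    carol = rp.login(op.authenticate("https://solo.example/", "carol", "pw-c"))
    rejected = rp.login(op.authenticate("https://solo.example/", "carol", "wrong"))
    return alice, bob, carol, rejected, shared_identifiers(op)
```

Running `demo()` shows alice and bob landing in the same relying-party account while carol gets her own, and lists the team blog as the one URL that is not safe to use as a personal identifier.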