Security Aspects for OpenIDs

saran | May 1 - 2010

As OpenIDs can be used to sign into multiple websites, the value of an OpenID increases with each additional site for which the OpenID is used. Users should take precautions to ensure that their account at their OpenID Provider is safeguarded against being compromised, including having a strong password, and keeping their account information up to date.

Where the OpenID provider supports it, users should sign in with a client certificate or another form of two-factor authentication rather than a password alone.

Users should only enter their password on their OpenID provider's login screen, and should check that the OpenID provider's address is displayed in the browser's address bar before doing so. A protocol like OAuth lets users share their data with a site without sharing their password.

If the OpenID provider offers an HTTPS identifier, users should log into Relying Parties (RPs) with the https:// prefix on their identifier.

When using a shared computer, users should remember to log out of their OpenID provider after completing their work. They should also log out of each RP, because the OpenID provider cannot log the user out of RPs automatically.

RPs should always protect against XSS attacks. Any URL that updates data on the user's behalf must be protected against XSRF (cross-site request forgery).

Relying parties should implement RP Discovery by publishing a discovery document that lists their OpenID endpoints. With it, OpenID providers can verify that an authentication request actually originates from the RP it claims to come from.

RPs should not use OpenID to authorize monetary transactions. The assertion may carry a PAPE (Provider Authentication Policy Extension) message stating that the user was authenticated at NIST assurance Level 0, the lowest level, which gives the RP no assurance about how the user was authenticated.
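As an added example (not code from the original post), the following Python shows how an RP can read the PAPE fields from an OpenID 2.0 assertion and refuse a high-value action unless the claimed NIST assurance level is high enough. The threshold `MIN_LEVEL_FOR_MONEY`, the function names and the sample responses are assumptions made for this example; the PAPE namespace URI and field names are the ones defined by PAPE 1.0.

```python
"""Gate a high-value action on the PAPE assurance level carried in an
OpenID 2.0 positive assertion (constructed sample data, not real traffic)."""
from urllib.parse import parse_qs

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# NIST SP 800-63 level an RP could demand before moving money; the value
# is an assumption for this example, not a figure from the post.
MIN_LEVEL_FOR_MONEY = 2


def pape_fields(query_string):
    """Return PAPE response fields keyed by short name, or {} if absent.
    The provider chooses the namespace alias, so it is looked up through
    openid.ns.<alias> instead of assuming the alias is literally 'pape'."""
    params = parse_qs(query_string, keep_blank_values=True)
    alias = None
    for key, values in params.items():
        if key.startswith("openid.ns.") and values[0] == PAPE_NS:
            alias = key[len("openid.ns."):]
            break
    if alias is None:
        return {}
    prefix = f"openid.{alias}."
    return {k[len(prefix):]: v[0] for k, v in params.items() if k.startswith(prefix)}


def nist_level(query_string):
    """NIST assurance level claimed by the assertion; 0 when the field is
    missing or malformed, because absence of a claim is no assurance."""
    try:
        return int(pape_fields(query_string).get("nist_auth_level", "0"))
    except ValueError:
        return 0


def may_authorize_money(query_string):
    """True only if the assertion claims at least MIN_LEVEL_FOR_MONEY.
    Signature verification (with the PAPE fields listed in openid.signed)
    is assumed to have succeeded before this check is reached."""
    return nist_level(query_string) >= MIN_LEVEL_FOR_MONEY


# Constructed sample assertions. The second provider uses the alias "p"
# for PAPE, which is why pape_fields() resolves the alias dynamically.
WEAK = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
        "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
        "&openid.pape.auth_policies=none&openid.pape.nist_auth_level=0")
STRONG = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
          "&openid.ns.p=http://specs.openid.net/extensions/pape/1.0"
          "&openid.p.auth_policies=http://schemas.openid.net/pape/policies/2007/06/multi-factor"
          "&openid.p.nist_auth_level=3")
NO_PAPE = "openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
```

An assertion without any PAPE data is treated the same as Level 0, so a provider that simply omits the extension cannot slip past the check.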