I want to read more about security

There is very little information on the site about the security of OpenID. I believe that there are big potential problems with identity theft if someone can log in on a lot of different sites with one ID.

Additionally I want to know how I can be sure I'm actually logging in on an OpenID-enabled site. How can I see that I'm not being scammed into giving away my username and password to a host of very personal sites?

7 votes
anonymous shared this idea

1 comment

  • Chris Messina (Admin, OpenID) commented

    Thanks for pointing this out. We do need more information about security on the site.

    There's a good write-up about OpenID and security here:

    Http://OpenIDExplained.com/

    Quote:

    Is OpenID secure?

    OpenID is no less (or more) secure than what you use right now. It's true that if someone gets your OpenID's username and password, they can usurp your online identity. But, that's already possible. Most websites offer a service to e-mail you your password (or a new password) if you've forgotten it, which means that if someone breaks into your e-mail account, they can do just as much as they can if they get your OpenID's username and password. They can test websites with which they think you have an account and ask for a forgotten password. Similarly, if someone gains access to your OpenID, they can scour the Internet for places they think you have accounts and log in as you... but nothing else.

    Regardless of whether you use OpenID or not, you should be careful about your username and password. When you type your username and password, make sure you're actually on the website you think you are (i.e., check the address).

    As for your second question... always make sure to watch the URL bar when signing in to your OpenID provider — that is, ONLY give your password to the website that you got the password FROM — never give out your password on someone else's website.

    OpenID ONLY works when you're redirected back to your identity provider at least once. If someone else is asking for your OpenID password who is NOT your provider, then it's a scam.
