I’m a big proponent of OpenID. Last week when Will Norris unveiled version 3.0 of his wp-openid plugin for WordPress, I was there in person.
One of the new features in Will’s plugin is the ability for a WordPress blog to act as an OpenID provider. I understand the reasoning behind the feature, but it isn’t meant for every Joe Blow with a blog to set himself up as yet another provider. My buddy Adam wrote a piece at Webmonkey titled Make Your Blog an OpenID Provider, but I respectfully disagree with that proposition.
In an OpenID world, my OpenID will allow me to access all sorts of electronic resources. Some of those resources might be of minimal security concern, such as leaving a blog comment or signing into a bookmarking service. Other resources might warrant tighter security, such as a core e-mail account, domain registrar, or financial institution.
A simple username/password really isn’t strong enough security for my most important information, yet that is all WordPress can check when it acts as the OpenID provider: the blog’s own login is the single factor, so whoever guesses or phishes that password holds the identity everywhere it is accepted.
Ideally an OpenID provider will offer some form of multifactor authentication involving something other than a simple password. Vidoop offers their image shield in conjunction with an activated, trusted web browser. JanRain offers a phone call system. Verisign’s Personal Identity Portal allows for a fob-based rotating password. If OpenID is going to be used to protect sensitive information, it should be done with a secure system such as these.
The wp-openid plugin does allow for delegation, meaning one could use their blog URL as their OpenID URL while still authenticating at a stronger provider such as the ones I’ve named. Using the plugin to allow OpenID login or delegation is excellent, and something I’d recommend, but configuring one’s WordPress blog as their ultimate OpenID provider is a less-than-ideally-secured step away from what I see as the long term goal of OpenID adoption.
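As an added illustration (not code from the original post or from the wp-openid plugin), here is what delegation actually consists of on the blog side, and a check a blog owner can run against it. Delegation is nothing more than a few link tags in the page head (openid.server and openid.delegate for OpenID 1.1, openid2.provider and openid2.local_id for OpenID 2.0) that tell a relying party which provider vouches for the blog URL. That also means anyone who can edit the blog’s theme or HTML can silently re-point those tags at a provider they control, so the trust in the strong provider still rests on the blog not being compromised. The script below extracts the delegation tags from a page and compares the provider endpoint against a list of hosts the owner trusts; the sample pages and the provider host pip.example.net are constructed for the example and stand in for whichever provider is actually used.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The four rel values used for HTML-based OpenID discovery/delegation:
# OpenID 1.1 uses openid.*, OpenID 2.0 uses openid2.*.
DELEGATION_RELS = frozenset(
    ["openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"]
)


class _LinkTagParser(HTMLParser):
    """Collect OpenID <link rel=... href=...> tags from the document <head>.

    Stops collecting at <body>, since discovery only honours link tags in the head.
    """

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_body = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
        if tag != "link" or self._in_body:
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if not rel or not href:
            return
        # rel may carry several space-separated tokens, e.g. "openid.server openid2.provider";
        # the first tag seen for a given rel is the one discovery uses.
        for token in rel.lower().split():
            if token in DELEGATION_RELS:
                self.links.setdefault(token, href.strip())


def extract_delegation(html: str) -> dict:
    """Return the OpenID delegation link tags found in the page head."""
    parser = _LinkTagParser()
    parser.feed(html)
    parser.close()
    return parser.links


def check_delegation(html: str, trusted_provider_hosts) -> list:
    """Compare a page's delegation tags with the provider hosts the owner trusts.

    Returns human-readable findings; an empty list means both protocol versions
    delegate to a trusted provider over HTTPS.
    """
    trusted = {h.lower() for h in trusted_provider_hosts}
    tags = extract_delegation(html)
    findings = []
    for rel in ("openid.server", "openid2.provider"):
        href = tags.get(rel)
        if href is None:
            findings.append(f"missing <link rel={rel}> tag")
            continue
        u = urlparse(href)
        if u.scheme != "https":
            findings.append(f"{rel} endpoint {href} is not https")
        if (u.hostname or "").lower() not in trusted:
            findings.append(f"{rel} points at untrusted provider host {u.hostname!r}")
    return findings


# Constructed sample pages for this example. "pip.example.net" is a placeholder
# for the trusted provider; "openid.attacker.example" is a placeholder for a
# provider the attacker controls.
TRUSTED = {"pip.example.net"}

GOOD_PAGE = """<html><head>
<title>My blog</title>
<link rel="openid.server openid2.provider" href="https://pip.example.net/server" />
<link rel="openid.delegate openid2.local_id" href="https://alice.pip.example.net/" />
</head><body><p>hello</p></body></html>"""

# The same page after someone with write access to the theme re-pointed delegation:
# the blog URL still works as an OpenID, but a different server now vouches for it.
TAMPERED_PAGE = GOOD_PAGE.replace(
    "https://pip.example.net/server", "http://openid.attacker.example/server"
)

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, check_delegation(page, TRUSTED) or "OK")
```

Run periodically against the live blog URL (fetching the page is left out so the example stays offline), the check catches the hijack scenario: a tampered page is flagged both for leaving HTTPS and for naming a provider host outside the trusted set, while a missing tag for either protocol version is reported separately.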
[tags]openid, wp-openid, wordpress, identity, security[/tags]

4 comments
Aaron, I couldn’t agree more. I strongly believe it is important for an individual to have the ability to run their own OpenID provider, if they so choose. Having near zero barrier to entry is one of the things that makes OpenID great. That being said, I think some of the OpenID providers that are available today (especially the three you mentioned, along with some of the newer ones using Yubikey) have much better security than WordPress currently does. I could certainly put all my money under my mattress and rest assured that I have complete control over it, but for now I find putting it in a bank a better option.
But wait, I was about to go to OpenID for everything! Actually no, all my secure stuff is staying with the original, slightly more seriously secure, security apparatusii.
But I look forward to locking down my OpenID stuff even better over the next few weeks and enabling my ID to work with more and more of my sites, sites I use, and other such.
Especially since I always want your feedback on my articles and you won’t use stuff that doesn’t use OpenID!
argh!
A good post to make people consider if they really want to entrust their identity to the security of their blog – made me reconsider my plans.
Do you perhaps end it by contradicting yourself? If I enable OpenID delegation on my personal blog, surely the same security considerations come into play. Does it matter if I use Verisign if someone can hack into my blog and redirect to another OpenID provider to validate me?
That's a good point Al… if one has weak security on their blog, someone could potentially hijack that redirect and point it to another OpenID provider. Just another factor for consideration.