Don’t Make Your Blog an OpenID Provider
I’m a big proponent of OpenID. Last week when Will Norris unveiled version 3.0 of his wp-openid plugin for WordPress, I was there in person.
One of the new features in Will’s plugin is the ability for a WordPress blog to act as an OpenID provider. I know there’s some logic behind this feature, but it’s not for Joe Blow with a Blog to take over the world as yet another provider. My buddy Adam wrote a piece at Webmonkey titled Make Your Blog an OpenID Provider, but I respectfully disagree with that proposition.
In an OpenID world, my OpenID will allow me to access all sorts of electronic resources. Some of those resources might be of minimal security concern, such as leaving a blog comment or signing into a bookmarking service. Other resources might warrant tighter security, such as a core e-mail account, domain registrar, or financial institution.
A simple username/password really isn’t strong enough security for my most important information, yet that’s the security provided by WordPress if used as the OpenID provider.
Ideally an OpenID provider will offer some form of multifactor authentication involving something other than a simple password. Vidoop offers their image shield in conjunction with an activated, trusted web browser. JanRain offers a phone call system. Verisign’s Personal Identity Portal allows for a fob-based rotating password. If OpenID is going to be used to protect sensitive information, it should be done with a secure system such as these.
The wp-openid plugin does allow for delegation, meaning one could use their blog URL as their OpenID URL, while using the authentication services of a more secure provider such as the ones I’ve named. Using the plugin to allow OpenID login or delegation is excellent, and something I’d recommend, but configuring one’s WordPress blog as their ultimate OpenID provider is probably a less-than-ideally-secured step away from what I see as the long term goal of OpenID adoption.
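To make the delegation-versus-provider distinction concrete, here is an added example (not code from this post or from the wp-openid plugin) that reads a blog's HTML for the discovery `<link>` tags defined by OpenID 1.1 and 2.0 and reports whether the provider endpoint lives on the blog itself or on an external provider. The function name `classify` and the `blog.example` / `provider.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values from OpenID 1.1 / 2.0 HTML-based discovery
PROVIDER_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}

class _OpenIDLinks(HTMLParser):
    """Collect OpenID discovery <link> tags from a page."""
    def __init__(self):
        super().__init__()
        self.providers, self.local_ids = set(), set()

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = set(a.get("rel", "").lower().split())
        href = a.get("href", "").strip()
        if href and rels & PROVIDER_RELS:
            self.providers.add(href)
        if href and rels & LOCAL_ID_RELS:
            self.local_ids.add(href)

def classify(blog_url, html):
    """Report whether a blog delegates OpenID or acts as its own provider."""
    p = _OpenIDLinks()
    p.feed(html)
    blog_host = urlsplit(blog_url).hostname
    hosts = {urlsplit(u).hostname for u in p.providers}
    if not hosts:
        mode = "none"
    elif blog_host in hosts:
        # Endpoint on the blog itself: the blog's own login guards the identity.
        mode = "self-hosted"
    else:
        mode = "delegated"
    return {"mode": mode, "providers": sorted(p.providers),
            "local_ids": sorted(p.local_ids)}

# Constructed sample pages (hypothetical hosts and paths, not real endpoints)
DELEGATED = """<head>
<link rel="openid2.provider openid.server" href="https://provider.example/server">
<link rel="openid2.local_id openid.delegate" href="https://alice.provider.example/">
</head>"""
SELF_HOSTED = """<head>
<link rel="openid2.provider" href="https://blog.example/openid/server">
</head>"""
```

Calling `classify("https://blog.example/", page_html)` on your own blog's front page shows which setup a relying party will discover when you type the blog URL as your OpenID.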
About this entry
You’re currently reading “Don’t Make Your Blog an OpenID Provider,” an entry on Another Blogger
- Posted on: Monday, October 6th, 2008 06:00
- Category: Blogging, Humor, Technology