Friday, May 11, 2012

The #OpenID challenge

At #Translatewiki.net a request was made to support OpenID. The beauty of OpenID is that it reduces the number of websites that store your password. This makes browsing the Internet arguably safer.

The translatewiki staff is hesitant to support yet another nice-to-have extension. It has been burned by accepting LiquidThreads in the past: LiquidThreads is a great idea and it provides a much better user experience, but it has not been properly supported. There is a promise of a release at some unspecified point in the future.

Wikinaut did take over the OpenID extension support. He provided patches, updated the documentation and, equally important, he runs it on his own MediaWiki wikis. The need for support seems to be fulfilled; the question is not only whether translatewiki is interested but also whether the WMF is interested in providing improved security.
Thanks,
     GerardM

4 comments:

Ryan Lane said...

I don't feel that OpenID provides additional security, but instead provides convenience.

If anything OpenID is slightly less secure, since we are spreading the authentication surface across every OpenID server available. Additionally, we'd of course want to ensure that we still allow people to log in directly through our sites and still allow password resets, otherwise an OpenID provider going away could permanently lock out users. This means we have two attack surfaces per user rather than one.

GerardM said...

Most people re-use the same password on many websites. What OpenID provides is having only one website where this password is known.

It is unrealistic to think that people know where they have a profile let alone that they reset their password when needed.

Security has more attack vectors than YOUR server directly.
Thanks,
GerardM

Ryan Lane said...

I understand the concept of what OpenID theoretically means for security. I'm talking about OpenID in practice.

GerardM said...

My practise is not server side security. Not providing a service like OpenID means that the users you serve do not have the security option that does serve them well.

That is OpenID in practice.
Thanks,
GerardM