OpenID is as secure as the OpenID provider (i.e. "If someone breaks into your Myspace account they've got access to your OpenID & everything that uses it").
Personally I wouldn't trust it with anything valuable. Most of the OpenID providers have a pretty lousy security track record.
While I agree with voretaq7 that OpenID is only as secure as the OpenID provider, I would have to say that when selecting an OpenID provider to use, care must be taken to ensure that you are using a reputable provider. This same idea applies to everything having to do with security. Google, AOL, and I think even Verisign now offer OpenIDs and these companies / providers do have a good track record.
One of the major advantages of OpenID over home-grown security or some other third-party package is that it puts the authentication aspect of security in the hands of companies with more experience and more resources to handle it than most smaller entities have. They tend to have a better ability to protect their servers and data. As an employee of a small shop, I would certainly trust Google more than myself to correctly configure the servers, firewalls, etc. necessary to protect this data.
However, OpenID is just as vulnerable to the most dangerous aspect of all -- the users who pick weak credentials.
OpenID is a way to delegate authentication to a third party. For a high trust application like banking, who you delegate authentication to is a major, major security decision. The OpenID protocol as it stands is sufficient for any standard that permits either single-factor authentication (the OpenID auth-token) or delegated authentication to a system that has sufficient authentication safeguards.
The next question: Are any current OpenID providers secure enough for online banking?
That's a different question, and is probably negative right now. However, there is nothing (technical) stopping, say, a consortium of American banks pooling resources to create a single banking OpenID provider that follows a stated standard and is audited. That OpenID provider can use whatever authentication methods it needs, be it SiteKey, SecurID, Smart Card swipe, or whatever else is demanded. I consider this possibility unlikely for the major commercial banks, but the Credit Union community might just try it.
OpenID is as secure as the weakest of (1) the site you are attempting to log in to; (2) your OpenID provider; or (3) the DNS system.
Recommendation:
Use your bank's recommended security/login system, and understand the terms & conditions of service so that you know your rights if your account is compromised.
Do not encourage your bank to adopt OpenID, as this will reduce the security of their service.
Weaknesses:
An immediate consequence of this fact is that OpenID can at best be as secure as the site you are trying to log in to; it can never be more secure.
In the OpenID protocol, redirection to your provider is under the control of the site you are logging in to, which leads to trivial phishing and man-in-the-middle attacks. Such attacks will allow a hostile site to steal your OpenID credentials without you knowing, which they can then use later to log into any other OpenID-enabled site as you.
DNS attacks are more complicated, but will allow an attacker to convince your bank that he is your OpenID provider. The attacker logs in using your OpenID, and has his fake provider give authorisation to the bank. In this case the attacker doesn't need to phish you or learn your password or install anything on your computer - all he needs is your OpenID.
Similarly an attack on your OpenID provider will allow the attacker to log in as you on any OpenID-enabled site, without knowing your password.
More info on OpenID weaknesses and attacks at http://www.untrusted.ca/cache/openid.html .
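An added example, not code from any answer on this page, showing the relying-party side of the points above: an OpenID 2.0 relying party should accept a positive assertion only from the provider endpoint it discovered itself, only for its own return_to URL, only with a fresh nonce, and only with a valid association signature, so that a response arriving via an attacker-chosen redirect or a swapped provider is rejected. The endpoint, association handle, MAC key and sample response are constructed for the example.

```python
import base64, hashlib, hmac, time
from datetime import datetime, timezone
# Constructed values: an association the relying party (RP) negotiated earlier
# with the provider endpoint it discovered over HTTPS (all made up for the example).
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = bytes(range(32))                  # made-up 256-bit HMAC-SHA256 key
DISCOVERED_OP_ENDPOINT = "https://op.example/auth"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
NONCE_MAX_AGE = 300                         # tolerated clock skew, seconds
SEEN_NONCES = set()                         # replay cache (in-memory here)

def mac(params, fields):
    """HMAC over the key-value form of the signed fields (OpenID 2.0 sections 6.1, 6.2)."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    return hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()

def sign(params):  # provider side, present only so the example can build a valid response
    fields = params["openid.signed"].split(",")
    return {**params, "openid.sig": base64.b64encode(mac(params, fields)).decode()}

def verify_assertion(params, expected_return_to, now=None):  # True only if every RP check passes
    now = time.time() if now is None else now
    fields = params.get("openid.signed", "").split(",")
    if (params.get("openid.mode") != "id_res"
            # trust only the endpoint the RP discovered, never one the response names
            or params.get("openid.op_endpoint") != DISCOVERED_OP_ENDPOINT
            or params.get("openid.return_to") != expected_return_to
            or params.get("openid.assoc_handle") != ASSOC_HANDLE
            or not REQUIRED_SIGNED.issubset(fields)):
        return False
    nonce = params.get("openid.response_nonce", "")
    try:  # nonce timestamp prefix and base64 signature must both parse
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        given = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except ValueError:
        return False
    if abs(now - ts.timestamp()) > NONCE_MAX_AGE or nonce in SEEN_NONCES:
        return False                        # stale or replayed assertion
    if not hmac.compare_digest(mac(params, fields), given):
        return False
    SEEN_NONCES.add(nonce)
    return True

# Constructed sample response and the matching "current time" for checking it.
SAMPLE_NOW = datetime(2009, 6, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
SAMPLE_RESPONSE = sign({
    "openid.mode": "id_res", "openid.op_endpoint": DISCOVERED_OP_ENDPOINT,
    "openid.return_to": "https://rp.example/cb", "openid.assoc_handle": ASSOC_HANDLE,
    "openid.response_nonce": "2009-06-01T12:00:07Zabc123", "openid.identity": "https://alice.example/",
    "openid.claimed_id": "https://alice.example/",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"})
```

A real relying party would keep the association and nonce cache in persistent storage and perform discovery over HTTPS, since the DNS weakness described above is exactly the step before these checks run.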
OpenID is a protocol. The protocol is very secure; however, the back-end auth method doesn't have to be. You can run an OpenID portal that will validate a user from a DOS box over telnet in Bangladesh.
Is it secure enough for banking? Yes. In fact I wish all banking providers would permit it. Furthermore, if you want to trust banking providers more than other technology providers -- wouldn't it be nice if they would provide it?