Security Analysis of OpenID

Pavol Sovis, Florian Kohlar, Jörg Schwenk

In "Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2010 Conference", 2010.


OpenID is a user-centric and decentralized Single Sign-On system. It enables users to sign into Relying Parties by providing an authentication assertion from an OpenID Provider. It is supported by many leading internet companies and there are over a billion accounts capable of using OpenID. We present a security analysis of OpenID and the corresponding extensions and reveal several vulnerabilities. This paper demonstrates how identity information sent within the OpenID protocol can be manipulated, due to an improper veri?cation of OpenID assertions and no integrity protection of the authentication request.

[Camery Ready]

Tags: Identity Management, OpenID, Single Sign-On