Is OpenID secure?

OpenID is as secure as the OpenID provider (i.e. "If someone breaks into your Myspace account they've got access to your OpenID & everything that uses it").

Personally I wouldn't trust it with anything valuable. Most of the OpenID providers have a pretty lousy security track record.


While I agree with voretaq7 that OpenID is only as secure as the OpenID provider, I would have to say that when selecting an OpenID provider to use, care must be taken to ensure that you are using a reputable provider. This same idea applies to everything having to do with security. Google, AOL, and I think even Verisign now offer OpenIDs and these companies / providers do have a good track record.

One of the major advantages of OpenID over home-grown security or some other third-party package is that it puts the authentication aspect of security in the hands of companies with more experience and more resources to handle it than most smaller entities have. They tend to have a better ability to protect their servers and data. As an employee of a small shop, I would certainly trust Google more than myself to correctly configure the servers, firewalls, etc., necessary to protect this data.

However, OpenID is just as vulnerable to the most dangerous aspect of all -- the users who pick weak credentials.