Some time back I wrote “OpenID: the bad and the ugly”, which was mostly just a redirect to Stefan Brands’ “The problem(s) with OpenID”. Numerous conversations later, I am still finding that most Internet users – even developers who understand web security – just don’t grok OpenID security.
And finally I know why: “you” and “your account” have boundary issues.
When I say “an attacker can target a web site and access your account” these people hear “an attacker can target a web site that I use, attack me, phish my details, steal my OpenID and access my account”. Because that’s the most common mode of attack against password-based authentication on the web.
But it’s not how you attack OpenID. There is no “you” in many OpenID attacks. There is just the attacker and your account … make that your ex-account.