As major Internet players back OpenID, we were reminded of an Amsterdam computer student pointing out a trio of scenarios that makes the prospect of OpenID’s single sign-on method a scary prospect.

Usernames and passwords stopped being the end-all to online security years ago. Yet it’s the model touted by OpenID as a way to make one’s browsing more convenient.

Big name Internet players have bought in to the promise of a system where one’s OpenID just works across a variety of sites. But security pros know that their tasks require finding a balance between convenience and security, and Marco Slot demonstrated how OpenID could be too much convenience and too little security.

Slot presented three scenarios where phishing someone’s OpenID credentials presents little more of a challenge than writing (or copying) some PHP code. Two of the methods can be guarded against by providers who prudently consider the consequences.

The third scenario, a basic OpenID login box set up on a malicious web page, cuts the OpenID provider out entirely. Someone enters their credentials, and the evil people end up with a login combo that probably works on more sensitive sites.

Feed the login combo to a script that checks it against common financial and retail sites, and if the person used that username and password to login to any such site that does not offer an additional security factor, it’s game over.

As noted in a lengthy roundup of commentary on the Identity Corner blog from last August, the issues presented by OpenID don’t end with phishing. Tracking visits to websites by OpenID users is one example.

This discussion comes about as Google’s App Engine project debuted, and one coder created an application that turns a Google Account login into an OpenID credential. AdWords/AdSense clients in particular should be wary of using their Google Account this way. One bad phish could make finances very sick.