Does OpenID Really Open Anything?

I have a secret place where I store all my login/password pairs for all websites I’ve ever visited and decided to create an account. There are close to 100 entries there. Wouldn’t it be nice to have one login/password to rule them all? Well, that’s what OpenID is promising.

If you were creating your little website to do your business, wouldn’t it be nice to have somebody else manage user accounts, deal with password resets, and so on? Or, what’s more important, would you get more users if you didn’t have to ask them to fill out your user registration form? Of course.

Inspired by Google’s moves towards single sign-on with OpenID, I did a little research, and here are the findings.

Why bother?

The idea is that the user creates her one and only profile with the identity provider of her choosing. She receives an OpenID login name (something like http://myprovider.com/u/janedoe), sets her password and provides some other identity attributes such as an email address. With this OpenID login name she can sign in to any OpenID-enabled website (called a relying party). Instead of requesting a password, the website redirects the user to the login page of the identity provider, which requests and validates the password and sends back the status together with the requested attributes. The user knows which attributes are shared. The point is that there is one and only one digital representation of the individual on the whole Web (some might choose to have more than one identity, but that’s a different story).

How do I get an OpenID?

Well, if you are a Google or Yahoo registered user, you already have one (check the official OpenID site for a list of OpenID providers). Your login name just looks a bit different (a URL instead of the typical email address).

Where can I log in using OpenID?

At the time of this writing (and depending on who you ask) the number of sites supporting OpenID is between 10,000 and 20,000. Hint: look for the OpenID badge next to the login box.

Funny thing: although Google, Yahoo and some other big players eagerly provide OpenID, they do not support login with OpenID unless it is their OpenID! Yes, you can’t log in to Google with a Yahoo account, sorry. At least, not yet. It’s not a technology barrier, it’s marketing.

What do I need to do to support OpenID on my website? There is a standard communication protocol to implement (the OpenID specification) and many Open Source libraries that do the job. A simple step-by-step tutorial can be found in A Recipe for OpenID-Enabling Your Site.
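As an added illustration, not code from this post or from the libraries the tutorial above uses, here is the check a relying party has to perform when the provider redirects the user back with a positive assertion: it verifies the HMAC over the signed fields with the association secret, binds the assertion to the endpoint found during discovery and to the site’s own return URL, and rejects stale or replayed nonces. The provider and relying-party URLs, the secret and the sample assertion are constructed.

```python
import base64, calendar, hashlib, hmac, time

REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")
NONCE_WINDOW = 300  # seconds of clock skew tolerated on response_nonce (assumed RP policy)

def kv_form(params, signed):
    # OpenID key-value form over the signed fields, in openid.signed order
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()

def sign(params, secret):
    # HMAC-SHA256 over the key-value form, base64 encoded (association type HMAC-SHA256)
    mac = hmac.new(secret, kv_form(params, params["openid.signed"].split(",")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify_assertion(params, secret, expected_return_to, discovered_op, seen_nonces, now):
    # Relying-party check: accept only a fresh assertion bound to this RP and the discovered OP
    if params.get("openid.mode") != "id_res":
        return False
    signed = params.get("openid.signed", "").split(",")
    if any(f not in signed for f in REQUIRED_SIGNED) or any("openid." + k not in params for k in signed):
        return False  # unsigned or missing fields could be swapped by an attacker
    if params["openid.op_endpoint"] != discovered_op or params["openid.return_to"] != expected_return_to:
        return False  # assertion is for another provider or another site
    nonce = params["openid.response_nonce"]  # UTC timestamp + unique suffix
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False
    if abs(now - issued) > NONCE_WINDOW or nonce in seen_nonces:
        return False  # stale or replayed
    if not hmac.compare_digest(sign(params, secret), params.get("openid.sig", "")):
        return False  # MAC with the association secret does not match
    seen_nonces.add(nonce)
    return True

# Constructed sample values (not a real provider, relying party or secret)
SECRET = b"constructed-association-secret"
OP, RETURN_TO = "http://myprovider.example/op", "http://rp.example/openid/return"
NOW = 1241179200  # 2009-05-01T12:00:00Z as epoch seconds

def constructed_assertion(nonce="2009-05-01T12:00:00Zabc123"):
    # What the provider would send back after a successful login (constructed)
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP, "openid.return_to": RETURN_TO, "openid.assoc_handle": "assoc-1",
         "openid.claimed_id": "http://myprovider.example/u/janedoe",
         "openid.identity": "http://myprovider.example/u/janedoe", "openid.response_nonce": nonce,
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, SECRET)
    return p
```

This protects the relying party from forged or replayed assertions; it does nothing against the fake-provider phishing described in the next section, because there the user hands the real password to the wrong site before any assertion exists.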

How secure is OpenID?

That’s the big problem. Imagine that somebody wants to steal your identity. All he has to do is set up a website that offers OpenID login and another website that pretends to be your OpenID provider. You provide your OpenID to the first site and get redirected to the second, which you believe is your identity provider (but it’s not). You type in your password. Now the thief knows your OpenID and the password, so he can log in as you to any OpenID-enabled website in the world. This is similar to phishing but much more dangerous, because you lose control of the access to all your personalized websites at once. For that reason, do not expect your online bank to accept OpenID anytime soon. And if you do financial or other transactions involving sensitive information online, you are not going to use an OpenID login either.

An interesting discussion of the models that can be used to strengthen authentication mechanisms can be found in Usability of Stronger Authentication Options.

A few days ago the OpenID Foundation announced that PayPal is joining their Board of Directors. Well, they surely know something about security.

What else is there?

One alternative is identity federation based on the OASIS Security Assertion Markup Language (SAML) protocol. It is used today mainly in B2B scenarios, to provide single sign-on and account linking. But it lacks the user-centric, self-asserted identity appeal that OpenID has.

The other is the information card architecture, and specifically its implementation by Microsoft, called CardSpace. The identity card selector is already implemented in Vista, but it lacks a production implementation on the application-server side. Yes, your identity card is bound to your Windows operating system.


4 responses to “Does OpenID Really Open Anything?”

  1. Hello,
    Nice article, especially about security. But I can’t agree with this: “Yes, you can’t log in to Google with Yahoo account, sorry. At least, not yet. It’s not a technology barrier, it’s marketing.”
    It looks like marketing, but it is also a big technical problem. If Google allowed you to log in with other OpenID providers, how could you then log in to Gmail with mobile devices? If you use technology like J2ME (Mobile GMail client) or Windows Mobile, you can’t redirect the user to some other OpenID provider’s login page (and how would it look on a mobile device?) and then redirect back to the mobile application.

  2. @Matic
    Thanks for the comment. You’ve got a point there. Accessing an email service via SMTP/POP/IMAP would not be possible with OpenID. You would have to use either the browser or a dedicated client (via a combination of OpenID and OAuth, for instance). Google Mobile could be adapted to make this possible (no need to use SMTP/IMAP), but I wouldn’t be able to use my Nokia Messaging to access Gmail.
    Definitely there is a technical challenge here, but I think in the end it’s not about the protocols. It’s not only those who provide email services that refuse to be a relying party (MySpace, for instance). It’s not a coincidence that all the big players happily provide OpenID but refuse to accept one provided by competitors. See how Facebook is gaining an edge with Connect. To me the business rationale behind this approach is quite similar to the iPod and Kindle model – if you are in a position to grab a large part of the market (like Google or FB), you want to lock your users in and become the standard.

  3. Pingback: Social Media User Expectations Dish | Test And Try

  4. Excellent items from you, man. I’ve taken note of your stuff before, and you are simply too great.
    I actually like what you have here, certainly like what you are stating and the way in which you are saying it.
    You make it enjoyable and you still take care to keep it
    sensible. I can’t wait to learn far more from you.
    That is actually a wonderful site.
