Tag Archives: user-centric identity

Does OpenID Really Open Anything?

I have a secret place where I store all my login/password pairs for all websites I’ve ever visited and decided to create an account. There are close to 100 entries there. Wouldn’t it be nice to have one login/password to rule them all? Well, that’s what OpenID is promising.

If you were creating your little website to do your business, wouldn’t it be nice to have somebody else to manage user accounts, deal with password re-setting, etc. Or, what’s more important, would you get more users if you didn’t have to ask them to fill out your user registration form? Of course.

Inspired by Google moves towards single sign-on with OpenID I did my little research and here are the findings.

Why bother?

The idea is that the user creates her one and only profile with the identity provider of her choosing. She receives an OpenID login name (something like http://myprovider.com/u/janedoe), sets her password and provides some other identity attributes such as email address, etc. With this OpenID login name she can sign in to any OpenID-enabled website (called relying party). Instead of requesting a password, the website redirects user to the login page of the identity provider who requests and validates password and sends back the status with requested attributes. User knows what attributes are shared. Point is, there is one and only one digital representation of the individual in the whole Web (some might choose to have more than one identity but that’s different story).

How do I get an OpenID?

Well, if you are a Google or Yahoo registered user, you already have one (check offical OpenID site for a list of OpenID providers). Your login name just looks a bit different (URL instead of typical email address). 

Where can I log in using OpenID?

At the time of this writing (and depending of who you ask) the number of sites supporting OpenID is between 10,000 and 20,000. Hint: look for a  badge next to the login box.

Funny thing: although Google, Yahoo and some other big players eagerly provide OpenID, they do not support login with OpenID unless it is their OpenID! Yes, you can’t log in to Google with Yahoo account, sorry. At least, not yet. It’s not a technology barrier, it’s marketing.

What do I need to do to support OpenID on my website? There is a standard communication protocol to implement (the OpenID specification) and many Open Source libraries that do the job. The simple step-by-step tutorial can be found in A Recipe for OpenID-Enabling Your Site.

How secure OpenID is?

That’s the big problem. Imagine that there is somebody who wants to steal your identity. What he has to do is to set up a website that offers OpenID login and another website that pretends to be your OpenID provider. You provide your OpenID to the first site and you get redirected to the second which – what you think – is your identity provider (but it’s not). You type in your password. Right now the thief knows your OpenID and the password so he can log in as yourself into any OpenID-enabled website in the world. That is similar to phishing but much more dangerous because you loose control of the access to all your personalized websites at once. For that reason do not expect your online bank to accept OpenID anytime soon. And if you do financial or other transactions involving sensitive information online, you are not going to use OpenID login either.

Interesting discussion of the models that can be used to strenghten authentication mechanisms can be found in Usability of Stronger Authentication Options.

A few days ago the OpenID Foundation announced that PayPal is joining their Board of Directors. Well, they surely know something about security.

What else is there?

One alternative is identity federation based on OASIS Security Assertion Markup Language (SAML) protocol. It is mainly used today in B2B scenarios, mainly to provide single sign-on and account linking. But it lacks this user-centric, self-asserted identity appeal that OpenID has.

The other is information card architecture and specifically its implementation by Microsoft called CardSpace. The identity card selector is already implemented in Vista but it lacks production implementation on the application server side. Yes, your identity card is bound to your Windows operating system.