OpenID
Sometimes I feel like a user account collector. For almost any website or web application it is now possible/necessary to open a user account to enable certain functionality. From a security and privacy perspective, I once intended to use a strong, different password for each site. Unfortunately, I abandoned this intention after only a few days, since it would mean remembering up to a hundred different passwords. You would think it should be easier, and it can be!
OpenID is an open source authentication mechanism that makes it unnecessary to open a separate user account, with its own password, for each site. What it boils down to is that you enter a URL instead of a password (for example, http://bart.ic-s.nl). This URL, called an identifier in OpenID terms, refers to your OpenID provider. Your OpenID provider takes care of the actual authentication, so that is the only place where you actually register a password! When you want to log on to a website where you entered your OpenID, you are redirected to your OpenID provider, where you log in with your user name and password, and you are then returned to the site as a registered user. For security reasons, you authorize each site once to use your OpenID.
The most obvious advantage of using OpenID is that you register a password in only one location and, if need be, change it only there. But there are other important advantages. If you use OpenID for multiple sites, you only have to enter your user name and password once to log in. You are automatically logged in on all other sites you use your OpenID for, because you have already logged in at your OpenID provider. This reduces the number of times you have to sign in to merely once a day or once per browser session.
Another advantage of OpenID is that you can register your ID separately from your OpenID provider. If you are the lucky owner of your own domain, a few lines of HTML on your website are enough to have your identity forwarded to an OpenID provider. For instance, in the example http://bart.ic-s.nl, you add a reference to an OpenID provider such as http://www.myOpenID.com to the HTML page that appears at this URL. Suppose I am not satisfied with the service and/or possibilities of myOpenID.com: it is then very easy to switch the reference to a different OpenID provider, e.g. livejournal.com. And the good thing is, I don’t need to change a single thing on any of the sites I signed in to! This makes your OpenID, if you use your own domain, independent of any OpenID provider.
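The forwarding described above is done with `<link>` tags in the page's `<head>` (`openid.server` / `openid.delegate` in OpenID 1.1, `openid2.provider` / `openid2.local_id` in OpenID 2.0). The following sketch is an added example, not code from the original post: it shows how a site could read those tags and flag a delegation that does not use https, since whoever controls that page or its transport controls the identity. The provider URLs and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# rel values used for HTML-based discovery in OpenID 1.1 and OpenID 2.0
REL_TO_FIELD = {"openid.server": "server", "openid.delegate": "local_id",
                "openid2.provider": "server", "openid2.local_id": "local_id"}

# Constructed sample page; the <link> in <body> stands for markup outside <head>
SAMPLE_PAGE = """<html><head><title>bart</title>
<link rel="openid2.provider openid.server" href="https://provider.example/server">
<link rel="openid2.local_id openid.delegate" href="https://bart.provider.example/">
</head><body>
<link rel="openid.server" href="https://untrusted.example/server">
</body></html>"""

class _HeadLinks(HTMLParser):
    """Collect OpenID <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                field = REL_TO_FIELD.get(rel)
                if field and a.get("href"):
                    # OpenID 2.0 values win over 1.1 when both are present
                    if rel.startswith("openid2.") or field not in self.found:
                        self.found[field] = a["href"]

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(identifier, html):
    """Return the delegated server and local id, plus transport warnings."""
    p = _HeadLinks()
    p.feed(html)
    result = dict(p.found)
    warnings = []
    for label, url in [("identifier", identifier), ("server", result.get("server"))]:
        if url and urlparse(url).scheme != "https":
            warnings.append(f"{label} is not served over https: {url}")
    result["warnings"] = warnings
    return result
```

Switching providers means changing only the two `href` values on the page; the identifier that sites have stored stays the same.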
So for users, OpenID offers many advantages, but what added value is there for website providers? The first thing of course is increased website accessibility. From personal experience I know registration on a website still proves to be a barrier for users. In case of similar “content”, I always choose the website where no registration is required. If you could use your existing OpenID, this barrier would be a lot lower.
In addition to increased accessibility, OpenID offers even more opportunities for website providers. By using OpenID, it is in fact fairly easy to realize single sign-on. If one’s own identity management system is used, it is by no means trivial to set this up. OpenID’s architecture offers this out of the box. If the provider prefers to own the authentication process, it is possible to set up one’s own OpenID provider.
One group that could benefit from OpenID and that I haven’t mentioned yet is companies. Besides personal use of websites, an increasing number of people have accounts on numerous websites and web applications of, for example, suppliers. This poses a potential security risk, especially if users are lax with the passwords they set. The reason is that in most cases internal password and user management is well arranged in, for example, Active Directory or Apple’s Open Directory, but the organisation neglects central management of these external accounts. If an employee leaves the company, deleting or deactivating these accounts is often forgotten. With OpenID this is easily prevented: if the organisation sets up a central OpenID provider under its own domain, for example at the URL http://OpenID.ic-s.nl//, and links it to the internal directory for authentication, a deactivated user can no longer log in on all sorts of external websites using his OpenID! It could even be established which sites users can use their OpenID for, to increase control even further. Besides control of deactivated accounts, this could also ensure users only use one single password that complies with internally set standards. This prevents Post-it notes with passwords and improves the overall security of the organisation!
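As a sketch of the decision such a company provider would make on each authentication request (an added example, not code from the original post): the account must still be active in the directory, the requesting site's `openid.realm` must be on an approved list, and `openid.return_to` must fall inside that realm under the OpenID 2.0 matching rules. The directory contents, the approved list and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-ins for the internal directory and the approved-site list
DIRECTORY = {"alice": {"active": True}, "bob": {"active": False}}
ALLOWED_REALMS = ["https://*.supplier.example/",
                  "https://portal.partner.example/app/"]

def _port(u):
    return u.port or {"http": 80, "https": 443}.get(u.scheme)

def matches_realm(url, realm):
    """OpenID 2.0 realm matching: same scheme and port, host equal or covered
    by a leading '*.' wildcard, and path equal to or below the realm path."""
    u, r = urlsplit(url), urlsplit(realm)
    if r.fragment or u.scheme != r.scheme or _port(u) != _port(r):
        return False
    uh, rh = (u.hostname or ""), (r.hostname or "")
    if rh.startswith("*."):
        base = rh[2:]
        host_ok = uh == base or uh.endswith("." + base)
    else:
        host_ok = uh == rh
    rpath, upath = (r.path or "/"), (u.path or "/")
    prefix = rpath if rpath.endswith("/") else rpath + "/"
    return host_ok and (upath == rpath or upath.startswith(prefix))

def may_assert_identity(user, realm, return_to):
    """Return (allowed, reason) for one authentication request."""
    entry = DIRECTORY.get(user)
    if entry is None or not entry["active"]:
        return False, "account missing or deactivated in directory"
    if realm not in ALLOWED_REALMS:  # assumption: exact-string approved list
        return False, "site is not on the approved list"
    if not matches_realm(return_to, realm):
        return False, "return_to falls outside the requested realm"
    return True, "ok"
```

Because the check runs at the provider on every login, deactivating the directory entry is enough to cut off every external site at once.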
Despite the benefits to all parties, many website providers seem wary of offering OpenID access. Technically there are not so many reasons to withhold this; it’s probably more a question of feeling. As a website operator you obviously like to stay in control, and it seems easier to have the authentication take place in your own, trusted environment. Fortunately, there is a growing number of parties that offer OpenID, including some big names such as AOL, Microsoft, and livejournal. With the gigantic growth of the number of websites with active users and the growing importance of security within organizations, I believe it is only a matter of time before OpenID will be more widely accepted. So there is good hope that in a few years’ time my collection of accounts will have shrunk considerably, making on-line life easier and more secure!