At the Forge - OpenID

An introduction to OpenID, an open-source, distributed, single sign-on solution for Internet applications.

Thank goodness for Firefox. Yes, it's a great browser. Yes, it has all sorts of wonderful plugins that let me do everything from debugging my Web applications to checking the weather forecast. And, the fact that it works across multiple platforms makes it even better.

But, as Web-based applications become an increasingly integral part of my life, I've grown dependent on Firefox's ability to remember my passwords. It might be silly, or even a bit pathetic, but there is no way I can remember all the different passwords I've created over the years. This is especially true for sites where I've changed my password on occasion, either because my current password expired or because I decided to change it.

This also means that when I use a different browser, or even a different computer, I'm often at a total loss. Sure, I remember some of my passwords, but there is no easy way for me to keep track of all of them without writing them down somewhere. So, I do the digital equivalent—storing them in my browser—and make sure I have my laptop with me wherever I go.

Juggling multiple passwords isn't new, of course. Even before the growth of Web applications, people were logging in to different computers, networks, e-mail accounts, database systems and so on. A number of companies made quite a bit of money from “single sign-on”, offering back-end solutions that allowed people to log in to a single computer, providing them with access to many different ones.

But, although the problem might not be new, its scale is unprecedented. We no longer are worried about several hundreds or thousands of individuals keeping track of a dozen passwords, with access to an IT support department. Rather, we now have to worry about many millions of people, each of whom has dozens of passwords and little or no technical support for any of them.

Moreover, each Web site has its own particular needs, not to mention its own unique user interface. And, to top it off, the world is quite different from a corporation; you can't impose a standard solution from above. Rather, there must be a way to introduce competition into the equation, such that individuals can choose their own single sign-on provider.

Over the years, a number of companies have tried to enter this space for Internet applications. Perhaps the most famous (or infamous) was Microsoft's .NET Passport (now known as Windows Live ID), which was launched with great fanfare—and quickly attracted a great deal of negative attention related to privacy concerns. Even if Microsoft's product was technically excellent (and I'm not knowledgeable enough to judge it), people did not want to be told with whom they must entrust private and sensitive data.

An increasingly popular solution to this problem is OpenID. OpenID is not necessarily a new technology; it has existed in some form or another for several years already. However, it rapidly is picking up steam—so much that right before I wrote these words in February 2008, we saw Microsoft, Google, IBM, VeriSign and Yahoo embrace OpenID.

Now, it's true that the number of sites supporting OpenID is currently small—numbering about 8,000 at the time of this writing. However, the number is growing rapidly, and I expect the pace will pick up as the aforementioned Internet giants begin to get involved.

What if you're smaller than Google or Microsoft? Is OpenID worth adding to your site? Is it relatively easy? The answer to both questions, I'm happy to say, is yes.

This month, I discuss the user side of OpenID—how you register for an OpenID and how you manage it. I also explain how the OpenID specification takes into account the fact that you might eventually need to change providers.

The Basics of OpenID

The term OpenID refers both to a person's unique identifier and to the standard describing all the technology around that identifier. To create an OpenID, you must register with an OpenID provider. Once you have registered your OpenID, it is the provider that authenticates you for every OpenID-enabled application you use. In other words, the OpenID provider is responsible for checking your identity, which normally means confirming that the user name and password you enter are acceptable.

Thus, logging in to a site with OpenID means the following happens:

  • You tell the Web application you want to log in with the OpenID protocol.

  • You enter your OpenID (more detail on this shortly) into the application's login screen.

  • The application sends you to the login screen for your OpenID provider.

  • If the provider accepts your credentials (normally, your user name and password), it asks you to confirm that your identity may be exported to the Web application, and if it may do so in the future as well. Obviously, if you indicate you are willing to share your identity with this Web application in the future, you will skip this step in the future.

  • Once allowed to export your identity to the Web application, you are returned to the original application you wanted to use, logged in and ready to use it.

Notice there are a few important differences here between OpenID and a “standard” login system. First, users authenticate against a different site from the one they are trying to use. This is similar to making a purchase via Google Checkout or PayPal, both of which require that users authenticate themselves and authorize the purchase amount on their own sites, rather than on the site belonging to the on-line store.

Some critics of OpenID say that users may be surprised or confused by the switch from one site to another, but I think Google Checkout and PayPal have demonstrated that a reasonable number of people are not put off by switching back and forth. Moreover, I have read that Firefox 3 will include some integrated OpenID support, which might remove some of the need to switch sites—or at least make it appear more integrated. However, I've been using the beta of Firefox 3 for several months and have yet to experience such integration.

And, although I use the term Web application, there is no requirement that OpenID be used only for Web-based applications. I expect that as OpenID takes hold, a large number of Internet-based applications, obviously including those that run on the Web, will use OpenID. However, there's no reason why non-Web applications and services couldn't use OpenID as well. I even can imagine a day when you might use OpenID to enter your house or confirm your identity to your burglar-alarm company. In the world of OpenID, end-user applications are known as consumers, just as the OpenID authentication systems are known as providers.
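The login steps listed earlier, written out as the messages the consumer and provider exchange; this is an added illustration, not code from the article. It assumes OpenID 2.0 field names, an HMAC-SHA256 association key that both sides already share, and constructed URLs and identifiers under example domains.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, urlencode, urlparse

NS = "http://specs.openid.net/auth/2.0"
# Constructed sample values: hypothetical provider, application and user.
OP_ENDPOINT = "https://provider.example/server"
RETURN_TO = "https://app.example/openid/return"
CLAIMED_ID = "https://provider.example/alice"
# MAC key assumed to be shared already through an OpenID association.
ASSOC = {"handle": "assoc-1", "key": secrets.token_bytes(32)}
SIGNED = "op_endpoint claimed_id identity return_to response_nonce assoc_handle".split()
seen_nonces = set()

def sign(fields, names):
    # Key-value form: one "name:value\n" line per signed field, then HMAC-SHA256.
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names)
    mac = hmac.new(ASSOC["key"], kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def consumer_redirect(claimed_id):
    """The application sends the browser to the provider's login screen."""
    q = {"openid.ns": NS, "openid.mode": "checkid_setup", "openid.return_to": RETURN_TO,
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.realm": "https://app.example/", "openid.assoc_handle": ASSOC["handle"]}
    return OP_ENDPOINT + "?" + urlencode(q)

def provider_assert(request_url):
    """After login and consent, the provider signs the identity and sends it back."""
    req = dict(parse_qsl(urlparse(request_url).query))
    f = {k: v for k, v in req.items() if k not in ("openid.mode", "openid.realm")}
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
    f.update({"openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
              "openid.response_nonce": nonce, "openid.signed": ",".join(SIGNED)})
    f["openid.sig"] = sign(f, SIGNED)
    return f["openid.return_to"] + "?" + urlencode(f)

def consumer_verify(response_url):
    """Return the claimed identifier only if every check passes, else None."""
    f = dict(parse_qsl(urlparse(response_url).query))
    names = f.get("openid.signed", "").split(",")
    if f.get("openid.mode") != "id_res" or not set(SIGNED) <= set(names):
        return None                      # not a positive, fully signed assertion
    if any("openid." + n not in f for n in names + ["sig"]):
        return None                      # a signed field or the signature is missing
    if not hmac.compare_digest(sign(f, names).encode(), f["openid.sig"].encode()):
        return None                      # altered in transit or forged
    if f["openid.return_to"] != RETURN_TO or f["openid.response_nonce"] in seen_nonces:
        return None                      # meant for another URL, or replayed
    seen_nonces.add(f["openid.response_nonce"])
    return f["openid.claimed_id"]
```

The sketch leaves out discovery of the provider from the identifier and a freshness window on the nonce timestamp, both of which a real consumer needs.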

Most OpenID providers authenticate users with a user name and password. Over time, we can expect them to go in other directions as well—for example, using biometric authentication systems. And, although OpenID providers currently offer their services for free, it's not hard to imagine a time in which some companies will charge for OpenID services, while others will support themselves via advertising. Because users can switch OpenID providers at any time, and because users have a choice as to which one they will use, we can expect both competition and ingenuity to be the rule.

One company, Vidoop, has a particularly interesting authentication mechanism, in which users select a pattern of images as their “password”. Each time a user wants to authenticate, a set of images—including those that the user has selected—appears on a 3x3 grid, with each image in a randomly selected location and a random letter placed next to it. This effectively creates a one-time password, which users enter by typing the letters associated with the ordered set of images they originally chose.

Finally, I should note that you can create and use as many OpenIDs as you like, just as you would normally create as many user names as you like on a Web site. Some people do this to separate their work ID from their personal ID, or just because they prefer not to put all of their eggs in one authentication basket. Regardless, OpenID allows you to do this—although it is ironic that a single sign-on solution would spur people to create multiple identities.





Anonymous

You make Firefox look like the best thing since sliced bread. Firefox is not as good as Opera and Safari; these two browsers are closed, so they are more secure. Try Opera on your Linux box. I use Safari on all my Macs. I did try the OS X version of Firefox; the UI and everything is ugly!


Anonymous

"Firefox is not as good as Opera and Safari; these two browsers are closed, so they are more secure."

Are you serious!? Obscurity is not security. Does obscurity work for IE?

Is it safe?

goblin

Well... Is it?