
For end users like you and me, the Internet can be a very fractured place. With each new website, message forum, or networking site, the list of user accounts a user has to maintain can become rather lengthy; don’t you wish you could consolidate all of these accounts under one “banner”? OpenID and the OpenID Foundation are looking to do just that. Instead of being run-of-the-mill password management software, OpenID is a whole protocol foundation, which opens up some fantastic new opportunities.
At its base, a user’s OpenID is a single digital identity that lets you prove who you are across multiple websites. There are a few distinguishing characteristics that set OpenID apart from a single sign-on service like Microsoft Passport. For one, OpenID is an open standard (though not open-source, at least as far as I understand it) that is completely free for any website to adopt and build services on, or even for a website to become an OpenID provider. Two, instead of providing a user name or email address, you actually identify yourself with a web address under an OpenID provider’s domain. For example, if PaulTech were to become an OpenID provider, you would create a Persona with PaulTech that would be supplied to every website you log into via your OpenID identifier.
Your PaulTech identifier would look something like this:
http://username.gopaultech.com/
Once you verify that you indeed want the sample website to use the identifier of your choice (you are not limited to a single identifier), you have to authenticate at your OpenID provider’s website, in this case PaulTech. Once this is done, you approve the exchange and you’re logged in. This seems like a lot of site jumping, but every website I’ve come across with OpenID has made it completely automatic to log in, verify, and approve your trust root. Your “trust root” basically says that you are willing to provide your identity to the sample website, and there are options to provide it once, provide it forever, or not provide it at all. The trust root is an important part of the process; phishers may attempt a “man-in-the-middle” style snatch, which would give them access to your identity, though no control over how it’s used or the capability to change the information contained therein.
There are some concerns over OpenID security, however, mostly at the OpenID providers themselves. If a provider’s database is compromised, a hacker would be able to change and manipulate your OpenID persona. The danger here is mitigated by the existence of many, many OpenID providers: a security breach of Yahoo!’s provider database will only compromise Yahoo! provider users. Therefore, the onus of database security falls on the provider, and you should use providers you trust; who you trust is entirely up to you as a user. The OpenID transaction also places some new responsibilities on the end user: the “quality” of the persona transaction is entirely up to the user. Haphazardly releasing your persona to every website you log in to is just fine, as long as you pay attention that the websites you are using are actually the ones receiving your persona.
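To make the login, verify, and approve steps above concrete, here is a small in-process simulation of the exchange. It is an added example written for this post, not code from OpenID.net or any provider: a relying party (the sample website) asks the provider to vouch for an identifier such as http://username.gopaultech.com/, the provider checks that the return address lies inside the trust root and that the user approved it, and then signs the assertion with a secret shared earlier. The relying party accepts the assertion only if the signature, the return address, and a fresh nonce all check out, which is what stops a tampered or replayed response from logging someone in. Real OpenID moves these messages through browser redirects and negotiates the shared secret with Diffie-Hellman; the hostnames gopaultech.com and sample-site.example are hypothetical, and the nonce format is simplified.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse


def sign(key, fields, signed):
    """HMAC-SHA256 over the key-value form of the listed fields (OpenID 2.0 style)."""
    body = "".join(f"{n}:{fields.get('openid.' + n, '')}\n" for n in signed.split(","))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def return_to_matches_realm(return_to, realm):
    """The trust root (realm) must cover return_to: same scheme, matching host, path prefix."""
    rt, rl = urlparse(return_to), urlparse(realm)
    if rt.scheme != rl.scheme or not rt.hostname or not rl.hostname:
        return False
    if rl.hostname.startswith("*."):
        host_ok = rt.hostname.endswith(rl.hostname[1:])   # wildcard realm, e.g. *.site.example
    else:
        host_ok = rt.hostname == rl.hostname
    return host_ok and rt.path.startswith(rl.path or "/")


class Provider:
    """Stands in for an OpenID provider (the post's hypothetical gopaultech.com)."""

    def __init__(self, domain):
        self.domain = domain
        self.associations = {}   # assoc_handle -> shared MAC key
        self.approved = set()    # (identifier, realm) pairs the user chose "provide forever"

    def associate(self):
        """Association step: hand the relying party a handle and a shared secret."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def checkid_setup(self, req, user_approves):
        """Called once the user has authenticated at the provider."""
        identifier, realm = req["openid.claimed_id"], req["openid.realm"]
        return_to = req["openid.return_to"]
        key = self.associations.get(req["openid.assoc_handle"])
        host = urlparse(identifier).hostname or ""
        # Only vouch for identifiers this provider hosts, and only to a return address
        # that the claimed trust root actually covers; anything else is cancelled.
        if key is None or not host.endswith("." + self.domain):
            return {"openid.mode": "cancel"}
        if not return_to_matches_realm(return_to, realm):
            return {"openid.mode": "cancel"}
        if (identifier, realm) not in self.approved:
            if not user_approves(realm):          # the "provide once / forever / never" prompt
                return {"openid.mode": "cancel"}
            self.approved.add((identifier, realm))
        resp = {
            "openid.mode": "id_res",
            "openid.claimed_id": identifier,
            "openid.return_to": return_to,
            "openid.assoc_handle": req["openid.assoc_handle"],
            "openid.response_nonce": secrets.token_hex(8),   # simplified nonce
            "openid.signed": "mode,claimed_id,return_to,assoc_handle,response_nonce",
        }
        resp["openid.sig"] = sign(key, resp, resp["openid.signed"])
        return resp


class RelyingParty:
    """The website the user is logging into; realm is its trust root."""

    def __init__(self, realm, return_to, provider):
        self.realm, self.return_to = realm, return_to
        self.handle, self.key = provider.associate()
        self.seen_nonces = set()

    def begin(self, identifier):
        return {"openid.mode": "checkid_setup", "openid.claimed_id": identifier,
                "openid.return_to": self.return_to, "openid.realm": self.realm,
                "openid.assoc_handle": self.handle}

    def complete(self, resp):
        """Return the verified identifier, or None if the assertion is not acceptable."""
        if resp.get("openid.mode") != "id_res":
            return None
        if resp.get("openid.return_to") != self.return_to:
            return None                           # assertion was meant for another site
        if resp.get("openid.assoc_handle") != self.handle:
            return None
        signed = resp.get("openid.signed", "").split(",")
        if any(f not in signed for f in ("mode", "claimed_id", "return_to", "response_nonce")):
            return None                           # a field we rely on was left unsigned
        expected = sign(self.key, resp, resp["openid.signed"])
        if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
            return None                           # tampered in transit or forged outright
        if resp["openid.response_nonce"] in self.seen_nonces:
            return None                           # replay of an earlier assertion
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"]


def run_login(rp, provider, identifier, approve=lambda realm: True, tamper=None):
    """Drive one login: relying party -> provider -> (optional tampering) -> relying party."""
    resp = provider.checkid_setup(rp.begin(identifier), approve)
    if tamper:
        resp = tamper(dict(resp))
    return rp.complete(resp)
```

Calling `run_login(rp, provider, "http://username.gopaultech.com/")` returns the identifier on a clean exchange; a response whose claimed identifier was altered, a request whose return address falls outside the trust root, a declined approval prompt, or a replayed response all come back as `None`.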
Now, if you really would like to check out this new technology, you’ll need a list of OpenID providers, found here at the OpenID wiki. Personally, I stuck with myOpenID, the first provider on that list.
If you’re worried about OpenID not catching on, well, don’t be. With companies like AOL, Google, IBM, Microsoft, Myspace, Verisign, Symantec, and Yahoo! acting as OpenID providers, I’m fairly sure 90+% of the Internet is in reach. Other websites, like LiveJournal, SourceForge, WordPress, and the BBC, support OpenID as well. Also, if you’re a “Digg”-er, rumors of them moving to OpenID have started to surface.
The only question is: How long until Facebook falls?
Pictures courtesy of: Pibb, myOpenID, OpenID.net;