Dec 03

Logins That Make Sense

OpenID is a technology that is long overdue. The way identity is secured on the Internet is, essentially, backwards: not because of intentional wrongdoing by governments or the information technology community, or some nefarious plot, but because the Internet is a work in progress that caught the world by surprise.

The way identity is commonly established on the Internet is the username-password pair. Some sites go further, with a second layer of passwords or visual recognition cues, but the username-password combination is the basis on which people do most of their business on the Internet. There are other technologies for specialized tasks, such as GnuPG and PGP, but the complexity and burden these tools place on the average user are still prohibitive.

Instead, we are required to maintain a username-password list for, in many cases, dozens of sites, each with its own specific requirements and login procedures. It is very trying, as they say. Although this compartmentalizes access between sites (a password stolen from one site does not open the others), it is clumsy and impractical.

This is where OpenID steps in. OpenID lets a website (the relying party) accept an authentication that has already been performed at another site (the OpenID provider). The relying party never receives your password for that provider; it receives a signed assertion that you are who the provider says you are, and accepts it, eliminating a redundant step in the authentication process.

There are a number of OpenID providers and sites using the technology, and so far its reputation for security has been spotless. OpenID provides a new level of integration and sensible security that can pave the way for an improved Internet experience.

OpenID Foundation website


One Response to “What Is Open ID?”

  1. Internet Security Researcher says:

    In theory – but Open ID does not and cannot trivially implement trust. Trust is one of the hardest parts of security.

    Imagine this scenario:
    You have a service that you wish to protect from abusive use. So you need authentication and authorisation. You employ a rigorous verification mechanism to ensure that only valid accounts may be created and will be able to use your service, and not an adversary. You use the Open ID mechanism to manage your user accounts. An adversary creates an Open ID with a service elsewhere that requires a lower level of verification. Your service now cannot tell the difference between the user who you have verified, and any other Open ID account holder, so the adversary now has access to your service.

    This is solved by trust: your service does not trust other Open ID account authorisers (authorities) – but now we don’t have a web-wide Open ID mechanism, we have a standard way of managing account information, which is not much different from a software architect selecting PAM as a back-end security mechanism, rather than Open ID.

    It’s trust that needs solving for most of these problems, not security. It’s trust that breaks most of the easy-to-use mechanisms, as easy-to-use normally means compromise on trust.
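Worked example, added here and not part of the post, the comment above, or any OpenID library: a relying party checking an OpenID 2.0 positive assertion the way the post describes (it verifies the provider's signature over the assertion and never sees a password), and then applying the trust policy the commenter asks for, so that a correctly signed assertion from a provider the site has not chosen to trust is still rejected. The provider endpoints, identifiers and association keys are made up, and the association step (the shared HMAC key between relying party and provider) is assumed to have already happened; a real relying party establishes it with the provider's association request or falls back to a check_authentication round trip.

```python
"""Relying-party check of an OpenID 2.0 positive assertion ("id_res").

Added illustration only: not code from the post, the commenter, or any
OpenID library. Endpoints, identifiers and keys are made up.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: the RP already holds an association (shared MAC key) with
# each provider it has talked to, indexed by association handle. Real
# OpenID 2.0 sets these up with an association request; here they are
# just random in-memory keys.
ASSOCIATIONS = {
    "assoc-strict": secrets.token_bytes(32),
    "assoc-weak": secrets.token_bytes(32),
}

# Trust policy (the commenter's point): providers this RP accepts and the
# assurance level it grants their users. Any other provider's assertion
# is rejected even when its signature is valid.
TRUSTED_OPS = {
    "https://op.strict.example/openid": "verified",
}

# Fields OpenID 2.0 requires to be covered by the signature.
REQUIRED_SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
                   "response_nonce", "assoc_handle"]


def kv_form(fields, params):
    """Key-value form (OpenID 2.0 sec. 4.1.1) over the named fields."""
    return "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields)


def op_sign_assertion(op_endpoint, claimed_id, return_to, assoc_handle):
    """Provider side: build a positive assertion and HMAC-SHA256 sign it."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        # UTC timestamp plus random suffix, unique per response
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        + secrets.token_urlsafe(8),
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    mac = hmac.new(ASSOCIATIONS[assoc_handle],
                   kv_form(REQUIRED_SIGNED, params).encode(), hashlib.sha256)
    params["openid.sig"] = base64.b64encode(mac.digest()).decode()
    return params


class RelyingParty:
    def __init__(self, return_to):
        self.return_to = return_to
        self.seen_nonces = set()  # replay protection

    def verify(self, params):
        """Return (accepted, reason, assurance). No password is ever seen."""
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion", None
        if params.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch", None
        signed = params.get("openid.signed", "").split(",")
        if not set(REQUIRED_SIGNED) <= set(signed):
            return False, "required fields not covered by signature", None
        key = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
        if key is None:
            return False, "unknown association handle", None
        expected = hmac.new(key, kv_form(signed, params).encode(),
                            hashlib.sha256).digest()
        try:
            given = base64.b64decode(params.get("openid.sig", ""))
        except ValueError:
            return False, "malformed signature", None
        if not hmac.compare_digest(expected, given):
            return False, "bad signature", None
        nonce = params.get("openid.response_nonce", "")
        if nonce in self.seen_nonces:  # a real RP also drops stale nonces
            return False, "replayed nonce", None
        self.seen_nonces.add(nonce)
        # The signature only proves *which* provider vouched; the RP must
        # still decide whether it trusts that provider at all.
        assurance = TRUSTED_OPS.get(params.get("openid.op_endpoint", ""))
        if assurance is None:
            return False, "untrusted provider", None
        return True, "ok", assurance


def demo():
    """Constructed scenarios: honest login, replay, low-assurance OP, tampering."""
    rp = RelyingParty("https://rp.example/login/return")
    strict = op_sign_assertion("https://op.strict.example/openid",
                               "https://alice.op.strict.example/",
                               rp.return_to, "assoc-strict")
    weak = op_sign_assertion("https://op.weak.example/openid",
                             "https://mallory.op.weak.example/",
                             rp.return_to, "assoc-weak")
    tampered = dict(strict, **{"openid.claimed_id": "https://bob.op.strict.example/"})
    return {
        "honest": rp.verify(strict),
        "replay": rp.verify(strict),
        "weak_op": rp.verify(weak),
        "tampered": rp.verify(tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The order of checks matters: the signature is verified before the nonce is recorded, so a tampered copy of a replayed message is reported as a bad signature rather than consuming a nonce, and the provider allowlist is applied last, after the assertion is known to be genuine. The "weak_op" case is the commenter's adversary: the assertion is perfectly valid, and it is still refused, because accepting it would make the strict provider's vetting meaningless.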
