OpenID Makes Account Login Easier
Thursday, 31 January 2008
OpenID has been getting a lot of press lately. Part of this attention comes from the widespread hope that OpenID becomes the solution to our online identity management problem. After all, no one likes creating more accounts when there could be a single sign-on identification system. The good news is you may already have an OpenID if you use some of the popular online services. The bad news is not everyone has embraced this URL-based identity system.

What is OpenID and why would I want one?

OpenID is a system developed by Brad Fitzpatrick that simplifies your online identity management. As we move through the Internet, we interact with many websites. These websites might store your photos or project information. They could also be websites where you wish to join an online conversation. Regardless of the intent, these websites want you to first identify yourself. In a day, you might type a half dozen usernames and passwords. But what if websites allowed you to use a universal or single sign-on to identify you?

The single sign-on concept isn’t new. If you’ve created a Google account, you know your username and password work throughout their domain. I can use my Gmail account in Google Calendar, Gmail, Webmaster Central, AdWords and so on. In this case, Google handles the account verification.

The appeal of OpenID is that you can go between domains. For example, the same OpenID I use to sign on to Basecamp.com can be used to log into Plaxo.com. I don’t need to remember the account specifics for each site since my identifier is constant. I simply use my OpenID URL to log in.

Where can I use OpenID?

You can already use OpenID on thousands of websites. These sites either reference OpenID or display the OpenID logo as shown in the thumbnail below. There is also a searchable OpenID directory.

[Image: OpenID logo]

One reason OpenID has gained interest is several big players have pledged their support. Of particular interest is Yahoo!, which controls many web properties. The other advantage is that many people have a Yahoo! ID.

In the thumbnail below, the site pibb.com allows me to log in using three methods that I’ve labeled. You’ll note that item 1 allows me to sign in to this site through Yahoo!, which in this case is acting as an OpenID provider. I could just as easily use my own OpenID provider (2). Moreover, many popular online services, such as AOL, Technorati, and Blogger to name a few, are also OpenID providers. As you can see, OpenID is vendor neutral.

[Image: OpenID logon example on pibb.com]

What is an OpenID provider?

An OpenID provider plays a key role in the process. They are the service that validates you using their identity server. They also keep track of your relationships with sites. Unlike previous identification systems like Microsoft’s Passport, which relied on one provider, OpenID has many providers offering identity servers. This is one reason why OpenID is called a distributed system. No identity provider controls the system.

I should mention that validation is different from verification. Verification usually means proving your identity to a service. In other words, an OpenID provider isn’t going to ask me to prove who I am by coming into an office with a picture ID. Instead, I can validate my account by knowing my password (in the case of Yahoo!) or proving I have control of an email address or domain name. This is comparable to the procedure you would encounter if you created an account with a website.

There are many OpenID providers with differing services and privacy policies. Some are common names like Yahoo!, AOL and Blogger. The advantage to these providers is many people already have a relationship with the company.

You’re not limited to just these providers and you can use more than one OpenID provider. Since the OpenID provider knows the relationship you have with other websites, you may want to maintain several providers. For example, you may wish to have one identity for work and another for home.

Some OpenID providers, such as myOpenID and VeriSign's Personal Identity Provider, offer additional services. myOpenID allows you to create a public identity page. You might think of this as an enhanced contact card where you choose what information to display. VeriSign Labs provides a Firefox add-on called Seatbelt that detects if you’re on a web page that allows OpenID. You can also hot swap between OpenIDs from different providers. As an example, I added myOpenID to the Firefox Seatbelt add-on.

[Image: Firefox Seatbelt add-on with multiple OpenID providers]

What do I need to get an OpenID?

Creating an OpenID is easy. After testing three providers, I would say the hardest part was figuring out the CAPTCHA. Each of the providers I tested used CAPTCHA to thwart computer-generated accounts from spammers.

To create an OpenID,

1. Find an OpenID provider that you like. OpenID.net maintains a nice listing with tips.

2. Read the Privacy Policy for your provider.

3. Create your account.

4. Activate your account. Most services send an email confirmation message to you.

5. Note your OpenID URL. It usually follows the convention of http://account_name.openid_provider.com/ but may vary for security reasons.

6. Test your OpenID on a service you use or on pibb.com.

When you test your OpenID, you’ll see that once you enter your OpenID URL, the website temporarily redirects you to your OpenID provider. You can then create a relationship with the site and exchange data if you wish. Once you’re authenticated, you’re sent back to the website.

OpenID Concerns

OpenID is an evolving system that solves a problem many people run into and raises concerns for others. Some people are concerned with phishing attacks. They worry that someone could set up a site that requests your OpenID but rather than redirecting you to your OpenID provider, they put up a fake page and capture your information. The concern is valid, but each of the providers I tested had features you could enable to detect this problem. You can also hear a good Security Now! podcast (episode #11) on this topic, which discusses some of these issues. As the podcast above mentions, you should get in the habit of looking at your browser to make sure you’re on a secure site.
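The redirect-and-return flow described under “Test your OpenID” and the fake-provider-page concern above are easier to reason about with both sides written out. The following is an added example, not code from the article or from any OpenID provider: a simplified OpenID 2.0 exchange in which the relying party normalizes the typed identifier, redirects the browser to the provider, and, when the browser comes back, checks the provider’s signed assertion before trusting it. The provider endpoint, relying-party URLs, MAC key and nonce are constructed for the demonstration (a real relying party discovers the endpoint from the identifier and negotiates the key in an association step); the signing method (HMAC over the key:value form of the fields named in openid.signed) follows the OpenID 2.0 specification.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed values for the demonstration; a real relying party finds the
# provider endpoint by discovery on the user's identifier.
PROVIDER_ENDPOINT = "https://provider.example/openid/server"
RP_RETURN_TO = "https://rp.example/openid/return"
RP_REALM = "https://rp.example/"
OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields the provider signs; OpenID 2.0 requires at least op_endpoint,
# return_to, response_nonce and assoc_handle (plus claimed_id/identity if present).
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def normalize_identifier(user_input):
    """Turn what the user typed into a canonical OpenID URL (OpenID 2.0 sec. 7.2):
    add http:// when no scheme is given, drop any fragment, lowercase scheme and
    host, and use "/" for an empty path."""
    s = user_input.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlparse(s)
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", p.query, ""))


def build_checkid_redirect(claimed_id, op_endpoint, return_to, assoc_handle):
    """Relying party side: the URL the browser is sent to at the provider."""
    params = {
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.realm": RP_REALM,
        "openid.assoc_handle": assoc_handle,
    }
    return op_endpoint + "?" + urlencode(params)


def sign(mac_key, fields, values):
    """HMAC-SHA256 over the key:value form of the signed fields, base64 encoded."""
    kv = "".join(f"{k}:{values['openid.' + k]}\n" for k in fields)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def provider_positive_assertion(mac_key, assoc_handle, request, nonce):
    """Provider side: the signed response carried back to return_to after login."""
    resp = {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": PROVIDER_ENDPOINT,
        "openid.claimed_id": request["openid.claimed_id"],
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
        "openid.response_nonce": nonce, "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    resp["openid.sig"] = sign(mac_key, SIGNED_FIELDS, resp)
    return resp


def verify_assertion(resp, mac_key, expected_return_to, expected_op_endpoint, seen_nonces):
    """Relying party side: checks made before the returning user is trusted."""
    if resp.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if resp.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match the URL we are receiving on"
    if resp.get("openid.op_endpoint") != expected_op_endpoint:
        return False, "assertion did not come from the provider we discovered"
    nonce = resp.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        return False, "nonce replayed"
    signed = resp.get("openid.signed", "").split(",")
    for required in ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"):
        if required not in signed:
            return False, f"{required} not covered by signature"
    if not hmac.compare_digest(sign(mac_key, signed, resp), resp.get("openid.sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, resp["openid.claimed_id"]


def on_expected_provider(address_bar_url, op_endpoint):
    """User side: the habit the phishing concern calls for. Before typing a
    password, the host in the address bar must be the provider's host over HTTPS."""
    shown, expected = urlparse(address_bar_url), urlparse(op_endpoint)
    return shown.scheme == "https" and shown.hostname == expected.hostname


def demo():
    mac_key = secrets.token_bytes(32)  # constructed stand-in for the association's shared key
    assoc_handle = "assoc-demo-1"
    claimed = normalize_identifier("alice.provider.example")
    redirect = build_checkid_redirect(claimed, PROVIDER_ENDPOINT, RP_RETURN_TO, assoc_handle)
    request = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    resp = provider_positive_assertion(mac_key, assoc_handle, request, "2008-01-31T12:00:00Zdemo")
    seen = set()
    first = verify_assertion(resp, mac_key, RP_RETURN_TO, PROVIDER_ENDPOINT, seen)
    replay = verify_assertion(resp, mac_key, RP_RETURN_TO, PROVIDER_ENDPOINT, seen)
    altered = dict(resp, **{"openid.claimed_id": "http://someone-else.provider.example/"})
    tampered = verify_assertion(altered, mac_key, RP_RETURN_TO, PROVIDER_ENDPOINT, set())
    return {"first": first, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The three outcomes from demo() show why the relying party's checks matter: the genuine response is accepted, presenting the same response a second time is rejected by the nonce check, and a response whose claimed identity was changed on the way back fails the signature check. on_expected_provider() captures the user-side habit the article recommends: the password is only typed when the address bar shows the provider's own host over HTTPS, which is exactly what a fake page standing in for the provider cannot show.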

Other people are more concerned that these OpenID providers know too much about you. Although it’s true that these providers do know sites you have a relationship with, I’m not certain it’s too much information. Part of this problem can be addressed by using several providers. Once you have an OpenID you’re not required to use it on every site that allows it. You can still maintain direct relationships with websites. You can also remove a relationship you have with an OpenID provider.

Fortunately, OpenID lets you go at your own pace. The easiest way to start is to try the service on a website where you’ve not created an account login. As you become used to the service, try converting an existing web account login to an OpenID login. This can be a bit trickier, as some sites are still learning how to implement OpenID. If you find you don’t like having a single login or have security concerns, you can delete the relationships with your OpenID provider.

Last Updated ( Wednesday, 16 April 2008 )