OpenID

OpenID is an open, decentralized framework for identity management. In other words, it’s a scheme for a single sign-on username and password that any website can use.

It’s an interesting idea, and I like the thought of having a single definitive presence online. However, I can think of several reservations:

Security is an obvious one. The most secure system in the world is still potentially useless if the human being at one end is willing to share their credentials (e.g. their password) willy-nilly. I’ve seen too many office workers who stick their system password to their monitor on a post-it note, let alone the hordes who seem content to swap their passwords for chocolate. Even IT professionals aren’t immune from being tricked into giving up their passwords; in fact, according to some beer-mat statistics, they might even be worse. If one password is all you need to access many resources, the potential damage if that password is compromised is that much higher.

Privacy is another issue. If logins are unique on a per-site basis, it’s harder for a profiler to collect information from multiple sources and tie it to an individual. If you know that an individual has the same identity on multiple sites, collecting that information becomes trivial. Privacy is a funny one, though, because that ability to link data across different contexts is potentially a powerfully useful one in terms of user enablement.
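To make the linkability point concrete, here is a small added illustration (not code from the post): two sites each hold a list of the identifiers their users signed in with, and a profiler who obtains both lists simply intersects them. With one global identity the intersection is the user; with a per-site pseudonym derived by the identity provider (what later OpenID Connect calls a "pairwise" subject identifier, and OpenID 2.0 offered as "directed identity") the intersection is empty, though the provider itself can still relate everything. The site names, user names and issuer secret are constructed for the demo.

```python
"""Linkability of a shared identity versus per-site pairwise identifiers.

Added illustration, not from the original post. Sites, users and the
issuer secret below are constructed sample data.
"""
import hashlib
import hmac

# Constructed sample: the users each site has seen, by the name the
# identity provider would hand the site at sign-in.
SITES = {
    "asterisk-list.example": ["alice", "bob"],
    "reviews.example": ["alice", "carol"],
}

# Secret held only by the identity provider (constructed for the demo).
ISSUER_SECRET = b"constructed-demo-secret"


def global_identifier(user, site):
    """A single definitive identity: the same URL at every site."""
    return "https://idp.example/" + user


def pairwise_identifier(user, site, secret=ISSUER_SECRET):
    """A per-site pseudonym: HMAC-SHA256 over (site, user) keyed with the
    provider's secret, so the same user gets an unrelated identifier at
    each site and only the provider can map them back together."""
    message = (site + "\0" + user).encode("utf-8")
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return "https://idp.example/p/" + digest[:16]


def identifiers_seen_by(site, id_fn):
    """The set of identifiers a site stores for its users."""
    return {id_fn(user, site) for user in SITES[site]}


def profiler_join(id_fn):
    """What a third party holding both sites' user lists can link:
    identifiers that appear at both sites."""
    site_a, site_b = SITES
    return identifiers_seen_by(site_a, id_fn) & identifiers_seen_by(site_b, id_fn)


def provider_relink(user, id_fn):
    """The identity provider knows the secret, so it can still tie one
    user's identifiers across every site."""
    return {site: id_fn(user, site) for site in SITES}


if __name__ == "__main__":
    print("global identity, profiler can link:", profiler_join(global_identifier))
    print("pairwise identity, profiler can link:", profiler_join(pairwise_identifier))
    print("provider's view of alice:", provider_relink("alice", pairwise_identifier))
```

The pairwise scheme only moves the trust: the profiler loses the join, but the provider keeps a complete view, which is the same concentration of trust the post worries about in its security paragraph.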

There are pragmatic issues to consider as well: for such a system to succeed, it has to be popular and widely implemented. This requires some big companies to forgo the significant corporate advantage of holding their own authentication data. It might be somewhat naive to hope this will happen without considerable rewards for doing so.

I’m sure commenters can think of several others; despite all that, though, I’m still cautiously liking the idea. I can’t help it, I’m a romantic fool cursed with cynicism.

4 Responses to “OpenID”

  1. Fab Says:

    “I can’t help it, I’m a romantic fool cursed with cynicism”

    LOL I like that. Although it would appear to be a very Irish/Welsh sort of thing.

    The other flaw that comes to mind is the general issue of identity theft. Never mind giving someone your password, if they have the details of your one profile, you might as well give them your passport too! Wouldn’t this system be a similar victim to Microsoft in that if you are too successful all the hackers will go after it. Being anonymous is sometimes better security than actually being secure.

  2. Minotaur Says:

    Security is definitely the big one. OpenID differs from other attempts to provide single sign-on infrastructure in that you can run your own OpenID authentication system on your own servers, unlike Passport and other similar schemes that required you to hand your life to Microsoft on a plate.

    However, I’m still yet to be convinced about the value of single sign-on for the net at large. Sure, it’s great to have SSO in a corporate environment where my login applies to the computer, the phone, my email, an online CRM package, etc. etc., but in most net usage there really shouldn’t need to *be* any connection between my activities on one site and my activities on another.

    I mean, would I want the readership of the asterisk mailing list being able to link me to my hentai reviews? ;-)

  3. yamahito Says:

    One advantage is that you don’t have to worry about people not knowing whether yamahito from yamahito.net is the same yamahito as yamahito.com - or worry about people registering your identity on another website before you have the chance to.

  4. SilentBob Says:

    Microsoft kind of tried it with Passport, and encouraged large sites to partner with them, and that turned out to be a fairly big failure (and is now pretty much solely used by Microsoft), so an open alternative is probably even less likely to succeed (unless people like Google spend loads of money to convince people to sign up, but Google seem quite happy to convince everyone to create a Google account and use all of their free services in return for a slight invasion of privacy). People might be more likely to adopt it if people can run their own servers, but I am curious as to what information is shared between servers to make OpenID work. And what happens if there’s a rogue server? What if an OpenID sign on is really a phishing site? Once they have your one and only password, they can go anywhere they like and log in as you.

    Most people involved in IT security will tell you that password reuse is a bad thing, but a lot of people like the idea of single sign-on, and the two are somewhat mutually exclusive. Remembering and typing passwords is a bit of a pain, but alternatives (certificates, tokens) aren’t convenient, and half of the web still seems happy to communicate over HTTP (take this comment, for instance).

    Minotaur says there shouldn’t need to be any connection between most sites, and I agree. But with the increase in Web 2.0 there seems to be a push for interaction between sites, and convenience is often being picked over security.

    As for IT people revealing their password for chocolate, I’d like to think that they revealed a password and not their password. The others probably did reveal their actual password, and it’s probably the same password they use for MSN. Fools.
