One of the annoying things about surfing around the web is that just about every website you visit wants you to create an account for yourself. To make matters worse, all of those accounts want to know a lot of the same information about you: your name, your address, your phone number, etc. Not only is typing that information over and over again more likely to result in a typo, it’s also tedious.
Most websites also make you choose a username and password so that you can log in when you visit the site. If you’re like 99% of the other web surfers out there you make your username and password the same for all of the sites you visit. From a security perspective that’s a dangerous thing to do since it means that if any of those sites get compromised it may be possible for a hacker to learn your username and password and log into any of those other sites while masquerading as you.
Wouldn’t it be great if you could create your account information once and have that information shared across all of the websites you visit? How about logging into your account once and not having to log in again as you surf around the web? OpenID is an open-source technology which may someday be able to turn that promise into a reality. How does it work? Let’s check it out.
Getting an OpenID account
The first thing you have to do when using OpenID is, ironically, to create a new account. I know, I know — that’s exactly one of the things we’re trying to avoid with OpenID. Well, think of this step as a necessary evil. The idea is that you’ll create your OpenID account once and then you’ll be able to use that account on any site which supports OpenID.
So, where do you go to create this OpenID account? This is one of the more intriguing aspects of OpenID. There are actually a number of sites which allow you to create a free OpenID account and you’re free to use any of them. There are slight differences in the services, though — some of these services, for instance, allow you to use a secure (HTTPS) connection when you log in, while others don’t. Here’s a partial list of sites which you can use to create your account. You can, of course, create accounts at more than one of these sites, although that kind of flies in the face of the whole OpenID concept.
- AOL (if you already have an AOL account you can just use that as your OpenID account — check it out at http://openid.aol.com/screenname)
- http://pip.verisignlabs.com (Verisign calls their OpenID solution “PIP” – “Personal Identity Provider”)
- http://idproxy.net (lets you use your Yahoo ID as your OpenID)
The “username” which you get as a result of creating your account has a syntax that’s a bit different than what you’re used to seeing in a username — it looks more like a web address (instead of a username of “skippy” the username will be something like “skippy.pip.verisignlabs.com”). That’s certainly a bit harder to type but the idea is that you’ll only have to type it in once for your entire browsing session. The syntax used in that username is also instrumental in making the whole OpenID system work, and we’ll see why in the following example.
An OpenID Example
Rather than try to explain the process that a user goes through when he logs into a website using OpenID let’s just look at an example. Here’s what happens when you log into the OpenID-enabled site WikiTravel:
- You go to the WikiTravel site and enter your OpenID username (skippy.pip.verisignlabs.com, for instance). You don’t enter a password at this point — only your OpenID username.
- The WikiTravel site looks at your OpenID and determines which site you’re using as your OpenID provider. In the case of “skippy.pip.verisignlabs.com” the site knows that the OpenID provider is http://pip.verisignlabs.com.
- WikiTravel contacts that OpenID provider and passes it a few pieces of information, including the name of the OpenID username you’ve entered.
- Your browser redirects to the OpenID provider’s site (http://pip.verisignlabs.com). Your provider already knows the username that you’ve entered but now it wants you to enter your password.
- After you successfully enter your password the OpenID provider will ask you if you want to authorize the site you’re trying to hit (WikiTravel) to use your OpenID name. It’s at this point that the provider may also ask what, if any, additional information you’d like the provider to pass back to WikiTravel on your behalf. Maybe you’d like to pass back just your e-mail address, maybe you’d like to pass back your e-mail address and your shipping address, or maybe you’d like to pass everything back. (This is handled differently by different OpenID providers and is one of the features which distinguishes one provider from another.)
- Your browser sends you back to WikiTravel with a “cookie” signaling that you’ve successfully authenticated through your OpenID provider (http://pip.verisignlabs.com). At this point WikiTravel makes its own call to your OpenID provider to make sure that the entire transaction was handled properly.
- You get logged into WikiTravel and whatever personal information you authorized your OpenID provider to send to WikiTravel becomes part of your WikiTravel account.
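The steps above, played out in code. This is an added example and not code from the article, WikiTravel, or any OpenID provider: it models a relying party (the site you visit) and a provider as two Python classes in one process, so the browser redirects become plain function calls. The identity page, the provider endpoint URL, the return URL (https://rp.example/openid-return) and the password are constructed for the example. Discovery uses the OpenID 1.1 HTML link-tag mechanism, and the final check is the stateless “check_authentication” request the article describes in step 6, where the site hands the response back to the provider and asks whether the provider really signed it. The relying party also performs the checks a real implementation must make before trusting the assertion: the response came from the provider it discovered, was addressed to its own return URL, covers the important fields with the signature, and has not been replayed.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

def normalize_identifier(user_input):
    """Step 1: turn what the user typed ('skippy.pip.verisignlabs.com') into a URL."""
    url = user_input.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"

# Constructed identity page: what the relying party would fetch at the identifier
# URL. The link tag is the OpenID 1.1 HTML discovery mechanism (step 2).
IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://pip.verisignlabs.com/server">
</head><body>skippy</body></html>"""
SERVER_LINK_RE = re.compile(r'<link\s+rel="openid\.server"\s+href="([^"]+)"', re.I)

def discover(html):
    """Step 2: return the provider endpoint named on the identity page."""
    m = SERVER_LINK_RE.search(html)
    if m is None:
        raise ValueError("identity page carries no openid.server link")
    return m.group(1)

def kv_form(fields, signed):
    """OpenID key-value encoding of the signed fields: the bytes the HMAC covers."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed).encode()

class Provider:
    """Toy OpenID provider (the site the user actually logs in to). Password is constructed."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.users = {"http://skippy.pip.verisignlabs.com/": "correct horse"}
        self.secrets = {}  # assoc_handle -> HMAC key; never leaves the provider

    def checkid(self, identity, return_to, password):
        """Steps 4-5: check the password, then build and sign the positive assertion."""
        if self.users.get(identity) != password:
            return None  # the site never learns the password, only this verdict
        handle = secrets.token_hex(8)
        self.secrets[handle] = secrets.token_bytes(32)
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
                  "openid.op_endpoint": self.endpoint, "openid.claimed_id": identity,
                  "openid.identity": identity, "openid.return_to": return_to,
                  "openid.response_nonce": nonce, "openid.assoc_handle": handle}
        signed = ["op_endpoint", "claimed_id", "identity", "return_to",
                  "response_nonce", "assoc_handle"]
        fields["openid.signed"] = ",".join(signed)
        mac = hmac.new(self.secrets[handle], kv_form(fields, signed), hashlib.sha256).digest()
        fields["openid.sig"] = base64.b64encode(mac).decode()
        return fields

    def check_authentication(self, fields):
        """Step 6, provider side: recompute the HMAC and say whether the signature is ours."""
        key = self.secrets.get(fields.get("openid.assoc_handle"))
        if key is None:
            return False
        signed = fields.get("openid.signed", "").split(",")
        expected = hmac.new(key, kv_form(fields, signed), hashlib.sha256).digest()
        return hmac.compare_digest(base64.b64encode(expected).decode(), fields.get("openid.sig", ""))

class RelyingParty:
    """Toy relying party (WikiTravel in the article)."""
    MUST_SIGN = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"}

    def __init__(self, return_to):
        self.return_to = return_to
        self.seen_nonces = set()

    def begin(self, user_input):
        """Steps 1-3: normalize, discover the provider, build the redirect URL."""
        claimed = normalize_identifier(user_input)
        endpoint = discover(IDENTITY_PAGE)  # a real RP fetches `claimed` over HTTP here
        params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                  "openid.claimed_id": claimed, "openid.identity": claimed,
                  "openid.return_to": self.return_to}
        return endpoint, endpoint + "?" + urlencode(params)

    def complete(self, fields, expected_endpoint, provider):
        """Step 6, site side: the checks to make before trusting the returned assertion."""
        if fields.get("openid.mode") != "id_res":
            return False
        if fields.get("openid.op_endpoint") != expected_endpoint:  # from the provider we discovered?
            return False
        if fields.get("openid.return_to") != self.return_to:  # addressed to us?
            return False
        if not self.MUST_SIGN <= set(fields.get("openid.signed", "").split(",")):
            return False  # an unsigned identity or return_to could be swapped in transit
        nonce = fields.get("openid.response_nonce")
        if nonce in self.seen_nonces:  # replay of an earlier response
            return False
        if not provider.check_authentication(fields):  # the provider's own verdict
            return False
        self.seen_nonces.add(nonce)
        return True
```

In the example the relying party calls `provider.check_authentication` directly; in a deployment that is an HTTP POST to the provider endpoint with `openid.mode=check_authentication`, and the provider answers `is_valid:true` or `is_valid:false`. The endpoint check in `complete` is the site’s defence against assertions signed by some provider other than the one discovered from the user’s identifier; it does nothing for the user-side phishing problem discussed below, which the site cannot detect because the fake page is shown to the user, not to the site.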
It’s important to note that you still have an account at WikiTravel which contains your name, phone number, shipping address, etc., just like you would have had if you’d decided not to use your OpenID and had registered for an account the “normal” way. One benefit that using your OpenID account provides you is that you don’t have to enter all of that personal information, since you allowed the OpenID provider to share that information with WikiTravel.
From a security perspective OpenID tackles a number of issues. The most obvious security benefit is that you’ll no longer have your username and password stored at all of the sites you visit. Instead, those sites will have your OpenID, but won’t have your password stored anywhere and, in fact, won’t have any direct access to your password at all. Remember, the OpenID provider simply tells the site you’re visiting whether or not you logged on successfully, not what password you entered.
A less obvious security benefit has to do with the fact that many of the OpenID providers allow you to sign in using SSL (the “s” in “https”) so that the logon is encrypted and is protected from snoopers. Using one of these OpenID providers in essence makes the logon portion of all of the OpenID-enabled sites which you visit secure. Even if the site you’re visiting has no SSL capabilities, once you enter your OpenID you get redirected to the OpenID provider’s page, which will be using SSL, and that means that your entire logon transaction is encrypted.
There is one major concern regarding OpenID, though, and it has to do with a possible “phishing” attack. A phishing attack is when a site pretends to be another site in order to trick the user into entering information. In the case of OpenID the possibility exists that the site you’re visiting is either intentionally evil or has been compromised. You enter your OpenID and the site redirects you to a site that looks just like your OpenID provider’s site. Everything looks right to you so you enter your OpenID password. The “fake” provider site captures that username and password and can now log into other OpenID-enabled sites pretending to be you. How likely is that to happen? Not very, but it’s one of the major problems that the OpenID community is working to eliminate altogether.
The benefits of OpenID won’t be realized until there are more sites out there which allow users to register and logon using OpenID. At the moment there are only a handful of sites which are OpenID-enabled, although that list seems to be growing rather quickly (there are partial lists kept at http://www.openiddirectory and https://www.myopenid.com/directory). There are also extensions for popular applications like WordPress (via the WordPress OpenID Plugin) and PHPBB (via the PHPBB OpenID Extension) which make it easier for existing sites to retool themselves to accept OpenID registrations and logins.
Some of the larger players are also interested in OpenID, including AOL and Microsoft. AOL, in fact, recently created an OpenID account for each of their 63 million registered users (if you have an AOL account your OpenID name is http://openid.aol.com/screenname) and Microsoft has expressed interest in using OpenID in conjunction with its CardSpace initiative (built into Vista). Many other popular sites (such as Digg) have said that they’re planning on integrating OpenID, although that integration hasn’t shown up yet.
What OpenID is still missing is the “killer” application which will push the technology to the forefront of the internet. OpenID is already starting to gain a lot of traction — imagine what would happen if a company like Google would allow users to register using an OpenID account on any of their various properties (think GMail or YouTube). Until that killer application comes out, though, OpenID will have to just continue to gain momentum one site at a time.
OpenID is a great solution to a number of vexing internet problems. If you happen to notice that one of the sites you visit is now accepting OpenID registrations and/or logons go ahead and try it out. If none of the sites you visit can handle OpenID yet you can always see how it works on the WikiTravel site. Either way I think you’ll find it a simple, elegant solution to the problem of identity on the world-wide web.