Dare to Trust OpenID - Providers Can Go Further
Providers can go a lot further than phishing-resistant passwords too. You
can bet that VeriSign, which
plays big in the market for strong authentication, sees OpenID as an
opportunity to improve authentication generally for consumers. It's certainly
the best shot consumers have now.
The decision is harder for services, I suppose. As a consumer, I can choose
with whom to store my OpenID credentials. A site can't decide that it will accept
OpenID credentials from some OpenID sites and not others—can it? Yes it can!
There are already sites that support OpenID log-ins, but are using a white list
of providers they will support, like AOL and
Yahoo! and VeriSign. Casual talk among techies often raves about the potential
for anyone to set up an OpenID provider, but in fact, such a provider is likely
to have little support in the real world. If, for example, Amazon.com
were ever to use OpenID as an authentication method, it wouldn’t allow you to
log on with evil-hackrrzz.org. (Grab that domain, it's available!)
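
A sketch of the provider white list described above, added here as an example; it is not code from the article or from any site it names. It assumes the relying party has already run OpenID discovery and checks the provider endpoint URL that discovery returned, not the identifier the user typed. The function name and the `.example` hosts are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder hosts. A real relying party would list the exact
# endpoint hosts of the providers it has chosen to trust.
TRUSTED_OP_HOSTS = frozenset({
    "openid.provider-a.example",
    "login.provider-b.example",
})


def is_trusted_op_endpoint(op_endpoint, trusted_hosts=TRUSTED_OP_HOSTS):
    """Return True only for an HTTPS endpoint on the default port, with no
    userinfo, whose host exactly matches an entry in the white list."""
    try:
        parts = urlsplit(op_endpoint.strip())
        port = parts.port  # raises ValueError on a malformed port
    except (AttributeError, ValueError):
        return False  # not a string, or not a parseable URL
    if parts.scheme != "https":
        return False  # plain HTTP lets a network attacker swap the provider
    if parts.username is not None or parts.password is not None:
        return False  # blocks https://trusted-host@other-host/ lookalikes
    if port not in (None, 443):
        return False
    # Exact match only: a suffix or substring test would also accept
    # openid.provider-a.example.evil-hackrrzz.org.
    host = (parts.hostname or "").rstrip(".").lower()
    return host in trusted_hosts
```

The same check belongs on the endpoint named in the provider's response, so a response from an unlisted provider is rejected even if discovery pointed somewhere trusted.
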
In the formal OpenID spec, there is no actual trust model between providers
and “relying parties,” which are the sites to which the user is logging in. All
that the communication with the provider shows is that a user with that ID
has a record at that site. In a sense it's at least as reliable as the
arbitrary names and passwords you use today to log in.
The more I think of OpenID, the more I think it's in the interests of all
legitimate parties. Even a site like Google that competes for users with other
big sites is better off, because it becomes easier for Yahoo users to access
services on Google. If all goes well, some day soon you may be able to shred
that piece of paper with your passwords written on it.
Security Center Editor Larry Seltzer has worked
in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.