If you run a Web site-let’s say a storefront-that manages user information, you need to authenticate your users. It’s dangerous business, but you have to do it and you have to do it well. Screwing up could ruin your reputation.
And yet you’re also part of a big problem for users: the proliferation of IDs. Think of all the log-ins you have all over the Web. Some sites have you log in with a username, which is probably the same as your username on all others. And some have you log in with an e-mail address (a pretty good system in its day). And then you need a password. Do you use the same one everywhere? Not a good idea; one of those sites gets compromised and your ID everywhere else is compromised. Plus, you’re not in the authentication business, so you’re probably not going to do the best job possible.
There are personal solutions available, like RoboForm, but the Internet needs a systemic solution, and one is available in the form of OpenID. OpenID is a standard for authentication by third parties. Instead of asking you for your log-in, a site could ask you for your OpenID, which takes the form of a URL, such as myname.openid-provider.net. In fact, with the newer 2.0 version of OpenID, you may just have to provide the domain, such as yahoo.com (yes, Yahoo supports such usage for its members).
At this point, the process is redirected through an HTTP 302 redirect to that provider, which authenticates you by whatever means have been arranged. It could just ask for a password, but it could be stricter than that. For instance, it could demand two-factor authentication, such as that I discussed in a recent column. Some sites, such as VeriSign Labs’ and Ping Identity’s SignOn.com, have added phishing-resistant log-ins with features reminiscent of Bank of America’s SiteKey. Oh, and I have to mention VeriSign’s OpenID Firefox plugin, SeatBelt.
And there’s a fair amount of excitement around OpenID among third parties, tops of which is the news that Google, IBM, Microsoft, VeriSign and Yahoo have joined the board of the OpenID Foundation. The foundation doesn’t own the standards of OpenID per se, but facilitates the standards and development process. With a board like that, OpenID is either unstoppable or doomed. I don’t see why this group would conspire against OpenID, so I’ll just assume it’s a good thing for now.
So can you trust OpenID? Paul Ferguson, a senior techie at Trend Micro, says (in what appears to be a personal blog) no. I know Paul from security mailing lists and he’s got a point, but I think he throws out the baby with the bathwater. His point is that you, the user, have to trust that the OpenID provider will securely store your credentials and handle them responsibly, and that they could easily screw this up. Therefore, he won’t be using it.
I also think that I wouldn’t trust just any OpenID provider, but I would trust, for example, VeriSign, which has been in the OpenID provider business from the very early days. VeriSign is high on it, and (for what it’s worth) the company even goes to the trouble of putting an EV SSL certificate on the site. Why do I trust VeriSign? I don’t know, call me naive, but it runs trusted authentication infrastructure for very big businesses. Seems to me the industry as a whole has bought into OpenID in theory, and if anyone can implement it well, VeriSign can.
Providers Can Go Further
Providers can go a lot further than phishing-resistant passwords too. You can bet that VeriSign, which plays big in the market for strong authentication, sees OpenID as an opportunity to improve authentication generally for consumers. It’s certainly the best shot consumers have now.
The decision is harder for services, I suppose. As a consumer, I can choose with whom to store my OpenID credentials. A site can’t decide that it will accept OpenID credentials from some OpenID sites and not others-can it? Yes it can! There are already sites that support OpenID log-ins, but are using a white list of providers they will support, like AOL and Yahoo! and VeriSign. Casual talk among techies often raves about the potential for anyone to set up an OpenID provider, but in fact, it’s likely to be a provider with little support in the real world. If, for example, Amazon.com were ever to use OpenID as an authentication method, it wouldn’t allow you to log on with evil-hackrrzz.org. (Grab that domain, it’s available!)
In the formal OpenID spec, there is no actual trust model between providers and “relying parties,” which are the sites to which the user is logging in. All the communication with the provider shows is that there is a user with that ID with a record at that site. In a sense it’s at least as reliable as the arbitrary names and passwords you use today to log in.
The more I think of OpenID, the more I think it’s in the interests of all legitimate parties. Even a site like Google that competes for users with other big sites is better off, because it becomes easier for Yahoo users to access services on Google. If all goes well, some day soon you may be able to shred that piece of paper with your passwords written on it.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.