What’s your take on OpenID?
I didn’t know such a system already exists until I read a post from Linux.com talking about a WordPress OpenID plugin. A quick read of the article explains what the plugin does: it basically converts your WordPress authentication system into an OpenID authentication system. Sounds cool, but what is OpenID exactly?
Wikipedia defines it as:
OpenID is a decentralized system to verify one’s online identity. While it is not intended to prevent spam or create a trust metric, it solves the single sign-on problem without relying on any centralized website to confirm digital identity. OpenID users identify themselves with a URI or XRI which they own, such as for a blog or a home page. Since OpenID is decentralized, any website can employ OpenID software as a way for users to sign in.
The OpenID website defines it in more detail, but I would like to quote two paragraphs from them:
To login to an OpenID-enabled website (even one you’ve never been to before), just type your OpenID URI. The website will then redirect you to your OpenID Provider to login using whatever credentials it requires. Once authenticated, your OpenID provider will send you back to the website with the necessary credentials to log you in. By using Strong Authentication where needed, the OpenID Framework can be used for all types of transactions, both extending the use of pure single-sign-on as well as the sensitivity of data shared.
Hmmm, sounds simple and easy to use. That’s cool.
and…
Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.
Well, I’d expect that statement from any project that uses the word “Open” but formally stating it on their official website is much more comforting.
To me, it sounds cool. Really, as it makes life simpler without me having to remember passwords. The need for a password collection is also minimized, if not totally removed, since each person will only maintain one identity for all websites. It’s pretty much like an online version of the National ID system used in many countries and being proposed here in the Philippines.
Upon reading it, one question quickly came to mind: where are all the data stored? If they’re stored in one central database, then that won’t be a good idea at all, since hacking into that one central database is all it takes to compromise everything. Luckily, the OpenID guys appear to have thought of this as well. Here’s a hint from their website (OK, this is another quote from them):
The first piece of the OpenID framework is authentication — how you prove ownership of a URI. Today, websites require usernames and passwords to login, which means that many people use the same password everywhere. With OpenID Authentication, your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider).
In other words, your data is stored wherever you want it stored, either through a third-party OpenID provider or through your own system. Sounds safe enough. At least that keeps authentication data scattered, giving hackers more headaches.
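To make the quoted flow concrete, here is an added illustration (not code from this post or from the OpenID project) of the signed-assertion step: the OpenID Provider checks the password locally and sends back an HMAC-signed assertion, and the website only verifies that signature, its return address and a replay nonce. It is a simplified model of OpenID 2.0 in which the association MAC key is shared directly instead of through the real association request, and all URLs are constructed.

```python
import base64, hashlib, hmac, secrets

# Constructed association: in real OpenID 2.0 the website (RP) and the provider (OP)
# agree this MAC key through an association request; here it is simply shared in-process.
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = secrets.token_bytes(32)
SIGNED = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]

def kv_form(fields, params):
    """OpenID key-value encoding of the signed fields, in the listed order."""
    return "".join(f"{k}:{params[k]}\n" for k in fields)

def sign(mac_key, fields, params):
    """HMAC-SHA256 over the key-value form, base64-encoded like openid.sig."""
    mac = hmac.new(mac_key, kv_form(fields, params).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def op_assert(password_ok, claimed_id, return_to):
    """Provider side: the password is checked here and only a signed assertion leaves."""
    if not password_ok:
        return {"mode": "cancel"}
    p = {"mode": "id_res", "op_endpoint": "https://op.example/server",
         "claimed_id": claimed_id, "identity": claimed_id, "return_to": return_to,
         "response_nonce": "2007-01-01T00:00:00Z" + secrets.token_hex(8),  # constructed
         "assoc_handle": ASSOC_HANDLE, "signed": ",".join(SIGNED)}
    p["sig"] = sign(MAC_KEY, SIGNED, p)
    return p

class RelyingParty:
    """Website side: verifies the assertion without ever seeing the user's password."""
    def __init__(self, return_to):
        self.return_to, self.assocs, self.seen = return_to, {ASSOC_HANDLE: MAC_KEY}, set()

    def verify(self, p, expected_claimed_id):
        key = self.assocs.get(p.get("assoc_handle"))
        fields = p.get("signed", "").split(",")
        if p.get("mode") != "id_res" or key is None or not set(SIGNED) <= set(fields):
            return False  # cancelled, unknown association, or required fields left unsigned
        if not all(f in p for f in fields) or not hmac.compare_digest(sign(key, fields, p), p.get("sig", "")):
            return False  # tampered or forged assertion
        if p["return_to"] != self.return_to or p["claimed_id"] != expected_claimed_id:
            return False  # assertion issued for another site or another identity
        if p["response_nonce"] in self.seen:
            return False  # replayed assertion
        self.seen.add(p["response_nonce"])
        return True
```

The checks in verify are what stop a captured assertion from being reused on another site or replayed against the same one.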
So far, so good. I’ll definitely look into this. I might just convert this blog to use OpenID as soon as I get a good grasp on it (when that will be, I can’t promise. Hehehe).
You, what’s your take on it?
Comments
3 Responses to “What’s your take on OpenID?”
I’m in the same boat - security seems like a big issue here. You can’t put all your eggs in one basket. If this becomes a hit, which it seems like it could, then the step from hacking a database to writing scripts on false sites that retrieve your data (if you have it stored on your computer) is not such a big step. Moreover, it seems like if this caught on, websites would have to retroactively change their login procedure to allow logins from OpenID. Maybe it will be more straightforward, but if not, developers won’t be too happy.
I recently became aware of OpenID myself listening to episode #95 of a podcast called Security Now http://www.twit.tv/sn95
Since then, I have noticed a few sites I use (notably basecamphq.com) have offered OpenID. I took the plunge and have not looked back. Once this catches on, we can have single sign-on with true security and no one owning all the implementation details (*cough* MS Passport *cough*)
I recommend everyone interested in this topic to give the podcast a listen and do some more testing on their own. We’re still definitely on the steep end of the curve here, but I think it will gain momentum and hopefully critical mass. Also, from what I have read, implementation is not hard at all. The OpenID folks have a lot of handy packages for just about all popular web languages. http://openid.net/wiki/index.php/Libraries
@Scott
I just read your comment and I think you may misunderstand how OpenID works. Your credentials are never passed to the authenticating site, only a verification of who you are. For example, let’s say Amazon supported OpenID. When you create an Amazon account you would then tell Amazon which OpenID server you trust (could be your own, could be a third party). Amazon then sends a token to your OpenID server establishing a link.
Next time you go to log in to Amazon, it passes you (and that token) to your OpenID site. You authenticate with your OpenID site and it passes back its own token saying you really are who you say you are. The beauty of this is that Amazon never knows your OpenID password, and that Amazon token is only good on amazon.com. Someone couldn’t hack that communication and then use your Amazon OpenID token to log on to ABC Bank, which also supports OpenID.
It is independent, secure and fully under the user’s control, the best of all worlds.