Wednesday, July 23, 2008

OpenID picks up steam

How many user names and passwords does a person need, anyway?

The first answer that springs to mind is "one". I don't think this is necessarily the right answer, though. I probably don't want to have the same credentials attached to my bank account as to my more frivolous pursuits, just like I don't want to have my safe deposit key open my front door or unlock my bicycle.

On the other hand, one of the annoying facts of web.life is that seemingly every single thing you use wants a user name it can identify you by. And if you give a mouse a user name, he'll probably want a password to go with it ... This gets old quickly.  While "one" is probably not the right answer, "dozens and dozens ... I don't even know how many" probably isn't either.

In practice, of course, most people come up with a few user names and passwords and use them over and over again. That's the equivalent of having the same key fit lots and lots of little locks, and as long as there's not anything too valuable behind any of those locks, it's probably OK. On the other hand, if anyone steals that key, you end up having to change lots and lots of locks.

In the virtual world it's a bit worse, even. While you have the only copy of a physical key, every service you sign up for potentially has a copy of your user name and password. I say "potentially" because there's a standard technique (hashing) for not knowing a user's password, but what are the chances of every single service using it correctly, or at all? [Note that if a site just stores a hash of your password (as it should), it's still possible for an attacker to figure out your password, buy guessing and seeing if any guess matches the hash.  If you have a good password this is much, much harder (assuming the site is using a "cryptographically strong" hash, but it's not impossible]

The correct answer to "how many user names and passwords" is probably "as many as I like, but no more than that," realizing that in some cases you'll need, or at least should need, a completely unique ID whether you like it or not. So how do we do that?

Your typical login goes like this:
  • Who are you?
  • I am Sir Galahad of Camelot
  • What is your quest?
  • I seek the holy grail
  • What is your password?
  • python
  • Hmm ... do we know a "Galahad"? Does the password match our records? Yes? You may pass ...
Now change this just a little:
  • Who are you?
  • I am Sir Galahad of Camelot
  • What is your quest?
  • I seek the holy grail
  • How do I know you're Galahad of Camelot?
  • Ask http://roundtable.ct/galahad
  • Hmm ... http://roundtable.ct/galahad, do you know this "Galahad"? (Galahad deftly turns around, whips out his web-enabled Sword of Righteousness, logs in to roundtable.ct and tells it to accept the bridgekeeper's request for authentication) Yes? Do I trust this roundtable.ct? I suppose so. You may pass ...
Dodgy analogies aside, this is the basic approach behind OpenID [Note: that's openid.net, not .com] What's happened is that instead of keeping track of names and passwords directly, the bridgekeeper, being OpenID-aware, agrees to take an OpenID provider's word for it. Galahad, for his part, only has to be able to tell his OpenID provider (roundtable.ct in this case) to accept the bridgekeeper's request. The OpenID URL serves as his user name and whatever procedure he uses to log into his OpenID provider -- maybe a password, maybe a smart card, maybe a retina scan or whatever -- is good enough for the bridgekeeper.

If you like all that, there's still the little question of getting people to use the scheme. This requires two things to happen. One is getting sites to to provide OpenIDs. This isn't hard -- more or less anyone can do it. The other problem is to get sites to accept OpenIDs.

Some sites aren't very fussy. A lot of places are more concerned with having some sort of name to track than proving that that name belongs to anyone in particular. They'll let anyone make up a random name and password. The OpenID equivalent would be accepting any URL as an OpenID, so long as it follows the standard.

Other sites want to tie an identity to a given email address. You know the drill: You provide an email address when you register, that email address gets an email with a magic link in it, you chase that link and only then is the account activated. The OpenID equivalent would be to accept URLs only from sites you knew required that sort of validation. There are many such. In particular, blogger.com does. Any blog URL can serve as an OpenID, so I can provide http://fieldnotesontheweb.blogger.com as an OpenID.

As usual there is more to OpenID than the short summary here, but that's the gist as I understand it. OpenID aims to scratch an itch that clearly needs scratched, and it seems to be getting some traction. I've run across OpenID login options on several mass-market web sites, including CNN and, more geekily, on SourceForge.net. Since blogger.com also accepts OpenID, you'll also see it on blogs attached to major sites.

On the provider side, besides Blogger, AOL, Flickr, Orange Telecom, Yahoo! and several other blogging services, it seems MySpace has jumped on the bandwagon (and Facebook hasn't). There are also several sites that specialize in providing and managing OpenIDs, notably including one run by VeriSign. OpenID maintains a list, and there is also a commercial directory aimed at promoting providers and OpenID-enabled sites.

[OpenID is still a thing, but it clearly hasn't taken the world by storm.  Amusingly, the Wikipedia article's section on "Adoption" was last updated in 2009 -- D.H. June 2015]

2 comments:

earl said...

As a matter of fact, I do want the same key to open my safe deposit box and my bicycle. I want it to be completely portable, unlosable, effortless, and totally secure. Actually, I want all these locks to open always and only at my whim, with not work on my part.

Is that too much to ask?

I recently tried to post a comment to a friend's blog (same host as this blog) and couldn't do it, since I didn't know my password. I don't know my password for posting a comment on this blog, but it seems to work. But anyway, I tried to dodge the problem by opening a new google account, with a new password. It wouldn't let me, since I already have such an account. But I still don't know the password, or even whether I actually have one.

My cell phone wanted me to give it a password for checking my voice mail. It rejected the first one I tried to give it: Not cryptic enough. I was not given the option of opting out of security.

So the answer is to write down all these passwords, either on paper or in my computer, or both, where anyone (including me!) who might need them can find them. This does need fixing.

David Hull said...

Note to self: log in using major provider seems to be the method of choice now.