Introduction to OpenID

Sign in to queue


It starts when you ask a simple question, like "how can I authenticate users against my site?", or "why do I need so many different accounts for all of these different sites?"  Soon you're wading through a dizzying array of buzzwords: CardSpace, Live ID, BBAuth, OpenID, and more.

I've collected resources about each of the important technologies.  By the time we're done, you'll know the key characteristics and tradeoffs of each.  Today we talk about OpenID.

The best person to talk about OpenID is Simon Willison.  He's had plenty of practice giving a thorough introduction and demo for OpenID.



Simon is clearly eager to push OpenID, but he's forthright and honest about the limitations and tradeoffs.  Watch the whole presentation, including Q&A at the end.  He does an excellent job, so I'll just highlight some observations from the presentation:

Business Case: If you enable OpenID on your site, anyone with an account at AOL, LiveJournal, or other site that supports OpenID can logon to your site without needing an extra username/password.  Anyone can choose to be an OpenID provider, OpenID is not controlled by any vendor.  Currently sites like Yahoo!, Google, PayPal, and MSN don't support OpenID, so people on those services wouldn't be able to login to your site.

Protocol: Enabling OpenID is very easy; it's a simple redirect-based mechanism similar to BBAuth or the old Passport.

Industry Situation: It's unlikely that the companies with largest user accounts databases (like PayPal, Yahoo!, Google) will wholesale allow their logins to be OpenID logins anytime soon.  But I expect companies to experiment with OpenID where it makes sense.

The large identity providers are hesitant to expose OpenID logins for a number of reasons that surface in the presentation and Q&A.  Simon rightly observes that if you're comfortable allowing lost-password e-mails, you are already exposed to most of these risks, and points out that lost password reminders are "web single sign-on with deliberately poor user experience".  This argues against lost password e-mails of course, but puts the risks in context.

The biggest fear people have around OpenID is phishing -- the current OpenID design is susceptible to phishing attacks.  Around the 18:00 mark, Simon raises CardSpace as a good solution.  In fact, David Recordon from VeriSign just posted a proposed OpenID spec detailing how OpenID could incorporate other forms of stronger authentication (including Information Cards) in order to make OpenID less susceptible to phishing and other related identity attacks. Congratulations to the OpenID community on this initial draft!

Some other common issues raised were collusion (30:00), ability to allow AOL but not LiveJournal (for example), and recycling IDs (48:00) since OpenID doesn't have a GUID-style identifier.  For scenarios like blog commenting, these aren't showstoppers.

The Discussion

Add Your 2 Cents