The Weekly Review

Make It A Habit

The Basics of OpenID

Over the past year I have glanced at the login page for my Backpack or Highrise sites and wondered if I should bother trying this whole OpenID thing. Would it be useful? Maybe. Would it be a hassle? Perhaps.

I have tested a whole lot of web applications and actually use a few of them regularly. I currently store all of my passwords for these accounts in Yojimbo. This setup has served me fairly well for the past year. But there were those few times when I could not remember a password for a particular site and did not have access to my secure, encrypted list of passwords. This is exactly what OpenID is meant to solve. It’s the single sign-on for the web.

So when David from 37signals announced that some of the larger web presences out there were moving to support OpenID, I thought this was the time to check it out.

So I did just that. And I figured there might be a lot of people like me out there - you’ve heard of OpenID but have never taken the time to learn more or to try it out. So I compiled my findings here.

What is OpenID?

Let’s start first with a definition. Here is an excerpt from Wikipedia:

OpenID is a decentralized single sign-on system. Using OpenID-enabled sites, web users do not need to remember traditional authentication tokens such as username and password. Instead, they only need to be previously registered on a website with an OpenID “identity provider” (IdP).

And here is a short and sweet one liner from OpenID.net:

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

And JanRain, Inc., providers of myOpenID.com, provides this overview:

OpenID is the decentralized, lightweight protocol for single sign-on and portable identity that is causing a massive disruption in today’s internet. More than 8,000 Web sites currently accept OpenID, a figure growing by five percent week over week, and many of the world’s leading companies, including Google Blogger, AOL, VeriSign, France Telecom and Sun Microsystems have adopted or announced support for OpenID enabling over 160 million users.

This technology also has a secondary purpose that the definition from myOpenID.com above alludes to - portable identity. OpenID.org provides a good summary of this side of OpenID:

OpenID also provides you with a place to store your digital identity - a place where you can easily be found on the web.

There is a lot of information on this subject, but it can be summed up easily - the Internet is an application itself and OpenID can be your authentication to this application. Wherever you choose to go, the idea is to only have to log in once. And to be secure while doing so.

And Reality?

The description above is the high level end goal. Is OpenID there yet? In one word - no. But with the announcement of companies like Google, Yahoo and Microsoft climbing on board, it’s easy to see the majority of smaller organizations following suit.

And it’s also easy to see this technology being embraced by the technophiles and hardcore web 2.0 users. But to see widespread adoption, it’s this writer’s opinion that this technology needs to be dead simple to set up and use. This is exactly the question I wanted to answer. Can my parents set this up for themselves?

Experience

I chose myOpenID.com as a provider for my new account. The sign up was simple and I was soon on my way. You can view my profile to see how ID providers give options for your online presence.

My second step was to try logging in to my Highrise and Backpack accounts to see how this worked. Fail.

I was not able to log in to my accounts on the first few attempts, even though I was prompted through the myOpenID site to give access to the apps that I was attempting to use. It took me a few minutes to realize that I had not enabled my Highrise and Backpack accounts to actually use an OpenID account login. So even though the login screens to both applications have the option to use an OpenID to log in, you actually have to log in to your account with your original username and password and enable this functionality.

Once that was done, a simple logout was required and then I was up and running with my new OpenID. My only complaint with the whole process was that the help options on 37Signals and myOpenID.com did not make a mention of this type of issue. But overall it was an easy process.

Issues and Concerns

This technology is not without concerns. Criticisms are focused, rather obviously, around security, privacy and possible breaches of a person’s OpenID account.

Stefan Brands, a professor at McGill University has this to say in his lengthy article on OpenID:

OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.”

It is easy to see why this would frighten some away from using OpenID. The main selling point of this whole idea is ease of use. The fact that this would also be one of the biggest risks will stop a lot of people from adopting.

Conclusion

I said above that to achieve widespread adoption, OpenID has to be simple and easy to set up and use. But after learning more about the security and privacy concerns, it seems obvious that OpenID could cause problems with the very people who need it to be that easy. If it’s so easy that your somewhat computer-illiterate parents can set it up, then they will also be at risk of being fooled into compromising their information. After all, these are the people who are convinced into sending money to Nigeria.

In the end, I myself am comfortable with starting to use OpenID for some of my online applications. Am I going to set it up with my bank? No. Hopefully, over time the technology will address some of the concerns it is facing in its infancy.