openid.gifThe buzz this week was that of OpenID, where Kevin Rose announced at The Future Of Web Apps conference in London that Digg would adopt OpenID. This comes after Microsoft and AOL’s announcements.

So what exactly is OpenID? Think of it as a mechanism that allows you to use one login for multiple websites.

An OpenID identity is just a URL. You can have multiple identities in the same way you can have multiple URLs. All OpenID does is provide a way to prove that you own a URL (identity). And it does this without passing around your password, your email address, or anything you don’t want it to. There’s no profile exchange component at all: your profiile is your identity URL, but recipients of your identity can then learn more about you from any public, semantically interesting documents linked thereunder (FOAF, RSS, Atom, vCARD, etc.).

Anybody can run their own site using OpenID, and anybody can be an OpenID server, and they all work with each other without having to register with or pay anybody to “get started”. An owner of a URL can pick which OpenID server to use.

While nothing in the protocol requires JavaScript or modern browsers, the authentication scheme plays nicely with “AJAX”-style setups, so you can prove your identity to a site without bouncing between pages. Source: OpenID.net

OpenID allows the web to become more decentralized, user-centric based and is a part of Web 2.0 that has not fully been embraced yet - Identity. The username and password will essentially become one i.e. a URL. That URL will be used to identify a person instead. Your username, password, email address and other info is tied to that URL and will be kept safe within the OpenID servers. When logging in using OpenID, you will be authenticated to prove who you are and if successful, you will be able to login or leave a comment on the blog or website.

OpenID may see spam decreasing. As spammers always find a way, I won’t go as far as to say it will eliminate spam entirely but it’ll sure make their lives a lot harder. I like the way it verifies who is actually making the comments and the fact that I have one place to change my information for all sites. In this world of constant logins and multiple passwords to remember, that may be a useful feature. The other plus point is that the decentralized authentication system doesn’t allow one company or businesses to make all the decisions, so no one holds all the cards.

However, I see some negatives in the system that may have to be developed:

  • Accountability is the question, no one is truly responsible for the system. What happens when an OpenID provider is compromised?

  • There is currently no certified (or approved) OpenID provider as it is not required. As it stands, anyone can be an OpenID provider while following the right specifications. I believe the general public will be more comforted if an OpenID provider goes through some sort of check or inspection of its facilities and practices so that the risk of compromise is reduced. This may be tough to do considering its “Open” stance.

  • Trust factor is in question. As OpenId is not a trust system, there is no stopping anyone creating a fake ID. How do you prove an OpenID provider is reliable and does not have bad intentions? As it stands, there is nothing to stop a hacker or phisher hosting a OpenID server with the sole intention of comprimising confidential info?

  • Because of the above point, will we see a trend where businesses use specific OpenID providers due to their reputation? Will we see the Microsofts, Verisigns of the world having the monopoly the same way Network Solutions had the monopoly on Domain names years ago?

  • As it stands, more education is needed for the average user to how OpenID actually works. The whole concept is confusing to users and the multiple providers out there offering OpenID services adds to the confusion. There is difference between security and identity - I think it should be pointed out more clearly to the average user. OpenID is not meant for security but for identity although they might work hand in hand. The 3 common questions I hear now about OpenID are “Is OpenID Secure?”, “Who should I register with?” and “Will I get a different OpenID from this provider vs. the next?”.

  • The OpenID authentication is only as strong as what the user has provided within his profile. Therefore it may create a big risk within logons within financial institutions and should not be used in these instances.

    • There are currently about 26 known OpenID providers on the web and that number would be sure to increase. Here is a list of 5 well known providers:

  • MyOpenID
  • VeriSign Personal Identity Provider
  • GetOpenID
  • MyLID
  • Sxipper

    • Sources and Links:

  • OpenID official site
  • identity.eastmedia.com — OpenID and Identity info at eastmedia
  • OpenID Enabled — resource for OpenID users and developers
  • Directory of OpenID-Enabled Sites
  • Directory of OpenID Providers (Servers)
  • The Case for OpenID — ZDNet article contrasting OpenID with other identity systems by Johannes Ernst (NetMesh) and David Recordon (VeriSign)