Warming up to OpenID
February 26, 2007 ⋅ 6 Comments »
One of the more annoying things about working with computers these days is having to remember a bazillion username/password combinations. There have been several attempts in the last few years at creating a viable single sign-on system, but none of them have been successful.
I think it’s mostly just been a social problem. Either people don’t want to trust their identity to a single authority like Microsoft, or else it’s just a chicken-egg thing. For whatever reason, these services have just not managed to gain any traction.
Now OpenID seems to be gaining some momentum. In short, OpenID is “an open, decentralized, free framework for user-centric digital identity.” The idea is that instead of logging into all your web sites with a separate username and password, you instead just use your OpenID, which is just some URI that identifies you — for example, http://pdubroy.myopenid.com, or //dubroy.com/patrick. The site then makes a request to that URI, to confirm that you are that person. In the worst case, you still have to enter a username and password for every site that you log into, but the username and password are always the same. But if your OpenID provider keeps you logged in via a cookie, then you only have to enter your password once, no matter how many sites you log into.
OpenID began with LiveJournal, which immediately gave it a decently-sized user base. Then, a few weeks ago, Microsoft announced that they would be integrating OpenID support into Vista. Now AOL has announced that every AOL/AIM account now has an OpenID URI. So, it definitely looks like OpenID might be getting enough support to actually be useful.
It’s not all rosy though. Many people have pointed out that the OpenID process is very susceptible to phishing attacks; but that’s a problem we’re going to have to solve somehow anyways, and I think the proposed solutions are pretty decent.
e - February 27, 2007:
I'm not sold on OpenID. The idea behind it is very good, but it puts too much weight on crypto. I tried writing a WordPress plugin for it when the protocol first came out, but I didn't have the crypto extensions that I needed compiled into PHP.
The goal of the system is to verify that a given user is associated with a website. I would like to see a lighter version of OpenId that performs its verification through publishing. In other words, the challenger would ask the user to verify themselves by making altering a webpage on the site to display a nonce of the challenger's choosing.
Regarding OpenId and phishing: what about adding some browser integration to get around the phishing attack? That or a long-lived cookie that gave the site providing the auth service a different look would both allow the user to verify that they are at the site the expect, rather than a site of the attacker's choosing.
Patrick - February 27, 2007:
Hmmm, I had to look at the spec to see where the crypto was involved, and I'll be honest, I don't fully understand it. I don't see why your proposal wouldn't work just as well.
As for the phishing, I think browser integration is a good way to go. I don't think people would be changing their identity providers that often, so it wouldn't be a hassle to have to specify them in the plugin options. But I still think the bookmark-based solution described here is the simplest.
Evan Prodromou - March 1, 2007:
I think that the phishing problem is mostly a red pherring (tee-hee). certifi.ca, for example, is an OpenID provider that only uses SSL certs for authentication. There is never a password, so there's not a risk of phishing. I use certifi.ca as my main OpenID delegate, and I actually find using my OpenID considerably streamlined because of the certs-based authentication.
Patrick - March 1, 2007:
Evan:
Yes, you're right that phishing is only a problem when password authentication is used. However, I think that it will be a while before most people will be using an alternative technique. One thing I was thinking about recently was an OpenID provider that could use public key authentication using my ssh key. That would be cool. Log in once (by typing the url in directly, or something safe), upload your public key, and then use ssh-agent authentication from then on. Then you could really have a single login to your machine, and it would work for everything.
Evan Prodromou - March 2, 2007:
@Patrick: I'm a big fan of public key encryption and the identity control that it brings. About the closest thing to an SSH key for HTTPS is client-side SSL certificates. That's what certifi.ca uses. Most Web sites don't support them because most Web users don't know they exist, and most Web users don't know they exist because most Web sites don't support them.
There are links on the certifi.ca home page to sites where you can get gratis valid SSL certificates in a few minutes (email confirmation required). It's probably exactly what you're looking for. Please give it a try and let me know what you think.
Nic Ferrier - March 3, 2007:
An alternative to Evan's really cool certifi.ca site it http://prooveme.com. We give you a free certificate as part of your sign up process (though we're planning to offer support for existing certs as well). In other respects it works the same as Evan's service. We believe though, that users creating certificates in order to delegate them to other services is a big win feature. Doing that would enable you to, say, delegate authority to flikr to upload photos to your blog.