November 4, 2009
Forget Those Passwords – Literally (Thanks To OpenID)
Forget Those Passwords – Literally (Thanks To OpenID)By Scott Nesbitt – October 11, 2009
|
You might recall a previous TechTip that looked at software you can use to wrangle all of the passwords you have for your favorite Web sites and Web services. Those apps are a good solution, but what if there was a way to securely log into multiple sites using only one ID? That's not a pipe dream. And it isn't a matter of using the same user name and password for everything (remember, I said securely). A technology called OpenID offers that promise, and is on its way to delivering it. What is OpenID?OpenID isn't software. The OpenID Foundation, a non-profit which works towards the adoption and spread of OpenID, describes it as a decentralized standard for user authentication and access control, allowing users to log into different services with the same ID. Another way that people describe OpenID is single sign-on (SSO). OpenID, though, does one thing and does it well. It authenticates users, confirming they are who they say they are. You don't need to worry about having a unique user name and password for each and every site that you need to log into. Instead, your login credentials (called an OpenID) consists of a URL – like http://MySecretID.myopenid.com/ – that's yours and yours alone. An OpenID provider, a site or server that hosts your URL, ensures that your OpenID is authentic. The URL acts as a universal user name. The only password you need is the one that you use to log into your OpenID provider. Who controls OpenID?No single individual, company, or organization controls OpenID. The technology behind OpenID is Open Source. There can be any number of OpenID providers. In fact, if you have the technical expertise you can set yourself up as a provider and run what's called an identity server. You can learn more about doing that here. That's also a double-edged sword, which I'll discuss in a moment. That said, it's not like the folks working on OpenID are lone programmers in the wilderness. A number of well-known tech companies back and support OpenID. Companies like Google, Yahoo!, VeriSign, and Sun Microsystems. Using OpenIDUsing OpenID sounds difficult. It isn't. It just requires you to change the way in which you think about logging into Web sites and services. Luckily, that shift isn't a big one. First off, you need find an OpenID provider and sign up for an account. If you're looking for one, this is a good resource. Most of the people I know who use OpenID tend to opt for one of the following providers: The signup process is simple. You choose a user name, which is tacked on to the domain name of generic viagra australia the provider. For example, http://YourName.claimid.com. You also need to create a password and enter an email address. Once you've signed up, you can use your URL. From there, you go to the login screen of a site that supports OpenID. You can find a comprehensive list of those sites here. You'll have to click a link, which says Login with OpenID or something similar. Type your URL in the OpenID field and click Sign In. You'll be redirected to your OpenID provider, where you'll need to enter the password for your OpenID account. The provider confirms that you are who you claim you are, which takes about a second. You'll be sent back to the site where you'll be logged in. All of this seems a tad cumbersome, but the advantage is that you don't need to worry about remembering a user name and password combination for every site that you use. There's just one. Advantages and drawbacksThe main advantage of using OpenID is that you only need one user name and password for the Web sites that you use. You'll no longer need to tax your memory or confuse one login with another. OpenID is Open Source. That means a large number of eyes are on it, and constantly improving it. And it's not just the so-called hobbyist programmers, either. As mentioned earlier, a number of tech giants are involved in the development of OpenID. Because OpenID is decentralized, no one firm controls it. You don't have to worry about a firm folding or suddenly charging for the service. There are a growing number of OpenID providers out there – all you need to do is pick one. On the other hand, a large number of Web sites don't support OpenID. As I read somewhere on the Web, some folks cite the chicken-egg problem. Not all sites support OpenID because there aren't enough people using it or who are comfortable with it. The number of sites that support OpenID is growing, but not rapidly. There's also the potential for phishing and identity theft. Remember what I wrote earlier about setting up an identity server? There's nothing to stop a malicious programmer from setting one up and using your own data against you. Sometimes, you run into an OpenID-enabled site that doesn't play nicely. I know a couple of people who weren't able to log into certain sites even though their OpenID credentials were valid and correct. This doesn't happen often, but when it does it can be frustrating. ConclusionOpenID is an interesting and useful way to log into your favorite Web sites. While the number of sites that support OpenID isn't that large, support is gradually increasing. You msight not want to use OpenID for logging into all Web sites, but the idea of single sign-on is intriguing. OpenID is another step towards making it universally available and acceptable. |