25
February
2007

Thoughts on OpenID

There has been a ton of talk lately on OpenID, especially since it has seemingly gained inroads with a lot of major industry players such as Microsoft, Verisign and AOL. Heck, even Digg is planning on supporting it.

Michael Arrington of TechCrunch recently said:

It’s definitely time to declare OpenID a winner and the hope for a single-sign on world a reality.

When you read commentary by supporters of OpenID and the resulting press you can’t help by get the impression that it’s the savior of the internet and finally solves the authentication problems for users on the web. Some of the stated advantages:

  1. De-centralized — you don’t have have to trust a single authority like Google or Microsoft.
  2. Tiered authentication — websites that require stronger authentication can get users to sign in with a strong credential. It’s built into the protocol.
  3. URL-based — you can keep your email address private and it saves you time when trying out new sites and services (you already know your ID is unique since no one else is using your URL identifier)
  4. Multiple identities made easy — you can have multiple identities by using different URLs

The list goes on and on… When I read the above list, you can call me skeptical to say the least.

For starters, let me address the 4 stated advantages of OpenID I listed above.

  1. De-centralized — While it sounds sexy that there is no central authority that has your data, this may be big drawback of OpenID.
    • Your identity is only as strong as the assertion that is made by the ID provider validating your identity. If the system is truly distributed and anyone can run an OpenID Identity provider, is the assertion valuable? At some point, a rogue Identity provider will enter the system and then the fun begins.
    • A counterpoint to this is to say that the relying parties can dictate who they will accept assertions from. But is this practical and scalable in the long run? Think of the way the credit card story unfolded — many, many credit card companies, but merchants got sick of trying to accept so many. Eventually it settled down to the big boys: Visa, Master and Amercan Express. Sure there is Diner’s club and Discovery, but do you know anyone with those and can you guarantee merchant acceptance?
  2. Tiered authentication — Microsoft and countless other authentication services have had this for years and years. It’s good for any authentication service to support increasing levels of strengths in the identity assertions it issues, but this is not new and definitely not unique to OpenID.
  3. URL-centric– Is this really an advantage? (1) users are not familiar with using URLs as their identifiers. My mom doesn’t even have a URL. Does yours? (2) Last time I checked, my email address was already unique. Domains already function as a namespace, so joe@gmail.com and joe@hotmail.com are different identifiers. Why is http://joe.openid-A.com vs. http://joe.openid-B.com so special? In fact, OpenID already has an Email Address Transform Extension which allows users to use their email address to sign-in which is mapped to their OpenID under the covers.
  4. Multiple identities made easy — Again, email addresses already provide this today.

Some other drawbacks off the top of my head:

  • Sign-in process bouncing from the service provider to the authetnication service is a bad experience for users. They will not have any context for why they are signing in. This was a problem that plagued the Windows Live ID (then .NET Passport) for years, until we invested a significant amount of work to allow Relying Party integration into the sign-in page to give that context to users.
  • Security wise, this could be a freakin nightmare. The security issues haven’t been totally resolved in their current specs and design, and they basically punt the problem to identity providers since each one can choose whatever option they want. This create a big quality difference in the assertions on ID provider can make over another. We then come full circle back to my comments on decentralization above.
  • Availability of your identity provider is not frequently talked about. Consider your ID provider like your household power company. We all take it for granted that identity providers like Microsoft, Yahoo and Google are seemingly always “up” just like when you plug an device into the wall — when’s the last time you wondered whether there was power to that outlet? It’s no easy feat to have resilient online service with excellent availability. Can we promise that my OpenID provider, joes-house-of-tackle.com, will always be up when I want access to some OpenID relying party? Does this mean that some Identity Providers will be more reliable than others? Will users flock to those Identity providers, and thus start to whittle down the absolute number of Identity Providers available?

I definitely don’t want to come across as completely against OpenID. It’s a good thing that they are forcing the hands of the big boys of the web to stop and think about open standards and what scenarios are important on the web today.

I believe that there isn’t a place for a single ID provider for the entire online world, but I also don’t believe that OpenID magically fixes all the security and authentication problems that exist today. There is a need for open standards and multiple parties to participate and adopt those standards. There is also a need for us to recognize both the technology and user problems that exist today and not just jump ship to another cinderella technology that comes along claiming it’s the best thing since sliced bread.

If you have one takeaway from this commentary is that I’m trying to emphasize that the media needs a massive reality check and needs to refrain from declaring OpenID as the winner. Fact is, that this is a race where there shouldn’t, and won’t, be a single winner.

Tags: , , , , , ,


3 Comments

  1. Tony Comment posted February 25, 2007:

    I was just thinking about decentralized and tiered authentication, and was reminded by how they addressed (I’m deliberately not using the term “solved”) the certificate authorities problem. The certificates I’m talking about in particular are the certificates used to certify that certain websites are certain websites (e.g. I go to http://bankofamerica.com/, and the little keylock appears, telling me that someone has said “this is definitely bankofamerica.com”). It /looks/* like they do this by: (1) having lots of certificate authorities, (2) having chains of authority (I trust A, so if A trusts B, then I trust B, too), (3) I can elect to trust certain people (via importing, or accepting on the fly), and (4) my browser automagically shipped with people I (should/can) trust.

    (1)+(3)+(4) seem to address the decentralized thing, and (2) seems to address the tiered thing.

    Did they solve the problem here? From the perspective of the end-user, I think so. The majority of the time, this approach probably works well.

    Are there breakdowns? Most certainly: many webpages I visit in the academic environment cannot afford to actually have their certificate authorized by an authority. I can deal with this by “accepting” the certificate (i.e. (3)). There is the possibility of this failing of course (i.e. I trust a bad guy by accident), but the end user probably doesn’t think about this happening or really care — the “do you accept this certificate” dialog box probably seems more like a nuisance (e.g. “Really delete these files?).

    You might also run into people having issues with (4): my browser ships with people I (should/can) trust. Practically, this is probably not a problem, but of course, there are people that don’t trust what they are told to do or trust. That said, the certificate thing works most of the time, and I’m pretty sure most people who do their online banking have never even thought about their security.

    What’s the point of this comment? I think there are parallels here to the certificate problem (it’s not the same, but there are parallels). I just wanted to point to a parallel approach that we can think about with regard to this particular problem.

  2. Trevin Comment posted March 3, 2007:

    I don’t see chains of trust that exist in certificates and certificate authorities to address the authentication space as completely as you describe. The only way this would work is that the equivalent of the CA in this case, would have to certify that a given ID provider is legitimate. In the certificate world, there are very well defined guidelines on certificate issuance, handling and revokation that don’t exist in the identity space.

    Because of this, it would be fairly meaningless for one ID Provider to indicate the “trust” of another more-well known (and trusted) ID Provider, because the guidelines for why that trust exists would vary wildly across the industry.

    If there were well-defined “rules” for how an ID Provider was operated at different levels of security, I agree with you that this could solve many of the issues that exist today in the authentication space.

  3. Tony Comment posted March 5, 2007:

    Ah — you’re right regarding certificate authorities — I was misinterpreting what was going on in my browser.

    Following on what you said though, could/should it be time then, to consider rules for how an ID provider is operated?

    I think the SSL world, they probably instantiated rules since they were dealing with super secure things. Business had a profit motivation to making sure the system could be trusted, and that people would trust it.*

    Is this motivation as strong in the ID world? I guess so, otherwise folks like Passport wouldn’t be working on the problem. ;-)

    *Actually, in some sense, I suppose a debit card number/password pair actually do provide some notion of identity (though different from what you’re talking about, of course).

Leave a comment

« Previous
Next »
 
Rodney's Bread Crumbs plugged in.
Using Yaletown Theme for Wordpress.