Myths about OpenID and digital identities

I’m really on a roll the past few days with blog posts on digital identity.  My new love is e-commerce with my work on Windows Marketplace, but it’s hard to ignore the recent waves in “big” news in the digital identity world.  Given my expertise in the area, I can’t help but give my 2 cents (or 4 cents :)).

After reading all the blogs entries and resulting comments on sites like TechCrunch, there is a lot of confusion on the significance, or lack thereof, of all these recent announcements (Google, Microsoft) around new OpenID providers.

First, let’s define a few terms:

Identity Provider: An Identity Provider is an entity that issues identities and the resulting credentials used to authenticate as that identity.  These are almost always an email address and password combination.  An example of this is Microsoft issuing Windows Live IDs (e.g. [email protected] or [email protected]) with a password.

Relying Party: A Relying Party is a site or service that accepts assertions of a user’s identity from a specific Identity Provider. This term is always used in conjunction with the name of an identity provider.  For example, a site that is a “Windows Live ID relying party” accepts identity assertions from Windows Live ID.

OpenID Provider: An OpenID Provider is an Identity Provider that interoperates with OpenID.  It enables users with identities it has issued to authenticate to services that accept OpenIDs.  It does this by authenticating a user’s credentials, then issuing a proof of that authentication (commonly referred to as a service ticket) that the user can present to a service that accepts OpenIDs.

OpenID Relying Party: Refers to a site or service that accepts user identity assertions from an OpenID Provider.

Now that we’ve gotten terminology out of the way here are several myths that are prevalent in many online discussions about digital identities, and in particular, discussions about OpenID:

Myth: Becoming an OpenID provider makes you more “open”.

Fact: By becoming an OpenID provider, an identity provider just allows all of its users to access OpenID sites. So technically, it isn’t more open in the traditional sense, since it didn’t grant access to its services to any more users than it already had.  It just allowed its users to access services outside of its control, namely, OpenID relying parties like Plaxo.  So in reality, becoming an OpenID provider is really a greedy strategy: (1) letting your users access more, and (2) jumping on the bandwagon to not only ride a good press wave, but also to hopefully encourage more users to use you as an identity provider.

Myth: Becoming a Relying Party disempowers a site’s native identity provider since it no longer holds its user information (think Gmail to Google, or Flickr to Yahoo).

Fact: This is not true. In fact, by becoming a relying party, there are very few risks and you still have the ability to hold all the user information accumulated through service usage.  Becoming an OpenID provider or relying party does not imply that you need to share a user’s profile with any other service.  The only risk in becoming a relying party is if you accept assertions from an identity provider that doesn’t legitimately authenticate the user’s identity.  Imagine accepting identity assertions from an Identity Provider that didn’t use passwords, and all you did was enter an email address to be authenticated.  You wouldn’t be able to trust that the user really was [email protected] when the assertion was presented to you.
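The relying-party check that the “only risk” above turns on, as an added Python example that is not from the original post: an OpenID 2.0 positive assertion is accepted only if it was signed under an association with a provider the relying party deliberately chose to trust, and an assertion from anyone else, or with a field altered after signing, is rejected. The provider endpoint, association key, return URL and identities are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed trust store (hypothetical values): the only providers this relying
# party accepts assertions from, with the MAC key and hash agreed at association.
TRUSTED_PROVIDERS = {
    "https://op.example.com/server": {"assoc_handle": "assoc-1",
                                      "mac_key": b"0123456789abcdef0123456789abcdef",
                                      "digest": hashlib.sha256},  # HMAC-SHA256 association
}
RETURN_TO = "https://rp.example.net/openid/return"  # constructed RP return URL

# OpenID 2.0 signs the key-value form of the fields named in openid.signed:
# one 'key:value\n' line per field, in that order, with the 'openid.' prefix removed.
def kv_form(fields, signed):
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)

def sign(fields, signed, mac_key, digest):
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), digest).digest()
    return base64.b64encode(mac).decode()

def make_assertion(op_endpoint, claimed_id, provider, nonce):
    """Constructed OP side: build a positive assertion the way a provider would."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint, "openid.return_to": RETURN_TO,
              "openid.response_nonce": nonce, "openid.assoc_handle": provider["assoc_handle"],
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.signed": ",".join(signed)}
    fields["openid.sig"] = sign(fields, signed, provider["mac_key"], provider["digest"])
    return urlencode(fields)

def verify_assertion(query, trusted=TRUSTED_PROVIDERS):
    """RP side: return the claimed identity only if a trusted OP signed it, else None."""
    f = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if f.get("openid.mode") != "id_res" or f.get("openid.return_to") != RETURN_TO:
        return None
    provider = trusted.get(f.get("openid.op_endpoint"))
    if provider is None or f.get("openid.assoc_handle") != provider["assoc_handle"]:
        return None  # a provider we never chose to trust, or an association we never made
    signed = f.get("openid.signed", "").split(",")
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id"} <= set(signed):
        return None  # anything left unsigned could be rewritten on the way back to us
    try:  # recompute the MAC over the signed fields and compare in constant time
        expected = sign(f, signed, provider["mac_key"], provider["digest"])
    except KeyError:
        return None  # openid.signed names a field the response does not carry
    return f["openid.claimed_id"] if hmac.compare_digest(expected, f.get("openid.sig", "")) else None
```

A production relying party would additionally reject a reused response_nonce and an expired association, but the trust decision shown here is what makes the assertion worth anything.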

Myth: All the recent OpenID news about these new OpenID providers will solve all the digital identity problems.

Fact: As mentioned the other day, it doesn’t really matter how many OpenID providers there are. The real issue at hand is how many OpenID Relying Parties exist.  Right now, there are very few which makes the utility of OpenID very low and just makes for good PR talking points.  It will be monumental when you see all the Google, Yahoo and Microsoft services becoming OpenID Relying Parties.

Myth: OpenID is more secure than Windows Live ID (or any other identity provider).

Fact: First, this statement doesn’t make sense since OpenID is essentially just a set of protocols, and Windows Live ID is an identity provider.  If the real statement is that an OpenID provider is more secure than a non-OpenID provider, then unfortunately, that is also incorrect.

From the eyes of the consumer, the security of an identity provider really has nothing to do with the underlying protocols that are used.  They just know where to go to authenticate and how to authenticate. This is why fewer Identity Providers are good: we reduce the risk of phishing scams where users unknowingly give their credentials to a malicious party.

The security of an identity provider is really about the security of the credentials used to assert a user’s identity. The great thing about OpenID is that since it is an open system and since anyone can become an Identity Provider, it paves the way for competition and natural selection to occur among Identity Providers.  With OpenID, we’ve seen the rise of some fantastic security solutions that will make a real impact with customers when we have more OpenID relying parties.  For example, investments by VeriSign in 2-factor auth give me a lot of hope that other Identity Providers will follow suit.  This will force the entire industry to not only increase the level and expectation of security, but also make it easier to use for the everyday user.